[Gllug] Have I been compromised??

John Hearns john.hearns at cern.ch
Mon Sep 2 11:46:54 UTC 2002

On Mon, 2002-09-02 at 13:30, omphe wrote:
> Tom Gilbert wrote:
> > > Not sure if
> > > I'm being paranoid or not.
> >
> > Why do you think you've been compromised? Seeing external addresses in
> > your apache logs is pretty normal, after all =P
> The access.log shows a few entries to ***.***.***.***:6667 (obviously I've
> *ed the real address).  Being a newbie, I read furiously for an hour or so
> and this seems to indicate that someone is trying to access me through/for
> IRC.  Furthermore, my nmbd (Samba netbios) logs show countless unsuccessful
> (I hope) connection attempts.  I'm checking every log that I can, but I'm
> not sure of everything that I should be looking for.
> I've been waiting till I could get Debian 3.0 off of the Linux Format
> coverdisc next month, but I think I'll reinstall something else till then.
> Best practice in terms of learning to secure myself better.  The fact that
> I'm unsure of my security means that I'm probably vulnerable.
Don't get your knickers in a twist!
You've recognised that you don't know enough about security -
and you have come to a good place to ask for advice.
And, hey, you are checking the logs and trying to figure out what is
going on already. You're two steps ahead of the game.

My advice:

a) don't be in too much of a rush to re-install, unless we can confirm
that you have been compromised

b) 'Hacking Exposed' is an excellent book, IMHO. But take it easy, and
read in small chunks.

c) make sure your box is running some sort of simple ipchains
firewalling rules - and learn about these

More advanced things to learn about:

d) port scanning using nmap - against your own box

e) security scanning using Nessus

f) don't assume that any one distribution is 'more secure' than another,
or that a later distro is 'more secure'.
Yes - of course a later distro will have any security vulnerabilities
fixed up, and yes distros vary in what services they have enabled and
available 'out of the box'. But it still pays to understand what is
running on YOUR box (ahem - I admit fully to not being an expert on
security of different distros)

I'm sure others here will contribute things like Snort and Tripwire.

Hey - this is a good start for a Wiki page on Security?
I will kick it off, with the advice above.
But I don't see the Edit button?
I suggest a hierarchy of Hints and Tips -> Security ????
then other tips or Howtos can go below Hints and Tips
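The access.log entries to an address on port 6667 that omphe describes have the shape of an open-proxy probe: a request whose target names another host and port rather than a path on the web server (an absolute URI such as `http://host:6667/`, or a `CONNECT host:6667`). The script below is an added example for triaging that pattern; it is not part of the original thread. The log lines are constructed in Apache "combined" format using documentation IP ranges, and the IRC port list is an assumption about which destination ports are worth tagging.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample lines in Apache "combined" log format (not taken from the original post).
# Line 1 and line 5 are ordinary requests; the others ask the server to reach another host.
SAMPLE_LOG = """\
192.0.2.10 - - [02/Sep/2002:13:02:01 +0100] "GET /index.html HTTP/1.0" 200 1043 "-" "Mozilla/4.0"
198.51.100.23 - - [02/Sep/2002:13:05:11 +0100] "GET http://203.0.113.7:6667/ HTTP/1.0" 403 291 "-" "-"
198.51.100.23 - - [02/Sep/2002:13:05:12 +0100] "CONNECT 203.0.113.7:6667 HTTP/1.0" 405 312 "-" "-"
198.51.100.23 - - [02/Sep/2002:13:05:13 +0100] "GET http://203.0.113.7:6667/ HTTP/1.0" 200 1043 "-" "-"
192.0.2.44 - - [02/Sep/2002:13:07:30 +0100] "GET /cgi-bin/test.cgi HTTP/1.0" 404 210 "-" "Lynx"
198.51.100.99 - - [02/Sep/2002:13:09:02 +0100] "GET http://www.example.com:80/ HTTP/1.0" 403 291 "-" "-"
"""

# Source address, timestamp, request line (method, target, protocol), status, response size.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)
ABS_URI_RE = re.compile(r'^[a-zA-Z][a-zA-Z0-9+.-]*://(?P<host>[^/:]+)(?::(?P<port>\d+))?')
HOST_PORT_RE = re.compile(r'^(?P<host>[^/:]+):(?P<port>\d+)$')

# Assumption: the IRC ports a defender would want tagged separately.
IRC_PORTS = {6667, 6668, 6669, 6697}


@dataclass
class ProxyProbe:
    src: str
    method: str
    dest_host: str
    dest_port: int
    status: int


def proxy_target(method: str, target: str) -> Optional[Tuple[str, int]]:
    """Return (host, port) if the request asks the server to reach another host.

    A normal request carries a path target ("/index.html"). A CONNECT target or an
    absolute URI names a remote host, which only makes sense for a forward proxy.
    """
    if method == "CONNECT":
        m = HOST_PORT_RE.match(target)
        return (m.group("host"), int(m.group("port"))) if m else None
    m = ABS_URI_RE.match(target)
    if not m:
        return None
    if m.group("port"):
        port = int(m.group("port"))
    else:
        port = 443 if target.lower().startswith("https://") else 80
    return m.group("host"), port


def find_proxy_probes(log_text: str) -> List[ProxyProbe]:
    """Parse each log line and keep only the proxy-style requests."""
    probes: List[ProxyProbe] = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        dest = proxy_target(m.group("method"), m.group("target"))
        if dest is None:
            continue
        probes.append(ProxyProbe(m.group("src"), m.group("method"),
                                 dest[0], dest[1], int(m.group("status"))))
    return probes


def summarize(probes: List[ProxyProbe]) -> dict:
    """Count probes per source and per destination port, and how many got a 200."""
    return {
        "by_src": Counter(p.src for p in probes),
        "by_port": Counter(p.dest_port for p in probes),
        "irc_probes": sum(1 for p in probes if p.dest_port in IRC_PORTS),
        "answered_200": sum(1 for p in probes if p.status == 200),
    }


if __name__ == "__main__":
    found = find_proxy_probes(SAMPLE_LOG)
    for p in found:
        tag = " (IRC)" if p.dest_port in IRC_PORTS else ""
        print(f"{p.src} {p.method} -> {p.dest_host}:{p.dest_port}{tag} status={p.status}")
    print(summarize(found))
```

A 403 or 405 on these requests means the server refused them. A 200 on its own does not prove the request was relayed: an Apache without proxy support treats an absolute-URI GET as a request for that path on its own document root and answers with its own page, which is why the third probe above returns the same 1043 bytes as the local `/index.html`. The decisive check is the server's own configuration: confirm that `ProxyRequests` is off (or that mod_proxy is not loaded at all) rather than reading intent from the status code.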

Gllug mailing list  -  Gllug at linux.co.uk
