[Nottingham] Paranoid already

Lee nottingham at mailman.lug.org.uk
Sun Aug 17 14:17:01 2003


> I also find running "netstat -tpan" pretty useful as it'll tell you which
> program is listening on which port and detail any active connections.
> Particularly useful for checking for backdoors and other nasties :)

Hmm, if your box has been rooted well, then you can't trust tools like
netstat or ps, unless you're using Tripwire (on a remote host) to verify
file integrity. I think I heard the GNU site got hacked the other day,
and certain packages 'replaced' with dubious copies.. probably had some
backdoor code injected into them(!).

You're best off running an independent firewall, like SmoothWall or IPCop,
if you've got a 486 lying around and a couple of network cards, that
works great... you can always check your logs on the firewall for
anything strange???

Basic rule of thumb is to block any incoming connections, most NAT
boxes do that by default. If you really need to have services exposed to
the whole internet then use a DMZ area to host these. DNS/UDP is a bit
more tricky, so make sure you're running the latest patches for your box
(good idea).

Although this won't help you if you're unlucky enough to pick up a trojan
on your box, they can make connections *out* of the network to a
controlling machine.....which can render your brand spanking new
firewall useless in seconds....

Don't think encryption will save you either, it only takes a rooted box
and a key logger to expose your secrets....

For fun try running ZoneAlarm, you'll see all sorts of Microsoft
background services trying to 'reach out and touch someone'. Why??? Who
knows....you can't even consult the source code to see *why* these
services want to talk....

Ah, Bill, we salute you again....

Cheers,
Lee
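
An added example, not part of the original post: a minimal baseline-and-verify integrity check for the tools named in the thread (netstat, ps), in the spirit of the remote Tripwire check mentioned above. It is a simplified stand-in, not Tripwire's own format or policy language; the watch-list paths are assumptions, and the baseline is assumed to be stored off the monitored host and the check run from trusted media.

```python
import hashlib
import json
import os
import stat


def fingerprint(path):
    """Return SHA-256, permission bits, owner and size for one file."""
    st = os.stat(path)
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return {
        "sha256": digest.hexdigest(),
        "mode": stat.S_IMODE(st.st_mode),
        "uid": st.st_uid,
        "size": st.st_size,
    }


def build_baseline(paths):
    """Record fingerprints of the watched files on a known-good system."""
    return {p: fingerprint(p) for p in paths if os.path.isfile(p)}


def verify(baseline):
    """Compare current state with the baseline; return {path: reason}."""
    findings = {}
    for path, expected in baseline.items():
        if not os.path.isfile(path):
            findings[path] = "missing"
            continue
        current = fingerprint(path)
        changed = sorted(k for k in expected if current[k] != expected[k])
        if changed:
            findings[path] = "changed: " + ", ".join(changed)
    return findings


if __name__ == "__main__":
    # Assumed watch list: the tools named in the thread.
    watched = ["/bin/netstat", "/bin/ps", "/usr/bin/netstat", "/usr/bin/ps"]
    baseline = build_baseline(watched)
    # In practice the baseline goes to read-only or remote storage.
    print(json.dumps(baseline, indent=2))
    print(verify(baseline) or "no changes")
```

A baseline kept on the same writable disk as the binaries it describes can be rewritten by whoever replaced them, which is why the post specifies a remote host.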