Q: How should I deal with a security breach?

We have at least four Linux hosts in the math department. Two of them have been compromised, with the intruder leaving a sniffer on the net, which in turn compromised a raft of other accounts.

At this point, we are unable to determine how the intruder got in, nor if this is a quirk of Red Hat 5.1 in general.

A quick look at Red Hat's page does not show up a list of security advisories.

Since I have 30 some Red Hat boxes and currently no firewall, I am understandably nervous.

The compromised machines will be rebuilt on Monday. I have a full backup of one of the affected systems taken the morning after the intruder got in, but before we discovered him.

We don't know at this point how the intruder got root access. Once he did he edited the password file, then installed a directory called "...". In that directory he had a program called linsniffer, which picked up initial packets of rlogin, telnet, and ftp. On top of this, he installed a hacked ls which doesn't show "..." names.

A: Not knowing much about your system and network, I'm not really able to give you anything but general security advice.

Red Hat does have security updates, but they are mixed in among their bug fixes:

http://www.redhat.com/support/docs/rhl/rh51-errata-general.html

I'm not aware of any specific holes in 5.1. There were a fair number of updates for 5.1 that dealt with security, and, of course, there is always the sendmail bug of the month.

The most obvious explanation would be a simple "joe user". The cracker looks for a user with a passwd the same as his user name. Once he has access to the machine, half the battle is over. Once he has the password file (NIS services make it even worse) on one machine, he can then attempt to crack any weak password via brute force (i.e., throw the dictionary at it).

The use of a sniffer indicates he's looking for passwords to gain access to other machines. Are you running ssh? If not, anyone can read your login attempts. rhosts and hosts.equiv are another common problem. Go through inetd.conf and comment out anything you don't use or understand. (You can always re-enable it later.)

A few final pieces of advice:

Red Hat, like almost all Un*x distributions (both open and closed distributions), comes with every service under the sun enabled. Don't run sendmail, samba, httpd, ftp if you don't need them. Don't allow telnets, rlogins, or ftps from hosts outside your network. Use ssh, if you need to login from outside. Disable or replace finger. If you're not using NIS, enable shadow passwords.

Consider getting a firewall. A low-end Linux machine can be configured to work as a firewall (check out the firewall HOWTO), or use a router as a firewall.

When I was going to school, our main system was broken into and used as a staging ground for attacks on networks in 4 countries. It wasn't discovered until the idiot screwed up the password file, and brought the whole network to its knees.

Why did it happen? Our sysadmin had left 3 months ago, but never been replaced. Student accounts were numbered stu1, stu2..., with no password, for months. Telnets were allowed from anywhere. (As a student, I loved this, but, then again, I couldn't use the lab for a week, and it was 3 weeks before we could print — don't ask.)

There are a number of resources on the Net. Rootshell and CERT, as well as freshmeat.net, come to mind. There are a wide range of tools such as COPS, Tripwire, and SATAN, which can ID holes in your security.
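As an added example that is not part of the original answer: a small POSIX sh audit of the three things the answer tells the reader to look at (which inetd.conf services are still enabled, "..." directories that a trojaned ls would hide, and .rhosts/hosts.equiv files). The sample inetd.conf and directory tree are constructed here purely so the functions can be exercised offline; run the functions against a real root to audit a host.

```shell
#!/bin/sh
# Constructed sample inetd.conf (not from the original page): ftp and telnet left on,
# the r-services and finger already commented out.
make_sample_inetd_conf() {
  cat > "$1" <<'EOF'
# /etc/inetd.conf (constructed sample)
ftp     stream  tcp  nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp  nowait  root    /usr/sbin/tcpd  in.telnetd
#shell  stream  tcp  nowait  root    /usr/sbin/tcpd  in.rshd
#login  stream  tcp  nowait  root    /usr/sbin/tcpd  in.rlogind
#finger stream  tcp  nowait  nobody  /usr/sbin/tcpd  in.fingerd
EOF
}

# Print the name of every service still enabled in an inetd.conf, one per line:
# blank lines and lines whose first field starts with '#' are skipped.
enabled_inetd_services() {
  awk 'NF > 0 && $1 !~ /^#/ { print $1 }' "$1"
}

# Locate directories literally named "..." under a root. find walks the tree itself and
# does not go through ls, so a hacked ls that hides "..." entries cannot conceal them.
find_dotdotdot_dirs() {
  find "$1" -type d -name '...' 2>/dev/null
}

# Locate trust files (.rhosts, hosts.equiv) under a root; each one found should be reviewed
# or removed, since they let the sniffer's harvested hosts log in without a password.
find_rhosts_files() {
  find "$1" -type f \( -name '.rhosts' -o -name 'hosts.equiv' \) 2>/dev/null
}

# Build a constructed tree mimicking what the question describes: a "..." directory
# holding a file called linsniffer, plus one user with a wide-open .rhosts.
make_sample_tree() {
  mkdir -p "$1/tmp/..." "$1/home/alice"
  : > "$1/tmp/.../linsniffer"
  printf '+ +\n' > "$1/home/alice/.rhosts"
}
```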