Picture this: You're sitting at your desk on a warm Friday morning. You get a call from the webmaster about a Linux box, so you head over to help him out. The webmaster is a bright guy, but a Microsoft guy. Very little Linux experience at all; in fact, the box was set up for him by someone no longer in the company. After figuring out what this box does (acts as a sendmail SMTP & POP3 server for bulk newsletters... [not spam]) you realize it has easily guessable passwords, is outside the firewall, and is running at least one vulnerable service (an old POP2 daemon) and some questionable services (Sun RPC and AppleTalk). To top it all off... this box is an old PowerPC...

My question: What should I do to make sure it hasn't been already cracked?

Other problems: I don't have time to do a reinstall and set it up correctly anytime soon (maybe in a week I could). It needs to continue working like it has for at least another week (we just sent out a newsletter, and it processes remove requests that trickle in). To free up disk space, the logs were regularly deleted... no current logs exist. It's not my box, so I need to be sensitive to the office politics so no one says something like, "Well, since we can't secure Linux, NO MORE LINUX."

-Marc
Marc Hughes <hughesm@tomsnyder.com> writes:
To top it all off... this box is an old PowerPC...
Well, if it was an x86 box, it probably would have already been hacked. 99% of the tools out there are for exploiting buffer overflows on x86 machines. ttyl, -- Josh Huber
Marc Hughes wrote:
It's not my box, so I need to be sensitive to the office politics so no one says something like, "Well, since we can't secure Linux, NO MORE LINUX."
h4x0rs? And I guess an even bigger concern is the office politics things. How do I bring this to the big-wigs in a "good" light?
Rather than highlight that you think the box may have been compromised (because if it has, it may be too late, but since the box has been running for some time it will likely continue to run for another week or two), the best approach is likely to indicate that it is time to update the software on the box; indicate that there are updated versions of the SMTP and POP servers available at no cost to your company. Also mention that there are some other tools that could be installed to improve security. Don't raise what could be a false alarm by saying that the box is completely unsafe and should be immediately pulled from the network (then all MS Windows IIS boxes should be pulled according to Gartner, who has been accused of being in bed with Redmond at times).

Since you have more familiarity with Linux than the current maintainer, offer to head up the effort and put together a small project plan including the transition and training of the webmaster (make your life easier later by spending the time now to train the webmaster and put together some simple, easy-to-use documentation). Not knowing your environment, that could be as simple as a to-do list on a napkin or a detailed plan with impact checklists, etc.

Rather than highlight the security holes that you know exist, HIGHLIGHT THE IMPROVEMENTS YOU WILL BE MAKING AND THE IMPROVED SECURITY YOU WILL BE PUTTING IN PLACE. Avoid getting overly technical; use simple, easy-to-understand arguments that highlight the benefits of your proposed improvements. Make sure that the "group" that owns the machine feels you are helping them, and not taking over for them. You need to make sure that they still feel that they are in control. You need to remain calm and show confidence in the previous choice of using Linux, and use this as an opportunity to show the support the open source community provides with the constant improvements that are made to open source software.

Also ensure that you get the webmaster checking the CERT advisories for the software exposed (another reason you need good docs with the version and basic config of sendmail, etc.). Another great thing is that you can show that the company will not have to outlay any cash, since the software is free. They will have the time to update the software, but think about the time to update if you were running Exchange on NT? Either way, that is a given. Use the opportunity to highlight the benefits of open source, not the dangers of the internet! Best of luck!
My question: What should I do to make sure it hasn't been already cracked?
Check out Snort at snort.org -- the ultimate CYA tool for intrusion detection... Mike

P.S. My company sells subscriptions for a 1U Linux rackmount intrusion detection appliance that leverages Snort's capabilities. It is an excellent alternative to commercial offerings' pricing and delivery models; email me for more info.
Participants (4):
- Josh Huber
- Marc Hughes
- Mike Peckar
- Tom Guilderson