Forgot your password?
typodupeerror
The Internet

Honeynet Project: Blackhat Attack Stats 143

Posted by Hemos
from the shivers-down-your-spine dept.
edsonw writes "The Honeynet Project published an interesting paper about their work. They say: "We are psyched to announce our newest paper , Know Your Enemy: Statistics. Based on eleven months of data, we analyze the past and attempt to predict the future (...) We demonstrate just how aggressive the blackhat community is.""
This discussion has been archived. No new comments can be posted.

Honeynet Project: Blackhat Attack Stats

Comments Filter:
  • by Anonymous Coward
    Between April and December 2000, seven default installations of Red Hat 6.2 servers were attacked within three days of connecting to the Internet. Based on this, we estimate the life expectancy of a default installation of Red Hat 6.2 server to be less then 72 hours. The last time we attempted to confirm this, the system was compromised in less than eight hours. The fastest time ever for a system to be compromised was 15 minutes. This means the system was scanned, probed, and exploited within 15 minutes of connecting to the Internet. Coincidentlly, this was the first honeypot we ever setup, in March of 1999.

    Ok, that's good. Using the scientific method.

    A default Windows98 desktop was installed on October 31, 2000, with sharing enabled, the same configuration found in many homes and organizations. The honeypot was compromised in less than twenty four hours. In the following three days it was successfully compromised another four times. This makes a total of five successful attacks in less than four days.

    BULLSHIT. The Redhat server gets tested default install, out of the box. For the Win98 PC, they perform a default install and then, "oh, let's turn on file sharing, because that's what every newbie user does when they set up Win98". NOT. File sharing is NOT enabled out of the box on Win98. You might as well say "Well, let's take this FreeBSD default install, and we'll set the root password to 'password', and then we'll change the prompt info for all the daemons to say enter 'root' for username and 'password' for password you l33t h4XX0r!! yes, let's do that and see how long the box survives."

    This is what we call a double standard. However, they can't say that the NT box was 0wn3d, and they didn't even try Win2k's grip (it's a bad mother fucker).

  • by Anonymous Coward
    I was under the impression that you distinguished between Blackhats and Script-kiddies, but the white paper seem to assume that all attacks are from blackhats. The attack without OS-ID seems kiddish to me, as does scanning for specific vulnerabilities.
    Enlighten me, s'il-vous-plait...
  • by Anonymous Coward
    Uh, I think we all added
    127.0.0.1 goatse.cx
    to our /etc/hosts long ago.

    Thanks for inquiring about open source. Keep it up!
  • by Anonymous Coward
    So, basically what you're saying is that you don't want to put in the effort to learn enough to put your boxes on the Internet and not be compromised.

    I look forward to receiving sunrpc scans from your machines.
  • by Anonymous Coward on Thursday July 26, 2001 @04:14PM (#2190377)
    The fastest time ever for a system to be compromised was 15 minutes.

    So what? Nearly all /. stories are compromised within 21 seconds of being posted.
  • by Anonymous Coward on Thursday July 26, 2001 @04:44PM (#2190378)
    I put a pair of OpenBSD systems up naked (no firewall, no router, no IPF) and untouched on the net a year and a half ago. I'd patch within a couple of days when something was posted; but no remote root exploit was ever in the patches, so I wasn't too paranoid.

    Result: 0 breakins for a huge number of attempts. NetBIOS, rpc, dns, and a LOT of ftp attempts.

    Not surprisingly I'm AC'ing this post to preserve a) bandwidth b) sanity and c) track record.

    I'm VERY grateful to Theo DeRaadt and his crew and the contributors for doing such an amazingly good job. More power to them.

  • Naw, they just painted them red!

    ttyl
    Farrell
  • I've always seen script kiddie as a noun and blackhat as an adjective, and this sort of correlates with the usage in the article ("blackhat" as a noun for "attacker").

  • When I was a kid, we had to bite on aluminum foil to generate electricity to power the motherboard. The motherboard was tied to my chest with my chest hair because we couldn't afford anything else. We couldn't afford network cable so I would lick my fingers and use my arms as thicknet cables. When my brother was born they put a vampire tap on my left arm to extend the network.

    -Paul Komarek
  • All of our apache servers were hit about 29-35 times with the recent IIS bug (the .ida one). Several times from the same client.

    Our NT IIS servers where hit 0-2 times.

    Duh!
  • The only difference for most of us is that the giver is first, and it loads much faster.
  • I think if I were paranoid about being hacked before being able to download the updates, I'd think seriously about booting the machine in single-user mode and then doing my downloads. Much less risk that way. But unfortunately, this method isn't of much use to those who aren't very familiar with Unix administration.


    --
  • My FreeSCO system is an old Packard Bell 486DX2/66 with 20MB of RAM just sitting on a cardboard shelf I made inside a bookcase I use as my system rack. This system has only one ISA slot that holds my NIC and COM1 has an external US Robotics 56K baud modem. No monitor, mouse, or keyboard required. I just turn it on first and turn it off last. It work great!
  • I get scanned a few times every time I'm logged into my dialup service. Of course this has increased a lot since my local isp was sucked into Earthlink. :-(
  • For RH 6.2, before you even connect it to a network, I reccomend you have a copy of Bastille Linux [bastille-linux.org] (Which is actually a script, not a distrobution) on hand. This is great for newbies.

    As a general rule:
    run the "ntsysv" tool, and disable portmap, httpd, bind... hell disable EVERYTHING, and begin turning on things as you need them. (If you don't know what it does, turn it off, if something stops working, you know what that was and can turn it back on.)

    Comment out everything in the /etc/inetd.conf file (which only appears in a server install).

    Have nmap [insecure.org] on hand, and scan 127.0.0.1 (yourself) with it, to make certain your ports are closed. Nmap should only find port 113 (and 22 if you install SSH). Sure, you can have more open ports after that - but that is providing you know what they do.

    There is no way I can give you enough advice on how to secure a machine on a simple /. post, but the above is a good start for Red Hat 6.2.
  • Wow. If that's true, this is just crazy.

    It is true. I witnessed the very same happen to a Red Hat 6.2 machine in 10 min. The next fastest I saw was 4 hours. I have 20 Rh machines now, and when I first started with them I did not know how to secure them properly.

    I found out just how fast someone could "own" them.

    I agree, the services should be OFF by default, just like Open BSD. Maybe the powers that be will listen one day.

    For now, I install on a non-networked machine, install the patches off CD, and secure the machine before attaching a network cable.
  • The SDMI consortium? No, wait, that was something else...

    Remember: it's a "Microsoft virus", not an "email virus",

  • Not an "emacsitor". Not a "viitor". Those aren't even words! [gnu.org]

    Remember: it's a "Microsoft virus", not an "email virus",

  • by ethereal (13958) on Thursday July 26, 2001 @03:48PM (#2190391) Journal

    Some ideas:

    • Get on the security mailing list for your distribution, and religiously update. Some distros are better than others at keeping you informed; Debian seems to do pretty well. I don't know about RedHat.
    • You can mount /usr and /usr/local read-only to avoid some simple automated attacks, but you have to first move the /share directories off of those onto your /var partition. I tried this strategy for a while but ultimately gave it up as too cumbersome to use in the long run. I'd be interested in seeing a distribution adopt that approach in general, though.

    The 15-minute compromise was a little scary - at that rate, you don't have time to download RH 6.2 updates and apply them before your box is 0wn3d. Maybe start off with a more up-to-date distro so as to decrease the risk of attack during the install process? Or, you could download all the security updates onto an existing machine, then take down your external connection, install from the RH 6.2 CD, copy over and apply security updates, and only then bring up the link to the outside world.

    Remember: it's a "Microsoft virus", not an "email virus",

  • by B.D.Mills (18626) on Thursday July 26, 2001 @03:59PM (#2190392)
    A simple analysis I would like to see would be to correlate the probes and attacks over the time of the week when they occurred, with granularity measured to the hour, possibly with a 3-hour moving averages. This is likely to provide significant results.

    I once analysed the spam I received over the course of a month, and even this very limited data set revealed clearly that more spam is sent on weekends, with Sunday recording twice as much spam as Thursday. Probes and attacks are likely to follow a similar statistical pattern, in part because spammers and blackhats are an overlapping community.
    --
  • You're missing 4 things ;)

    a) stay uptodate - apply patches like there's no yesterday

    b) use an IDS like snort

    c) run logchecker and AIDE

    d) use libsafe around net-listening daemons.

    Then you'll be in the right league; whenever you get emails off these you're expected to *read* them, too.

    Me, I'm getting portmapper, FTP and DNS in approximately that order; I've also had quite a few telnet scans following the recent vulnerability in telnetd as well.
    ~Tim
    --
    .|` Clouds cross the black moonlight,
  • The fact remains that you shouldn't connect an insecure system to the Internet. It will get cracked in less time than you think. I used to send an email to abuse@* for every attempted connect to my webserver on port 111 (rpc). It got so tiresome, that I stopped bothering. I did get to hear some interesting stories though. A guy in Israel left his laptop on over the weekend, etc. Most of the compromised boxes were default redhat installs on a dedicated connection, i.e. ethernet in a dorm room, dsl or cable. Here's one of my favorites, I received this from a security admin that works at a very prestigious school with a really good CS program with some really bright students, whom you would think are better than this, somewhere in the silicon valley, in the vicinity of Palo Alto ;).

    You are receiving this in reply to your message last week alerting us

    to a port 111 scan originating from as system in our residential dorm
    network, *.*.*.* (hostname.domain.edu). Our investigation
    indicates that the system had been compromised by an outside intruder
    within hours of being installed through a port scan similar to the
    one subsequently launched from that system. The system has been
    removed from the network and is being reinstalled with a more secure
    configuration. We will be attempting to trace the intruder and may
    contact you again if successful.


    So here's a hint, learn how to use your OS before you put it on the Internet. If you're a linux fan, figure out IPTables and implement it. If you're into BSD or Solaris, use IPF and really learn it. Download the security updates for your system and apply them before you put it on the Internet. Air gap security is the best time. When you're done with your box, you should only be running a late version of (Open)SSH and whatever services you explicitly want people to connect to. Inetd should be turned off, for the most part. Unfortunately, system security is not easy. This is why it pays to be a script kiddie. They don't have to know how something works, they just need to use a script against as many boxes as possible until they find a weak one.
  • Yes, I bought a bumper sticker at Defcon that reads "My other computer is your linux box."
  • by Restil (31903) on Thursday July 26, 2001 @04:17PM (#2190396) Homepage
    What makes you think that they're not USING your system? Certainly, they might not be formatting your HD or erasing your files, but consider the fact that if they have root access to your machine and you don't know about it, then its a perfect location to work from while they scan and exploit other systems.

    While they have access to your systems, they can also sniff out passwords and gain access to other systems on your network, they can eavesdrop or log outgoing traffic and listen for something interesting, all of which they can do without ever making themselves known to the victim.

    The attacker may never do anything "malicious" to a system that he comprimises, but I can tell you for sure, no part of his activities can be attributed to "good will".

    -Restil
  • I don't think a firewall is good enough a reason not to care about the security of the backend network.
  • please, someone encourage me to hack the RSA challenge [slashdot.org]! I need the money.
  • Are there any distros with security tools installed by default?

    Mandrake now ships with Bastille.
  • Bastille is a way to beef up your system security. I believe it was actually developed for Red Hat, but RH doesn't include it. It is a script, and I think it probably has a GUI front end by now.
  • If you put up a machine to get hacked (a honeypot), aren't you partially responsible for any attacks to other machines that blackhats launch from that machine?

    This is explained in the main paper:
    http://project.honeynet.org/papers/honeynet/ [honeynet.org]

    To sum it up: they don't let spoofed packets out of their network, and limit a machine to 5 outbound connections (over some time period, I suppose, although it doesn't really say), after which the system is marked as compromised and can then be reloaded, or whatever...
  • My question is, when are distros going to start shipping with all services turned off by default? I can't imagine that any newbie is going to want to have finger, ftp, sendmail, etc running on their box. And for power users (like me), the very first thing I always do is go and turn off every single service.

    Mandrake 8.0 ships like that. It even warns you before installing about what services are running.

    And, I've found the firewall to be tighter than gnat-booty.

    HI Mom!
  • Let me get this straight. They put a box on the Net and it gets cracked. They don't expect that when they re-install and bring it back up that the SAME person wasn't going to hack it again? Or tell his friends about it?

    They say they don't try to determine unique attackers but that is just because they can't, not because they shouldn't.

    John
  • by ajs (35943)
    I love this kind of response.

    Look, the statistics are for a default install of Red Hat 6.2, which is about 1.5 years old now, but is still pretty secure if you perform the "desktop" install and then apply all of the updates.

    If you install 7.1, and then all of the (many fewer than 6.2) updates, it's even more secure owing to: 1) Red Hat 7.1 ships with an ipchains configuration 2) xinetd allows finer grain control over many of the less secure services, should you wish to turn them on.

    Red Hat is not the world's most secure OS, but let's be fair and admit that they do an excellent job of staying on top of what's out there, and providing updates to their customers. It's relatively easy to be an OpenBSD and say "our OS is secure as long as you don't install a web server", but companies like Red Hat are actually trying to solve the hard problem of general-purpose, secure operating systems and server software. If, after over a year of everyone beating on it, exploits are found in the default, unpatched version of their OS, I can live with that, as long as they have addressed the problems.


    --
    Aaron Sherman (ajs@ajs.com)
  • And hey, if you ever have to move, you won't need to pack that machine up at least. Just write, "Fragile: Computer" on the outside.

    ----
  • Use OpenBSD.
  • OK - I admit I only scanned this article - but in their explanation of the honeypot, they seem to indicate that there was no form of a firewall set up in front of the machines in the honeypot.

    I currently run FreeSco on my homebrew firewall, which is a simple NAT affair. It seems to run well, but sometimes I tend to wonder if it (and associated connected systems) might get rooted.

    I check the logs on occasion - but I am not a grand admin - so while I can tell from the logs when a portscan for 138/139 is occurring (SMB) - other possible probes would elude me.

    Or am I reading this wrong - was the honeypot protected with a cheapo (read "consumer") firewall product (like a DLink or Linksys router/firewall)?

    If not, what would the statistics have looked like if it was?

    Worldcom [worldcom.com] - Generation Duh!
  • Well, I know they aren't real firewalls - but that is how they are typically marketed. And your point about static routes is well taken (I actually plan at some point to try to set up a web server for bookmarks, and FreeSco makes it pretty easy to select a port and route it where you want - but it definitely won't be to my main box).

    Worldcom [worldcom.com] - Generation Duh!
  • by cr0sh (43134)
    The article most likely could have been summed up as:

    "If you run a system without a firewall and it is hooked up to the internet, be prepared to be cracked at some point, sooner rather than later."

    All I have to say about this is "Duh!".

    Actually, learning the techniques and tools used could be helpful - I will give it that much.

    Worldcom [worldcom.com] - Generation Duh!
  • The last paragraph of the paper:
    • ...The first goal was to demonstrate just how aggressive the blackhat community can be. The numbers demonstrate the hostile threat we all face. Remember, the Honeynet used to collect this information had no production systems of value, nor was it advertised to lure attackers. ...
  • Are there any distros with security tools installed by default?

    Actually, RedHat 7.1 has some pretty good firewall options available at install time. Even when installing a server, its a good idea to set the firewall security to 'high' to buy some time while customizing it and downloading updates. Then to erase the install-time IPChains rules when you feel safe, enter

    ipchains -F
    service ipchains save

    One thing I *love* about the RH7.1 workstation install is that sendmail is installed, BUT the sendmail.cf is actually missing a line to bind the sendmail listener to the public interface. It only includes a line to bind a listener to the loopback interface. Perfect for pointing Netscape Communicator, pine, or mutt to localhost, and even to support fetchmail without hanging sendmail out on a public interface.

    It made me a little nervous when I had to research and explain the situation to my RHCE instructor when none of us in class could route mail to each other. :)

    Finally, I swear by PMFirewall at www.pointman.org. Even for single interface hosts. That's been my firewall-building script for a couple of years. It configures masquerading as needed, and even knows about NTP's needs. Awesome script.
    --
    Steve Jackson
  • by robl (53384) on Thursday July 26, 2001 @05:52PM (#2190412)
    o There doesn't really exist a distro in the Linux realm that has a high focus on security. There are things like Bastille Linux which is a good overall Q&A tool that will really help you, but I eventually ended up learning ipchains from the command line.

    o Snort appears to be the defacto Intrusion Detector right now. There are a couple of different snort rulesets that you can use out there. You won't have much luck interpreting them unless you find a TCP/IP book to read them.

    o No. I don't know of an easy way. I think it's pretty hard.

    o What's the point?

    The point was that the HoneyNet leaves holes in their firewalls and their boxes. They turn on sharing in the Win98 box so they can monitor and detect the traffic and the new techniques. A default RedHat 6.2 box not firewalled is pointless. A RedHat 6.2 box with the latest security updates and with a firewall or with some nifty IPchains rules is still pretty good.

    The point is that if you use 6.2, you need to lock it down before you go letting it serve your email, or your webpage, or your dns domain. Heck, and it's not just 6.2. Both 7.0 and 7.1 do have security flaws in them.
  • a statistician(is that a word?) waded through a pool of water that was on average 10 inch deep. He drowned.

    //rdj
    1. Connect your new machine to your dsl/cable modem/whatever, and boot up.
    2. Your computer says hallo DHCP server, Mac address <fiddly foo> here, what's my IP?
    3. DHCP server responds hallo <fiddly foo>, you're 192.168.1.1
    4. [H4x0r3d system on the same ISP eavesdropping: a-ha! another victim!]
      hallo 192.168.1.1, how 'bout a nice juicy apple?
    5. Your machine: what is thy bidding, my master?


    --
    I have no fin
    no wing no stinger
    no claw no camouflage
    I have no more to say...
  • Gives pizza-box a whole new meaning...
  • I just got around to "installing" MonMotha's iptables firewall [dyndns.org]. I'm really quite pleased with it considering I had it configured and running within 5 minutes. It's really just a configurable script to apply iptables rules, and I hardly had to make any changes. For example, I need NFS and FTP within my LAN, but I don't want the outside world to be able to see it. Easily done with this script. Plus it has other features, like protection from ping flooding. It's not the last word in security, but for someone on a little dialup system with a few computers connected, it's a hell of a lot better than nothing at all.
  • Even though they made "no attempt to publicize" it, they also made no attempt to hide it.

    But that was the point of their experiment. I'll be you dollars to dimes that the number of computer users who throw out-of-the-box machines up on a network far outnumber the users who secure their boxes before putting them in public reach.

    It's true that having all these machines on the same network can cause inflation of their numbers. If I were a script kiddie and discovered a variety of machines with a default installation on a network, you can bet I'd have a post-it note on my computer with that network's address. The Honeynet Project looks far from being truly scientific, but it provides a view of the worst-case scenario.
  • It is insane to continue shipping Linux distros as presently formulated. No disrespect to projects like Bastille, but ordinary users shouldn't have to do this stuff. Would someone (RedHat are you listening...) like to ship a hardened Linux. I'll buy it.

    You've obviously not tried RedHat 7.1 then (I forget if it was in 7.0 or not). Very slick installer, and on the way it asks you what kind of firewall you want "secure, medium, none", and has an option for specifying rules by hand if you know what you're doing. Exactly what you want. :)

    Of course, that's not the only thing that needs doing, and RedHat has come under fire in the past about services running by default etc. IME they take this very seriously and continue to improve all the time. Part of the problem is newbies who get RedHat, cos that's what they've heard of, do a full install (which yes, does install everything - including all those daemons), don't bother keeping up to date with patches (which is now very easy to do with RedHat's up2date agent), and then get rooted. Hopefully with the way things are going this won't be so much of a problem.

  • Is the cat dead or alive?

    ________________________
  • If the most common way to patch a Red Hat system is by downloading patches through the Internet, how can someone get a RH system up and running without it being compromised in the process?
  • You have to remember, these people knew WHERE to look to attack this thing. Comparing the attack to your fire dept or something similar isn't fair, just because they don't know where exactly the emergency is going to break out. I guess in the same vein, they are pretty sure they are not going to get called for a fire on the opposite coast or something.
    Food for thought.
  • by ^DA (82715)
    "My question is, when are distros going to start shipping with all services turned off by default? I can't imagine that any newbie is going to want to have finger, ftp, sendmail, etc running on their box. And for power users (like me), the very first thing I always do is go and turn off every single service."

    Trustix does this. Or at least with very few (and securely configured) services by default.
  • An easy to install IDS?

    I would suggest using Snort (http://www.snort.org). It is not very hard to setup and the footprint on the box is pretty light weight. Also the user community around Snort is very responsive, there is a mailing list that is heavy traffic but good answers to questions can be found there (http://lists.sourceforge.net/mailman/listinfo/sno rt-users). Also Dragos Ruiu has written a FAQ located at: http://www.snort.org/FAQ.html

    As for a distro that has security built in? There is always OpenBSD (http://www.openbsd.com). Also Linux-Mandrake contains Bastille (http://www.bastille-linux.org/) which is a Linux hardening script.
  • by Apotsy (84148) on Thursday July 26, 2001 @04:50PM (#2190424)
    These numbers are meaningless. Take a look at this paragraph:
    The Honeynet network, the network used to capture data, is a basic network of commonly used operating systems, such as Red Hat Linux or Windows NT, in a default configuration. No attempts were made to broadcast the identity of the Honeynet, nor was any attempt made to lure attackers. Theoretically this site should see very little activity, as they have little value. However, attack they do, and in extremely aggressive manner.
    Even though they made "no attempt to publicize" it, they also made no attempt to hide it. Crackers would surely figure out very fast machines with IP address in a certain range are part of this project. Boxes that are set up as some sort of a "challenge" always receive more attacks than ordinary machines. Therefore, these numbers are skewed.

    A better project would be one that had a lot of machines from various volunteers all over the internet set up and collecting statistics. That way, no one could tell just by looking at the IP address whether a machine was part of the project or not. A more random sampling like that would give a much more accurate picture of how often the average machine-on-net can expect to be attacked.

  • D00d, your firewall sucks. I hacked my way in like 10 seconds. Plus your root password is to damned easy. Couldn't you think of anything more original than h0t4n4ls3x4me?
  • by ct (85606)
    Bastille is a set of Perl scripts that walk you through the process of securing/'hardening' your system. Very much like a wizard, it asks you if you want to do 'A' with an quick explanation of why you should an when you shouldn't do so.

    http://www.bastille-linux.org/ [bastille-linux.org]

    Mandrake 8.0 does include a GUI front end for it, however it does have a text mode 'menu-ish' system if you don't want the Graphics.
  • I hope this paper serves as a wakeup call to users, but it must be covered in mainstream media outlets for that to happen

    But Slashdot is mainstream media ... oh, sorry ... you must have meant MSNBC [msnbc.com].

  • Try Mandrake - it allows you to select a security level on installation. You don't have to be a guru to harden the system, just select the level of paranoia at which you would like to operate.

    Or if you are really concerned about security install OpenBSD.

  • It seems though Black Hats are described as "aggressive", they aren't particularly damaging; if you are a nobody, then you will be attacked and exploited quickly. However, lots of nobodies live without noticing this (?). Certainly it's unsettling, but something wierd is going on if all these "malicious" people have lots of power and don't use it. Makes me more friendly towards protocols that depend on goodwill for success. There's lots of stuff that is easier to do insecurely than securely, and sometimes this straddles feasible and infeasible.
  • by renard (94190) on Thursday July 26, 2001 @04:47PM (#2190430)
    Good question - in fact it's the Honeynet's FAQ No. 5 [honeynet.org].

    To summarize: Yes, but you can't launch outgoing attacks from any of the honeynet machines (they're careful that way).

    -Renard

  • I think Linux is already bankrupt. I'm not sure why it hasn't filed yet... :-)


  • Aw heck. Why not just go run OpenBSD which is secure by default? There are still root comprimises for local attackers but a few patches later that's taken care of. All in all... it's easy when you use a superior tool
  • You're right. Since RedHat 6.2 you can choose between server and workstation setups. Perhaps they should make more categories (I mean, if RH is to turn finger ON, which use are they aiming at?). Reading the article, I really don't get the feeling that connecting is very safe. I even read stories on dial-up-dynamic-ip-adress attacks, I mean, it -is- the wild west out there.
    --
  • The problem is that you don't know what they're doing with your system.

    A co-worker of mine discovered earlier this year that his Red Hat workstation had been rooted. They had taken over an infrequently used user-level account and were using it to run an IRC server with which to coordinate automated DDOS attacks. So his machine wasn't seeing a whole lot of traffic, nor was it, itself, damaged, but it was being used to cause a lot of trouble for other people.

    Interestingly, also, apparently some kernel patches had been applied, because commands like "top", "ps -ef", and "ls /proc" did not show the IRC server process, which nevertheless was there if you knew very specifically what to look for.

  • Not in this case, because a safe copy of diff (executed from a read-only floppy made at the time the system was first built) said that there were no differences between the installed copies of ls, top, and ps and the copies on the RedHat 6.2 CD.
  • answer this:

    why is it that the program/application cannot open the port when it is ran and then close the port when i kill the program???
  • Small improvement: Install, disconnect net, disable services, set up Ipchains (or iptables) to allow only connection to your vendors update site, connect, download upgrades, open your iptables where public access is really needed. Such Iptables scripts should be part of every distribution!
  • Are services up during an install ? Maybe one should ALWAYS have a firewall for the initial install and patch period.
  • by lamontg (121211) on Thursday July 26, 2001 @04:58PM (#2190439)
    The 15-minute compromise was a little scary - at that rate, you don't have time to download RH 6.2 updates and apply them before your box is 0wn3d.

    Set the machine up behind NAT. Or, install it and turn off all of the services (use lsof -i to check) and then download the patches.

  • by SuiteSisterMary (123932) <slebrunNO@SPAMgmail.com> on Friday July 27, 2001 @05:34AM (#2190440) Journal
    4 EASY fixes that people are too lazy to do
    You just refuted your own statement, son. What's the point testing security measures that, say, 80 percent of people aren't willing or able to do? That wasn't the point of this. A lot of people are told by the Linux evangelists 'just pop the CD in, follow the instructions, and the way to Paradise is clear.' So they popped the CD in, followed the instructions, and found out that Paradise is a cold, dark place indeed.
  • You're a damn fool if you install an OS on a box live on the network. Install the OS off the network, secure it, then put it on the network.

    You're also a damn fool if you run public services that aren't nice and cozy between two firewalls in a DMZ. You can't stop all attacks, but you don't have to spread your legs and beg for one either.

    Derek
  • I can pack down a RedHat box as tight as any other distro. If you expect ANY OS to be default secure and don't make an effort to lock it down, you deserve to be cracked.

    Derek
  • The Honeynet project was set up to demonstrate the threat of hacker attacks. I noticed throughout the report a certain amount of rile-'em-up sensationalism. In other words, although the data collected and their analyses are certainly important and extremely valuable, they should be taken with a grain of salt.

    Although I'm probably going to clean my unprotected RedHat 6.2 box before I connect it to the 'net again. :)
  • ... twice a honeypot has been compromised without Honeynet administrators alerted in real time. We did not detect the successful attack until the honeypots initiated outbound connections.
    I wonder if this wasn't just a toshiba laptop that phoned home [slashdot.org].
  • by cfreeze (146454) on Thursday July 26, 2001 @03:33PM (#2190451) Homepage
    I would like to see a corelation study of this information against postings to BugTraq. Information can be a two edge sword.
  • Or am I reading this wrong - was the honeypot protected with a cheapo (read "consumer") firewall product (like a DLink or Linksys router/firewall)?

    It didn't say, but I doubt it...even the really cheap firewall/routers block all incoming traffic by default. Blocking everything would pretty much defeat the purpose of having a honeynet (to learn from getting cracked).

  • The problem with secure Linuces is they are pretty boring for most people. With Red Hat, you get so many bells and whistles with the basic install. In case you haven't noticed, features sell software, not security.

    In fact, the best, most secure OS's have hardly any features at all other than basic command line programs. To create a secure system, you should start with a stripped down OS and only turn on the services and run programs that you need. That way, you know your system and everything that is running on it.

    Start out with the basic Debian system(~15MB), and add the software you want. You'll have to understand any services you run(HTTP, FTP, SSH, etc) and you'll have to install and enable those services yourself.

    Even better, go with OpenBSD. There hasn't been an OpenBSD box(default install anyway) that has been rooted in the last 4 years. With this report that shows how boxes are routinely scanned in the first 72 hours they are on the net, the OpenBSD statistic looks very impressive.

    As long as bells and whistles sell software, we will always have security problems. I don't see the emphasis on features going away anytime soon either. Thus, security professionals will always be in demand and stories about crackers and virus authors will continue to be commonplace.

  • Wow, so a Unix-like operating system without any services running is free of security holes?? Amazing.

    I heard the other day that no powered-down Windows NT system has ever been remotely compromised. That's almost as impressive.
  • by Alien54 (180860) on Thursday July 26, 2001 @04:28PM (#2190460) Journal
    My question is, when are distros going to start shipping with all services turned off by default?

    Of course, it is not Linux, but there is always OpenBSD [openbsd.org]. OpenBSD supports binary emulation of most programs from SVR4 (Solaris), FreeBSD, Linux, BSD/OS, SunOS and HP-UX.

    That said, I tend to advocate being exposed to as many distros and variants as possible. Load em up on a spare box, blow them up, etc.

    Educational, if nothing else.

  • Are services up during an install ?

    Unless things've radically changed since when I installed RH 6.1, the answer is no. You're running off a barebones system that has the software required to do the install and very little else.

    If you're paranoid (with that 15 minute figure implies that you should be), you can force the first boot session of the new Redhat system to be at a runlevel that doesn't start up networking. Then you can leisurely edit config files so that no services get started. Kick the machine into a regular runlevel, download the patches, apply them, and then carefully reenable services that you really, really need.

    I will admit that it's not the easiest solution, but it should work (barring a remotely exploitable networking bug in the kernel or client software), and it doesn't require a firewall.

  • by Erasmus Darwin (183180) on Thursday July 26, 2001 @04:32PM (#2190462)
    i would be interested how well they hide them - that is is the domain name of the network something which would attract their attention ?

    If it's anything like what happens where I work (we're a manufacturing company in a non-tech related company), even the machines without DNS entries get scanned regularly. Most of the time, it looks like they're just scanning a single port on a range IP addresses in order (our firewall has a pair of sequential addresses assigned to it, so both attempts show up right next to each other in the log file). My guess is that they aren't even bothering with DNS -- they're just scanning anything and everything that might have a security hole in it.

  • sorry for the bad link. The real link is:

    Linux Summer, by Justin Cheung [ocamd.com]

    I'll post some more info about Linux security over at http://www.ocamd.com/articles [ocamd.com]

  • I would like to see a corelation study of this information against postings to BugTraq. Information can be a two edge sword.

    It's true - the best, most original hackers probably read BugTraq religiously, looking for possible avenues to exploit. The best security admins are also looking at it (ex-hackers?). Within a day of posting, the experts know about possible exploits.

    In a short while, the expert hackers could use this information to break into vunerable systems. It would be nice to say that all systems vendors are now patching their systems, but it depends on the system...

    Within weeks, others are automating the bug detection - either for the purposes of security (detecting it) or intrusion (exploiting it). Scripts and other tools become availible.

    Script kiddies get a hold of them, and you see a dramatic rise in the number of attempted exploits - this takes 1 to 2 months (I've seen a graph somewhere). It takes time for an exploit to go from a theoretical exploit on BugTraq to a program-driven exploit that your standard hacker can use.

    At this point, the software or systems programmers of certain companies simultanously gear up their patch efforts and PR efforts.

    After some time, the patch is availible (hopefully, before the script-kiddie exploit curve reaches the critical point). Good system administrators and users apply the patches. The script-kiddie curve goes down, because they get bored scanning for the few systems that haven't installed the patch.

    And then, there's the poor administrator or user that never checks for patches, or simply has to try out patches for a while before applying them across the enterprise. Eventually, the script-kiddie and this guy's system will meet.

    That's probably the corelation that will be found - a nice curve showing exponentially rising exploit attempts after a post to BugTraq, reaching critical after a month or two, then a sharp dampning after the patch is released, never declining to zero. If you search, you may even find a similar graph or study.

    The answer isn't to restrict information, just be aware of this extra information, and place yourself further up the curve.

  • RedHat 7.1 ships with very few services on with the "workstation" install. Xinetd is not even part of the install AFAIK.
    -
  • by aussersterne (212916) on Thursday July 26, 2001 @04:48PM (#2190473) Homepage
    I'm a fairly proficient Unix/Linux admin, and I was fighting script kiddies left and right on my home machine for several years (I got rooted twice over three years). I was running my main Linux box with masquerading and filtering for a couple of other PCs and my laptop, at first on ISDN and then on cable. The only reason I didn't install a dedicated firewall at home all that time was because it felt cumbersome, like it would take up extra space and electricity and just be overkill for the small "home" network sitting behind it.

    But finally I just got tired of being scanned all the time and seeing people always trying things, so (not wanting to shell out $$$ for a commercial firewall/router), I got some spare parts: a 486DX4/100 board, 16MB ram, a floppy, and two 3Com 3c509 cards. Basically, spare parts.

    I bolted the parts all into a cardboard box (it works, just find a stiff box, poke holes in it with a screw driver, and use washers with your screws). Then, I put Freesco [freesco.org] (which is Linux-based) on a floppy disk and put the box between my local network and the outside world.

    It's been running for a year now and I haven't even thought about it since. Not a single outsider has even come close to touching my PCs -- the Freesco 486-cardboard-box firewall/router has worked very well and I have yet to have to manually reboot it.
  • by sfe_software (220870) on Thursday July 26, 2001 @05:50PM (#2190476) Homepage
    ...just how often attempts are made on systems. My webserver runs RedHat 6.2 and ipchains, and so does my home firewall (cable modem). I constantly see NetBIOS attempts, which of course have no effect. My home system has a dynamic IP, but I get about the same number of attempts on both setups (about 30 attempts per day), all unique source IPs, most resolving to DSL and cable providers.

    A friend using dialup receives about 20 attempts per day, also Linux/ipchains, and of course also dynamic IP. This is most likely random scans for vulnerable Windoze boxen...

    I have to wonder, with 20 to 30 attempts per day on my own systems, how many Windoze boxen are comprimized each day, with the owner probably knowing nothing about it? I suspect the attackers would install a trojan of some sort for later use...

    I also log other attempts, but it seems the NetBIOS ones are the most common. They all follow the same pattern, with three attempts. The second attempt is 2 seconds after the first, and the third 1 second later (mind you, ipchains is set to DENY, so the attacker apparently has a very short timeout set). The pattern suggests either the same hacker tool in use, or (more likely IMO) perhaps a worm seeking more systems to infect...

    I just find this disturbing; more and more home users run Windoze with cable/xDSL and are staying connected all the time, with no firewalling. Some run home networks and thus have NetBIOS enabled over TCP/IP...

    I'm not sure what my point is, other than to corroborate with the article. Security by obscurity especially doesn't apply in this case (I have a dynamic IP thus it's not likely I'll be attacked - which is no longer the case). Not to mention the false sense of security some Linux users have (eg, those who install RedHat 6.2 and keep all defaults, with FTP/telnet open, etc). I've seen many a stock RH box comprimised in less than a week.

    - Jman
  • I'm not all that suprised at the agressiveless of blackhats. There are some extremely frightening statistics though:
    we estimate the life expectancy of a default installation of Red Hat 6.2 server to be less then 72 hours. The last time we attempted to confirm this, the system was compromised in less than eight hours. The fastest time ever for a system to be compromised was 15 minutes. This means the system was scanned, probed, and exploited within 15 minutes of connecting to the Internet.
    I've been doing home network consulting in an unofficial capacity, for my co-workers at a major telecom equipment company - where you'd epect the engineering staff to be extremely technically knowlegable - and I've been frightened to find the number of home users - even technical people - who don't realize the need for proper security. It indicates a great failure of user education in the internet comunity. I hope this paper serves as a wakeup call to users, but it must be covered in mainstream media outlets for that to happen

    --CTH
  • If you put up a machine to get hacked (a honeypot), aren't you partially responsible for any attacks to other machines that blackhats launch from that machine?

    Trolls throughout history:

  • by YoGi Beretta (240183) on Thursday July 26, 2001 @06:10PM (#2190482)
    Really there isn't, I always keep a good old ax right next to the cat5 going to the router, and if theres ever hacking going on, BAM chop dat sucka into peices and the bitch never knows what happened

  • How to set up your own honeypot
    This [rootprompt.org] is another interesting article on building your own honeypot.
    Or paste: http://www.rootprompt.org/article.php3?article=210
  • Crackers would surely figure out very fast machines with IP address in a certain range are part of this project.

    Seems to me that the Honeypot boys (and, of course, gerls) might have put some flagitiously powerful boxes emulating some more modest boxes on their little lan.

    Even their website is so, well, modest, anyone would be taken in.

    I take it that the IP of honeypot is a world away from their actual honypot?

    And on to a security question - is TurboLinux Server harder than RH or Debian? I don't want to spend the dollars without knowing. Answers on a postcard please to McDermott, Guyana (seriously - there are only two persons with that surname in the country - I'm one and the other is my wife!)

  • Know Your Enemy: Statistics

    I don't need a Honeynet Project whitepaper to tell me that Statistics is my enemy. I learned that in school years ago!

  • "The results were scary"
  • I was happy though that I had my previous SunOS/Solaris ski11z to get me through the partitioning and network setup

    A word of warning if you try to use your Linux and/or Windows skills to partition OpenBSD for the first time. I figured that all 'fdisk' programs work pretty similar, so I didn't RTFM. It turns out that they have a completely different concept of 'partition', and I blew away all of the other OSes on the box. Live and learn.

    It's a nice little OS, though, if a little spartan.

  • First off, I want to make the distinction that those popular NAT boxes aren't actually firewalls. They let you share a single IP, a firewall would protect a whole range of IPs. Just a pet peeve.

    Anyway, if your concern is that a hacker might break through your NAT router, you can generally relax. At it's default setting, these boxes are very secure, IP packets just don't get through them. Of course there are a few caveats. The first is that the box itself can't be flawed. I've never heard of someone hacking one but it could be possible if the engineers that designed it really screwed up badly. More likely though, the only method of attack a hacker can realisticly do would involve any static routes you had set up.

    For example, if you set all traffic to port 80 to route to your server because you wanted to host your own web site, and the web server you were using had a security flaw in it, then the hacker could still exploit it. So there really isn't any get-out-of-being-hacked-free card here, but it does cut down on the number of possible entry points.

    My point is that buying a cheap NAT box is a very good security decision, I encourage everyone who doesn't have something already in place to get one.

  • by blang (450736) on Thursday July 26, 2001 @05:26PM (#2190498)
    I bolted the parts all into a cardboard box (it works, just find a stiff box, poke holes in it with a screw driver, and use washers with your screws).

    A cardbox box? What extravaganza! In my day we were lucky to find a grocery bag to throw the parts in.

    A grocery bag? What luxury! When I was a kid, we were lucky if we had a nail to bolt the motherboard to the wall.

    Nail and board? When I was a kid, we had to make our own transistors, write an assembler, nick a car battery, and if we were lucky, we'd find a piece of string to hold the bits together.

  • by astaines (451138) on Thursday July 26, 2001 @03:55PM (#2190499) Homepage
    Two points :-
    • It is insane to continue shipping Linux distros as presently formulated. No disrespect to projects like Bastille, but ordinary users shouldn't have to do this stuff. Would someone (RedHat are you listening...) like to ship a hardened Linux. I'll buy it.
    • The statistical results are fascinating. It looks like very simple (therefore automatable...) statistical methods could give a very useful warning of impending doom.

      Anthony Staines

  • by Ulwarth (458420) on Thursday July 26, 2001 @03:41PM (#2190502) Homepage
    "The fastest time ever for a system to be compromised was 15 minutes. This means the system was scanned, probed, and exploited within 15 minutes of connecting to the Internet."

    Wow. If that's true, this is just crazy.

    My question is, when are distros going to start shipping with all services turned off by default? I can't imagine that any newbie is going to want to have finger, ftp, sendmail, etc running on their box. And for power users (like me), the very first thing I always do is go and turn off every single service.
  • That non preparation and non attention to security leaves you with a vulnerable and insecure network.

    No surprise really - the statistics indicate that they have a high rate of attack on their unsecured systems yet i would be interested how well they hide them - that is is the domain name of the network something which would attract their attention ? Ceratinly the average home user would be very scared reading these statistics which is the point i guess but makes me wonder are we scare mongering here ?

    If they have gone out and setup a honeypot domain that looks very attractive to the script kiddies then im not surprised that they are attracting attention - having said that my organisation is about the most boring thing on the planet and we have a large amount of intrusion attempts (christ knows if they managed to get in we would get sued for boring hackers to death).

    I still cant help but wonder if this stuff is simple setup to attract publicity and attention ?
  • Good point on the cable modem one but i pose the questions for a good reason - im an @home user and i run Zone Alarm or Black Ice (depending on system rebuild status) - permanently on line and works all day pulling down shit (including ahem warez) average 2 scans a week and thats it.

    My concern is that this threat to home user stuff is like negative media stories on web shopping or credit card hacking, sure it happens but how often ? what are we doing here - scaring the customer shitless ?

    Being security concious is a good thing but i have friends on dial up who worry about being hacked (they might have somm important pron pictures is guess) and they wont buy or pay for anything on line because 'hackers' might get me.

    Have we convinced users that there is such a threat to the point where they will believe any line they are fed ? this would explain why third rate software like Norton Home Firewall is so popular.

    I would like to see some proof these guys have nothing on their systems that appears like a 'hack me' sign to the cript kiddies out there ?

    Myabe i am just cynical
  • by electroniceric (468976) on Thursday July 26, 2001 @03:39PM (#2190512)
    While informative, the paper was a little above the level of reading for those of us who are uhhh "budding" security experts. I've found this problem when trying to install an intrusion detection system on my RH6.2 486 box.

    Anyone have suggestions for references an easy-to-install intrusion detection system? Maybe with a GUI?
    Are there any distros with security tools installed by default?
    Anyone know of an easy way to image a system setup I like, boot it off a CDROM then mount in disks for data?

    Besides, if these boxen were compromised in hours, what's the point?
  • by Tloluvin (471275) on Thursday July 26, 2001 @09:08PM (#2190514)
    They _do_ use your system.

    In _exactly_ the way Restil speculates.

    I do security work at a large, stable not.dot.com. I'm the guy who goes through the IDS and firewall logs. Every single working day. Every day, I see anywhere from two to a dozen probes. _Every_ _friggin_ _day_! Blackhats just scan and scan and scan. Looking for the chump who left his network services turned on after a default install (Redhat version). Or the chump who didn't turn off file sharing (NT version). The ones whose handiwork falls under my eyes generally know very little about the systems and networks they target. They really don't need to. They make up for it in volume and persistence. See a new netblock? Scan it on port 111! You might get lucky! Some box you check out may have that port open! If so, try a nice rpc.statd exploit! The facts that _this_ netblock consists entirely of boxes with that service turned _off_, and that the firewall is configured to drop packets sent to port 111 on the floor anyway, is not a problem. The Internet is just _full_ of populated netblocks! Two seconds later, your script just checks out the next one on the list. While _you_ chat on IRC with your fellow lowlives. :-)

    Once a vulnerable box is found, exploitation is swift. 0wned.

    And then? Well, you probably have no _idea_ of the number of host sweeps like the above mentioned, that I have seen the firewall log records of, where the source and destination ports are identical and privileged (i.e., below 1024). That almost always means that the IP this traffic came from has, itself, been compromised. The poor bastard who is the owner-of-record has no clue what purposes the iron he payed good money for is being used for. None.

    The first time I ever spotted a host sweep in a log, I made a point of finding out as much as possible about the IP of origin. I scanned it, I checked out whether I could connect to ports 21, 23, and 25 (ftp, telnet and mail .. I could), etc. I didn't try to gain _access_. That _is_ hacking, which I despise. But I _did_ try to gain _information_. It was so fucking sad, the picture I finally assembled. The attack came from a RedHat 6.0 box run out of a little one-lung web hosting company in Anaheim. The place was so small that the Administrative, Technical, and Billing contacts I saw in the whois output were all the same guy! No firewall that I could find. The DNS records just _sitting_ _there_, all the routers with router-type names, and functionality blurted out in HINFO records, for Christ's sake! The RedHat itself box was just completely wide open. The connect to port 23 just gave the OS major and minor revisions away. Ditto port 25. And port 21 just about made me fucking cry. It was .. you guessed it .. wuftpd. The banner gave up the branding and version .. which was vulnerable as hell to remote root compromise. How long do you think the blackhat that rooted this box took to get in? 10, maybe 15 minutes, from first discovery? Less?

    That's the picture which has formed in my mind. A world just _full_ of boxes put together by very busy well-meaning, trusting people who just don't _understand_ just how _fast_ they will be rooted if they don't spend some serious quality time to think about how they are going to secure what they build.

    Its the Wild West out there folks. Really.

    BTW, much as I love Linux, OpenBSD-based firewalls just _ROCK_! Ipfilter is _so_ much better than even iptables that there is absolutely no comparison. My firewall resides on an old Pentium-90 shitbox that I bought for $50. It's fast enough for my dialup line. If you have a 24/7 broadband connection, consider an IDS. If snort is good enough for Stephen Northcutt ("Mr. IDS" to peons like me and most of the folks reading this :-), then its bloody well good enough for others. And the price is right. :-) If you are looking for an Industrial Strength IDS for the enterprise, I have only one word of advice: stay the HELL away from RealSecure. _Really_.

    "Let's stay safe out there."

    BTW, Hemos: thanks a million for the link. I printed out the whole article (5 pages) and tacked it to the outside of my cube. I also sent the link to my boss, my bosses boss, and the lady who is in charge of security awareness in my outfit. Yes, that means that the dozen or so folks I work with now know my Secret Identity. :P

You are in the hall of the mountain king.

Working...