Rootkit infections: AARRGH!

Tom Buskey tbuskey at gmail.com
Mon May 9 09:24:01 EDT 2005


On 5/9/05, Brian <gnhlug at karas.net> wrote:
> Couple of things come to mind, not as resolutions, but as best practices...
> 
> 1, NEVER allow root access via SSH.  You should have to login as a user, and
> then su - to root, or better yet setup a sudoers file.

If you have a user login to the system, you should *never* need to
login as root.  If you have sudo setup (with ALL), you shouldn't need
su either.  root should be able to have a disabled password at that
point, except for single user login (fsck at boot up...).  I haven't
tested that of course & there are issues.

> 2, ONLY allow ssh connections from trusted IPs, not the whole world.

3.  Do not allow SSH v1 protocol.  Only allow v2.  v1 has known,
unfixable, vulnerabilities.

> Those 2 things alone will cut your headache factor down by about 80%

More basics:
    If you don't need the daemon running, turn it off.
chkconfig --list | grep on helps.

    Run a private firewall that closes all ports; both incoming and
outgoing ports need to be done.  Open up only the ones that need to
be.

    If your ports are all TCP, you can ssh in and tunnel everything.
Running ssh on a different port protects you from script kiddies that
only scan port 22 but real crackers will ferret things out.  That'll
thwart the automatic scanners that are most of the scans.

> If the box has a CDROM, I'd suggest mounting a CD with chkrootkit there, as
> well as copies of ls, lsof, top, (etc).  That way you have a nice read-only
> copy of things that can't be altered.  This makes it easier to remotely
> recover from (and/or detect) such an attack.

In fact, I'd recommend rebuilding from scratch.  You don't know for
sure what's been compromised.  A rootkit detector will only find
compromises it knows about.  There are cracks that are not known.
Others have been reported to the maintainers but not fixed yet.
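Added here as an illustration of the sshd points raised above (no root login over SSH, protocol 2 only, and what moving off port 22 does and does not buy you); it is not part of the original post. It audits an sshd_config with only grep and awk and runs over two constructed sample configs written to a temp directory.

```shell
#!/bin/sh
# Audit an sshd_config for the points raised in the thread: root login over
# SSH, the SSH-1 protocol, and whether sshd still sits on port 22.
set -eu

# Effective value of a directive. sshd honours the FIRST occurrence of a
# keyword, so a later "PermitRootLogin no" does not override an earlier "yes".
sshd_value() {   # $1 = config file, $2 = keyword, $3 = default if absent
    val=$(grep -i "^[[:space:]]*$2[[:space:]]" "$1" | head -n 1 | awk '{print $2}')
    printf '%s\n' "${val:-$3}"
}

# Prints one FINDING/NOTE line per issue; always returns 0 so callers can
# count lines instead of relying on the exit status.
audit_sshd_config() {
    cfg=$1
    prl=$(sshd_value "$cfg" PermitRootLogin unset | tr 'A-Z' 'a-z')
    [ "$prl" = no ] || echo "FINDING: PermitRootLogin is '$prl'; set it to 'no' and use sudo"
    proto=$(sshd_value "$cfg" Protocol 2)
    case $proto in
        *1*) echo "FINDING: Protocol '$proto' still offers SSH-1; use 'Protocol 2'" ;;
    esac
    port=$(sshd_value "$cfg" Port 22)
    [ "$port" != 22 ] || echo "NOTE: sshd on port 22; moving it only hides you from automated scans"
    return 0
}

# Constructed sample configs for the demo (not taken from any real host).
write_sample_configs() {
    dir=$(mktemp -d)
    printf 'Port 22\nProtocol 2,1\nPermitRootLogin yes\n' > "$dir/weak"
    printf 'Port 2222\nProtocol 2\nPermitRootLogin no\n'   > "$dir/hardened"
    echo "$dir"
}

# Demo run over both samples.
samples=$(write_sample_configs)
for f in weak hardened; do
    echo "== $f =="
    audit_sshd_config "$samples/$f"
done
rm -rf "$samples"
```

Point it at a real file with `audit_sshd_config /etc/ssh/sshd_config` after sourcing the script; the NOTE line restates the thread's caveat that a non-standard port stops automated scans, not a determined attacker.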
