[Dshield] You can't be too paranoid...

Jon R. Kibler Jon.Kibler at aset.com
Thu Mar 6 21:40:02 GMT 2003

A true story...

In all the UNIX admin and security courses I teach, I always tell my students that a healthy sense of paranoia is one attribute of a good systems or security administrator. In Philly last week, I found that I should be more paranoid.

Ancient history: 
About a year ago, I got tired of first W98, then W2K crashing my laptop, so I ditched them and replaced the O/S with RedHat. When I did the install, I killed all the standard services (sendmail, DNS, NFS, SNMP, XINETD, etc.) and figured for my purposes -- checking mail via secure IMAP, surfing the web, and logging into systems back home via ssh -- I had a reasonably secure system. After all, everywhere I planned to use the system had secure firewalls I would operate behind.

Modern history: 
So, after over a year without any security problems, I had totally erased the security issues regarding this system from conscious memory -- didn't think I had any. Then last week, I was using the system from my hotel room (which I almost never do), and I happened to notice that my response time was getting to be really pathetic and decided it was time to investigate. 

First I looked at my disk activity light, and it was on just about solid -- not particularly unusual considering the pathetically slow drives IBM puts in most laptops. So I did a 'vmstat' expecting to find that I was I/O bound, only to find over 90% CPU utilization, mostly in system processes. 

At that point, I did a mental "Oh Sxxx!" and issued a 'netstat' command -- which after 5 seconds did not respond, so I yanked the network cable from the back of the laptop. When netstat finally responded (about 20 seconds later), it showed that I had over 1000 network connections in the 'TIMED_WAIT' state -- 2 or 3 expired connections on just about every WKS port.

Well, I hadn't been hacked (yes!), but I had been probed from one end to the other. Then it occurred to me -- I wasn't behind a firewall and was not NATed -- my IP was a fully routable global IP that anyone could reach -- and the hackers had found me in under 20 minutes. UGHH!

Today's news:
Now I have the task of putting a firewall and IDS on my laptop -- just in case I ever have to use it again from an insecure location. Something I probably should have done to begin with. No, on second thought, something I should have done to begin with, no "probably" about it!

You can't be too paranoid...

Jon R. Kibler
A.S.E.T., Inc.
Charleston, SC  USA
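The symptom described above (hundreds of expired connections spread across well-known ports) is easy to spot by eye on a slow box, but a quick script can turn it into a repeatable check. This is an added example and not code from the original post; it assumes `netstat -an`-style output (Linux column layout) and a constructed sample that mimics the sweep, with the alert threshold an arbitrary tuning value.

```shell
#!/bin/sh
# Added example, not from the original post. Counts distinct well-known
# local ports (< 1024) that show TIME_WAIT entries in netstat -an output
# and flags a probable port sweep when the count passes a threshold.

# Constructed sample resembling the symptom described in the post:
# one real ssh session plus expired connections on many service ports.
SAMPLE_NETSTAT='tcp        0      0 10.1.2.3:22          198.51.100.7:41022    ESTABLISHED
tcp        0      0 10.1.2.3:21          198.51.100.9:50001    TIME_WAIT
tcp        0      0 10.1.2.3:21          198.51.100.9:50002    TIME_WAIT
tcp        0      0 10.1.2.3:23          198.51.100.9:50003    TIME_WAIT
tcp        0      0 10.1.2.3:25          198.51.100.9:50004    TIME_WAIT
tcp        0      0 10.1.2.3:53          198.51.100.9:50005    TIME_WAIT
tcp        0      0 10.1.2.3:80          198.51.100.9:50006    TIME_WAIT
tcp        0      0 10.1.2.3:110         198.51.100.9:50007    TIME_WAIT
tcp        0      0 10.1.2.3:8080        198.51.100.9:50008    TIME_WAIT'

# Read netstat -an lines on stdin; print the number of distinct local
# ports below 1024 that have at least one connection in TIME_WAIT.
# Column 4 is the local address; the port is the text after the last ':'.
count_wks_time_wait() {
    awk '$NF == "TIME_WAIT" {
            n = split($4, a, ":"); port = a[n] + 0
            if (port < 1024) seen[port] = 1
        }
        END { c = 0; for (p in seen) c++; print c + 0 }'
}

# Print "SWEEP" when more distinct well-known ports are in TIME_WAIT than
# the threshold (default 5, an assumed value), otherwise "ok".
sweep_verdict() {
    threshold="${1:-5}"
    count=$(count_wks_time_wait)
    if [ "$count" -gt "$threshold" ]; then echo SWEEP; else echo ok; fi
}

# Stand-alone run against the constructed sample; on a live host use:
#   netstat -an | sweep_verdict
printf '%s\n' "$SAMPLE_NETSTAT" | sweep_verdict
```

A single service port in TIME_WAIT is normal traffic; it is the spread across many unrelated well-known ports that distinguishes a sweep, which is why the check counts distinct ports rather than total connections.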
