[Dshield] You can't be too paranoid...
Jon R. Kibler
Jon.Kibler at aset.com
Thu Mar 6 21:40:02 GMT 2003
A true story...
In all the UNIX admin and security courses I teach, I always tell my students that a healthy sense of paranoia is one attribute of a good systems or security administrator. In Philly last week, I found that I should be more paranoid.
About a year ago, I got tired of first W98, then W2K crashing my laptop, so I ditched them and replaced the O/S with RedHat. When I did the install, I killed all the standard services (sendmail, DNS, NFS, SNMP, XINETD, etc.) and figured for my purposes -- checking mail via secure IMAP, surfing the web, and logging into systems back home via ssh -- I had a reasonably secure system. After all, everywhere I planned to use the system had secure firewalls I would operate behind.
So, after over a year without any security problems, I had totally erased the security issues regarding this system from conscious memory -- didn't think I had any. Then last week, I was using the system from my hotel room (which I almost never do), and I happened to notice that my response time was getting to be really pathetic and decided it was time to investigate.
First I looked at my disk activity light, and it was on just about solid -- not particularly unusual considering the pathetically slow drives IBM puts in most laptops. So I did a 'vmstat' expecting to find that I was I/O bound, only to find over 90% CPU utilization, mostly in system processes.
At that point, I did a mental "Oh Sxxx!" and issued a 'netstat' command -- which after 5 seconds did not respond, so I yanked the network cable from the back of the laptop. When netstat finally responded (about 20 seconds later), it showed that I had over 1000 network connections in the 'TIMED_WAIT' state -- 2 or 3 expired connections on just about every WKS port.
Well, I hadn't been hacked (yes!), but I had been probed from one end to the other. Then it occurred to me -- I wasn't behind a firewall and was not NATed -- my IP was a fully routable global IP that anyone could reach -- and the hackers had found me in under 20 minutes. UGHH!
Now I have the task of putting a firewall and IDS on my laptop -- just in case I ever have to use it again from an insecure location. Something I probably should have done to begin with. No, on second thought, something I should have done to begin with, no "probably" about it!
You can't be too paranoid...
Jon R. Kibler
Charleston, SC USA
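The check Jon ran by hand (netstat, then eyeballing the TIME_WAIT pile-up across well-known ports) can be turned into a small detector. The following is an added example, not code from the original post or from DShield: it parses Linux-style `netstat -an` output and flags any single remote host that has left TIME_WAIT residue on many distinct well-known local ports, which is the sweep signature described above. The netstat sample, the addresses, and the threshold of five ports are constructed for illustration.

```python
import re

# Constructed sample of `netstat -an` (Linux layout), not the author's real capture:
# one remote host (198.51.100.7) has touched a run of well-known service ports,
# a second (203.0.113.5) has a single ordinary expired IMAPS connection.
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.0.2.10:22           198.51.100.7:40122      ESTABLISHED
tcp        0      0 192.0.2.10:21           198.51.100.7:40130      TIME_WAIT
tcp        0      0 192.0.2.10:21           198.51.100.7:40131      TIME_WAIT
tcp        0      0 192.0.2.10:23           198.51.100.7:40132      TIME_WAIT
tcp        0      0 192.0.2.10:25           198.51.100.7:40133      TIME_WAIT
tcp        0      0 192.0.2.10:80           198.51.100.7:40134      TIME_WAIT
tcp        0      0 192.0.2.10:110          198.51.100.7:40135      TIME_WAIT
tcp        0      0 192.0.2.10:143          198.51.100.7:40136      TIME_WAIT
tcp        0      0 192.0.2.10:993          203.0.113.5:51000       TIME_WAIT
"""

# proto recv-q send-q local:port remote:port state
LINE_RE = re.compile(r"^tcp6?\s+\d+\s+\d+\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s*$")


def parse_netstat(text):
    """Yield (local_port, remote_host, state) for each TCP line of netstat -an output."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield int(m.group(2)), m.group(3), m.group(5)


def sweep_report(text, min_ports=5):
    """Group TIME_WAIT entries on well-known local ports (< 1024) by remote host.

    Normal traffic leaves TIME_WAIT on the one or two ports you actually serve;
    a single peer leaving it on many distinct well-known ports is a port sweep.
    Returns {remote_host: sorted local ports} for hosts at or over the threshold.
    """
    ports_by_host = {}
    for lport, rhost, state in parse_netstat(text):
        if state == "TIME_WAIT" and lport < 1024:
            ports_by_host.setdefault(rhost, set()).add(lport)
    return {h: sorted(p) for h, p in ports_by_host.items() if len(p) >= min_ports}


if __name__ == "__main__":
    for host, ports in sweep_report(SAMPLE_NETSTAT).items():
        print(f"possible sweep from {host}: ports {ports}")
```

On a live system, feed it the real output (`netstat -an` or `ss -tan`, adjusting the regex for `ss`'s column order) and run it from cron or a shell alias so the alert fires before the response time does.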