Security holes, how do hackers get in?

Hi,

I've been told that I may have suffered a hacker attack and also that it could've been because I was running old versions of ssh, ssl, ftp, bind, sendmail and apache.

Now my question is this: how does a hacker get in if ssh is restricted to certain IPs? How do they use other services (apache, bind, sendmail, ftp etc.) to get into the system and gain root access? I'm currently upgrading all services to the newest releases to prevent this happening again; is there anything else I should be doing?

Thanks
choccarlmAsked:

liddlerCommented:
You either break in via a flaw that allows you to predict what the machine is looking for and inject your traffic in, which the server thinks is coming from somewhere else, or you use a buffer overflow, where an extra bit of code is added onto the end of some data going into a buffer. This code is then executed by the kernel as a privileged user, and can then be used to run something else, such as adding a malicious user.
Other things to do: latest kernel patches, firewall, go through your startup scripts, make sure nothing is started that you don't need.
Titan is an excellent resource to help harden your machine (http://www.fish.com/titan/TITAN_documentation.html).
But definitely keep all internet facing services (sendmail, bind, apache etc.) patched up to date.
0
mbarbosCommented:
There are many ways in which security can be compromised, many types of attacks and so on. Have a look at www.securityfocus.com and you'll see that there were problems with almost everything (and get scared ;-).

An old example is sendmail. Sendmail allowed emails to be piped to commands (this feature is used by mailing list managers like majordomo). But the default configuration till version xx (I don't remember) allowed everybody to do that. Imagine what happens if you can run a command (maliciously) remotely on a mail server with the mail daemon rights. And on Solaris user sendmail has uid 0 (which means root).

Nessus (www.nessus.org) is also a good tool to check your server security. There is also an article about nessus: http://www.securityfocus.com/infocus/1741

And to state once again what liddler said: "keep all internet facing services (sendmail, bind, apache etc.) patched up to date".
0
choccarlmAuthor Commented:
Thanks,

Also I've been told to update my kernel. What's the easiest way of doing this and where can I find kernels? Also, what is the main purpose of the Linux kernel?
0

liddlerCommented:
You can get the kernel source from whoever your distribution comes from, i.e. www.redhat.com for RedHat or www.linux-mandrake.com for Mandrake.
The kernel is the core of the operating system, the same as DOS or Windows XP is on Microsoft machines.
0
mbarbosCommented:
Depending on what you are using, see
http://www.redhat.com/support/resources/howto/kernel-upgrade
http://en.tldp.org/HOWTO/Kernel-HOWTO

Also one maybe interesting page: http://www.governmentsecurity.org

What's the purpose of the kernel? Hmm. Basically it is the core of the OS.

0
mbarbosCommented:
Nice liddler, you're faster :)
0
choccarlmAuthor Commented:
Thanks guys, is there any way of splitting the points?
0
mbarbosCommented:
There should be a split button somewhere below the comment area...
0
choccarlmAuthor Commented:
I can't see it, I'll ask the mods.

One more quick question. I've just purchased Mandrake 9.2 Pro Suite. It comes with sshd 3.6, which is the same version I've got the source files for. Do I uninstall the rpm that comes with the o/s and install from source, or is it safe to leave the one that comes with it? This goes for all packages.

Thanks
0
mbarbosCommented:
None. You install the packages as they came and, after you have installed the machine, trimmed it down to what's necessary only and secured it, you use the UPGRADE feature for your distribution. This should contact a server from the vendor (or a mirror) and fetch and install the necessary packages.
If you register, you'll also receive emails when an upgrade is available.
0
choccarlmAuthor Commented:
I can't use the upgrade feature as the servers don't currently have an internet connection, and when they do, they won't be booting using the GUI, it will be command line only. Is it safe to leave the packages that are installed?
0
mbarbosCommented:
There should also be a command line tool for upgrading.

Best would be to do the upgrade through a firewall first and then put them on the net.
0
choccarlmAuthor Commented:
OK, but if it's the latest rpm that's been installed during install then it should be quite safe, or not?
0
mbarbosCommented:
Bad luck can always strike, but yes, you might have a chance :)
Anyway, install tripwire or something similar before connecting the machine to the net.
0
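The "tripwire or something similar" advice above, shown as a minimal file-integrity baseline script. This is an added example, not part of the original thread and not the Tripwire tool itself; it assumes a POSIX shell with GNU coreutils (`sha256sum`) or Perl's `shasum` as a fallback, and the function names are this example's own.

```shell
#!/bin/sh
# Added example: record a SHA-256 digest of every regular file under a
# directory before the machine goes on the net, then later report what was
# added, removed or modified. Assumes sha256sum (GNU coreutils) or shasum.
set -eu

# Print the SHA-256 hex digest of one file.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Write one "digest<TAB>path" line per regular file under $1, sorted by path.
# Keep the output somewhere the machine itself cannot rewrite it (read-only
# media or another host): a baseline an intruder can edit proves nothing.
baseline_create() {
    find "$1" -type f | LC_ALL=C sort | while IFS= read -r f; do
        printf '%s\t%s\n' "$(hash_file "$f")" "$f"
    done
}

# Compare directory $2 against baseline file $1. Prints one line per drift
# (ADDED / REMOVED / MODIFIED <path>) and returns 1 if anything drifted, 0 if
# the tree still matches the baseline.
baseline_check() {
    base=$1
    dir=$2
    current=$(mktemp)
    baseline_create "$dir" > "$current"
    report=$(awk -F'\t' '
        NR == FNR { old[$2] = $1; next }           # first file: the baseline
        !($2 in old) { print "ADDED\t" $2; next }  # second file: current tree
        old[$2] != $1 { print "MODIFIED\t" $2 }
        { delete old[$2] }                         # seen: not removed
        END { for (p in old) print "REMOVED\t" p }' "$base" "$current" | LC_ALL=C sort)
    rm -f "$current"
    [ -n "$report" ] && printf '%s\n' "$report"
    [ -z "$report" ]
}
```

Typical use is `baseline_create /etc > /mnt/cdrom/etc.baseline` before the box goes online, then `baseline_check /mnt/cdrom/etc.baseline /etc` from cron; a non-zero exit is your signal that something changed.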
choccarlmAuthor Commented:
Cheers, your advice has been really helpful, thanks a lot
0