LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 01-17-2004, 09:34 AM   #1
fhameed
Member
 
Registered: Oct 2003
Location: Pakistan
Posts: 59

Rep: Reputation: 15
securing a linux box...how 2 trace the hacking culprit


Hi

A few days back I think somebody tried to hack my Linux box running Red Hat 9. So the best thing I did on the spot was to shut it down before any more damage could occur. I use a Linux box while the rest of my office uses Win XP behind it.

Now I've a few questions.

1) What's port 10000?
2) How do I secure my Linux box in the best possible way?
3) If I do get hacked, how do I trace the culprit?

Please guide me in the best possible way.
I use my Linux box as an internet sharing PC as well as a local web server which my employees use for local development when working with PHP. This server's got everything configured on it, and I use RAID on it as well so that all my office work is backed up on this server.

Thanks

fhameed
 
Old 01-17-2004, 10:08 AM   #2
320mb
Senior Member
 
Registered: Nov 2002
Location: pikes peak
Distribution: Slackware, LFS
Posts: 2,577

Rep: Reputation: 48
ndmp 10000/tcp Network Data Management Protocol
ndmp 10000/udp Network Data Management Protocol
 
Old 01-17-2004, 01:12 PM   #3
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
Re: securing a linux box...how 2 trace the hacking culprit

A few days back I think somebody tried to hack my Linux box running Red Hat 9.
What leads you to think that? Please post any relevant log entries that you have available (after scrubbing any identifiable IP addresses) and include as many specifics as possible.

2) How do I secure my Linux box in the best possible way?
That's a really vague question, but there are a lot of ways to secure it. Things like using a firewall, turning off any un-needed services, and keeping up with the security patches for your distro are critical in keeping your box from being an easy target. Running some form of intrusion detection system (IDS), a file integrity scanner, and running chkrootkit frequently can tip you off if your box has been compromised. The security references thread towards the top of the forum has a much more comprehensive list of links on securing your box. It's an essential read for anyone looking to harden their box. (http://www.linuxquestions.org/questi...threadid=45261)

3) If I do get hacked, how do I trace the culprit?
Hard to say, but usually the best place to start looking for evidence will be your logs. Keep your eyes open for any kind of suspicious entries (or lack of entries), things like strange logins or weird application errors. Check /etc/passwd for new users or any user besides root that has a UID of 0.

all my office work is backed up on this server.
Be very careful in using these backups. If the server has been compromised, you should consider the backups compromised as well until you can visually check that they are clean. Using the backups could potentially spread damage further, so be sure that they're alright first.

From what you've posted, all that can be said is that somehow you found that port 10000 was open. That in and of itself may mean absolutely nothing at all. So before you panic, please post any relevant info that has led you to believe you were compromised. Also be sure to: verify the /etc/passwd file, check your logs for anomalies, and download and run chkrootkit (www.chkrootkit.org) and let us know the results.
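The two checks Capt_Caveman asks for above (extra UID-0 accounts in /etc/passwd and suspicious login entries in the logs) as an added example, not code from the thread. It runs against constructed sample data embedded in the script; the account names, hostnames and addresses are made up, and the log format assumed is the syslog-style sshd line of a Red Hat 9 era /var/log/secure. On a real box, replace the samples with `cat /etc/passwd` and `cat /var/log/secure`.

```shell
#!/bin/sh
# Added example (not from the thread): passwd and auth-log checks from the
# post above, run here against constructed sample data so it works offline.

# Every account other than root whose UID is 0. Reads passwd-format lines
# from stdin and prints one account name per line.
find_extra_uid0() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }'
}

# Accounts that share a UID (a second UID-0 entry is the classic backdoor,
# but any duplicate deserves a look). Prints "uid name1 name2 ...".
find_duplicate_uids() {
    awk -F: '{ names[$3] = names[$3] " " $1; count[$3]++ }
             END { for (u in count) if (count[u] > 1) print u names[u] }'
}

# Failed SSH password attempts per source address from sshd log lines on
# stdin. Prints "count address", busiest source first.
count_failed_logins() {
    awk '/sshd\[[0-9]+\]: Failed password/ {
             for (i = 1; i <= NF; i++) if ($i == "from") { hits[$(i+1)]++; break }
         }
         END { for (a in hits) print hits[a], a }' | sort -rn
}

# Source addresses of successful root logins over SSH. Worth checking on a
# box where root is never supposed to log in over the network.
find_root_logins() {
    awk '/sshd\[[0-9]+\]: Accepted .* for root from/ {
             for (i = 1; i <= NF; i++) if ($i == "from") print $(i+1)
         }'
}

# --- constructed sample data (hypothetical accounts, hosts and addresses) ---
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
apache:x:48:48:Apache:/var/www:/sbin/nologin
dev1:x:500:500:Developer:/home/dev1:/bin/bash
toor:x:0:0::/:/bin/bash'

SAMPLE_AUTHLOG='Jan 15 03:12:01 gw sshd[2301]: Failed password for root from 203.0.113.7 port 4431 ssh2
Jan 15 03:12:04 gw sshd[2301]: Failed password for root from 203.0.113.7 port 4431 ssh2
Jan 15 03:12:09 gw sshd[2303]: Failed password for illegal user test from 203.0.113.7 port 4440 ssh2
Jan 15 08:45:10 gw sshd[2410]: Accepted password for dev1 from 192.168.1.20 port 1044 ssh2
Jan 15 09:01:33 gw sshd[2450]: Failed password for dev1 from 192.168.1.20 port 1052 ssh2
Jan 15 23:58:02 gw sshd[2601]: Accepted password for root from 203.0.113.7 port 4512 ssh2'

# Stand-alone demo over the sample data.
echo "== accounts other than root with UID 0 =="
printf '%s\n' "$SAMPLE_PASSWD" | find_extra_uid0
echo "== duplicate UIDs =="
printf '%s\n' "$SAMPLE_PASSWD" | find_duplicate_uids
echo "== failed SSH logins per source =="
printf '%s\n' "$SAMPLE_AUTHLOG" | count_failed_logins
echo "== successful root logins over SSH =="
printf '%s\n' "$SAMPLE_AUTHLOG" | find_root_logins
```

In the sample, the `toor` entry is the kind of thing the passwd check is meant to catch, and the same outside address that failed three times at 03:12 later logs in as root, which is the pattern to look for in /var/log/secure. Absence of entries matters too: a log that simply stops, or a gap, is its own clue.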
 
Old 01-19-2004, 12:37 AM   #4
jschiwal
LQ Guru
 
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733

Rep: Reputation: 682
Webmin uses port 10000.

If you have it and apache installed, you can run it through your web browser at https://localhost:10000.
Of course someone else could run it if your web server is available to the internet, and they knew or guessed your root password.
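The concern in the post above is Webmin on port 10000 being reachable from the internet on a box that also acts as the office gateway. The following is an added example, not from the thread or from any of its posters, of the kind of netfilter/iptables ruleset that fits the role described in the first post: the box shares an internet connection for a LAN and serves a development web server, so the management and development ports are accepted only from the LAN interface, and everything from the WAN side that the box did not initiate is dropped. The interface names, the LAN prefix and the `IPT` variable are assumptions; setting `IPT=echo` prints the rules instead of applying them.

```shell
#!/bin/sh
# Added example (not from the thread): iptables ruleset for a gateway box
# that shares an internet connection and hosts Webmin (10000) and a dev web
# server (80) for the LAN only. Interface names and the LAN prefix are
# assumptions passed as arguments; IPT=echo gives a dry run.

IPT=${IPT:-iptables}

configure_gateway_firewall() {
    wan=$1      # interface facing the internet, e.g. eth0
    lan=$2      # interface facing the office LAN, e.g. eth1
    lan_net=$3  # address range of the LAN, e.g. 192.168.1.0/24

    # Empty the tables and start from deny-by-default for traffic to and
    # through the box. Outbound from the box itself is left open.
    $IPT -F
    $IPT -t nat -F
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT

    # Loopback, plus replies to connections the box itself opened.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Services for the office, accepted only when they arrive on the LAN
    # interface from a LAN address. Nothing here is reachable from the WAN.
    $IPT -A INPUT -i "$lan" -s "$lan_net" -p tcp --dport 22 -j ACCEPT     # ssh
    $IPT -A INPUT -i "$lan" -s "$lan_net" -p tcp --dport 80 -j ACCEPT     # dev web server
    $IPT -A INPUT -i "$lan" -s "$lan_net" -p tcp --dport 10000 -j ACCEPT  # Webmin

    # Record attempts to reach Webmin from the internet before the policy
    # drops them; the explicit DROP keeps the intent visible in the listing.
    $IPT -A INPUT -i "$wan" -p tcp --dport 10000 -j LOG --log-prefix "webmin-from-wan: "
    $IPT -A INPUT -i "$wan" -p tcp --dport 10000 -j DROP

    # Internet sharing: LAN hosts may open connections out, replies may come
    # back, and outbound traffic is masqueraded behind the WAN address.
    $IPT -A FORWARD -i "$lan" -o "$wan" -s "$lan_net" -j ACCEPT
    $IPT -A FORWARD -i "$wan" -o "$lan" -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -t nat -A POSTROUTING -o "$wan" -s "$lan_net" -j MASQUERADE
}

# Forwarding must also be enabled in the kernel for the FORWARD rules to
# matter: echo 1 > /proc/sys/net/ipv4/ip_forward
#
# Usage (dry run):  IPT=echo sh thisscript.sh eth0 eth1 192.168.1.0/24
# Usage (apply):    sh thisscript.sh eth0 eth1 192.168.1.0/24   (as root)
if [ $# -eq 3 ]; then
    configure_gateway_firewall "$1" "$2" "$3"
fi
```

After applying, `iptables -L -n -v` should show the 10000 ACCEPT only on the LAN interface, and `netstat -tlnp` (or `lsof -i :10000`) confirms what is actually listening. Binding Webmin to the LAN address in its own configuration is a second, independent layer; as later posts in this thread point out, the firewall should not be the only thing standing between the internet and a root-level web interface.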
 
Old 01-19-2004, 12:58 PM   #5
stickman
Senior Member
 
Registered: Sep 2002
Location: Nashville, TN
Posts: 1,552

Rep: Reputation: 53
Re: securing a linux box...how 2 trace the hacking culprit

Quote:
Originally posted by fhameed
Please guide me in the best possible way.
I use my Linux box as an internet sharing PC as well as a local web server which my employees use for local development when working with PHP. This server's got everything configured on it, and I use RAID on it as well so that all my office work is backed up on this server.
This wouldn't make me feel very comfortable. You're using the system that is most likely to get hacked as the backup server.
 
Old 01-22-2004, 01:05 AM   #6
witeshark
Member
 
Registered: Jan 2004
Location: Miami FL
Distribution: Mac OS X 10.4.11 Ubuntu 12.04 LTS
Posts: 429

Rep: Reputation: 30
Being secure in Linux is EASY, actually fun: set the firewall security to HIGH, OK? NOTHING more is necessary. The only other precaution I use is running the Mac on-line, but with a High firewall in Linux there's no difference.
 
Old 01-22-2004, 07:07 AM   #7
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
I don't want to be a jerk here, but not only is that entirely wrong, it's also really irresponsible to lead people into a false sense of security, as if just because they have a firewall set to "high" they are completely safe and don't have to worry about anything else. Contrary to popular belief, a firewall is not the all-encompassing security solution that people make it out to be. It is an integral part of good Linux security, but not the only part. Keeping up on security patches is essential. Turning off un-needed services is another. Installing some form of intrusion detection is as well.

Unless you don't use any network services (like surfing the web), your Linux box will have to interact with and accept data from other systems which may or may not be malicious. Your firewall will not protect you if, for example, you happen to surf to a malicious web page that was designed to exploit Mozilla. There are dozens of other scenarios like that where it would be naive to assume your firewall would protect you.
 
Old 01-22-2004, 10:48 AM   #8
stickman
Senior Member
 
Registered: Sep 2002
Location: Nashville, TN
Posts: 1,552

Rep: Reputation: 53
Quote:
Originally posted by witeshark
Being secure in Linux is EASY, actually fun: set the firewall security to HIGH, OK? NOTHING more is necessary. The only other precaution I use is running the Mac on-line, but with a High firewall in Linux there's no difference.
Security is more than simply turning on a firewall or running an antivirus program. People who believe statements like the one above have a very false sense of security. Good security requires diligence and attention to detail.
 
Old 01-22-2004, 11:43 AM   #9
KneeLess
Member
 
Registered: May 2003
Distribution: Debian GNU/Linux 3.0 Sid, OpenBSD 3.5
Posts: 190

Rep: Reputation: 30
If you offer anything like ssh, pts/x will be used. If you want to keep a log that they can't edit, run "cat /dev/pts/# | tee -a /root/pts0log". It works for me if I let a friend on my box and want to "spy" on them. Also, disable csh, zsh, and other more seldom-used shells in /etc/shells (or, for the paranoid, delete them), as csh and others don't leave a log in their home directory. (If I remember correctly, that is.)
 
Old 01-22-2004, 12:08 PM   #10
witeshark
Member
 
Registered: Jan 2004
Location: Miami FL
Distribution: Mac OS X 10.4.11 Ubuntu 12.04 LTS
Posts: 429

Rep: Reputation: 30
Well, maybe I jumped a bit, but so far my firewall experience in doz and on Mac has been unbelievable. I used to have huge problems with port scanners and packet "attacks" in IRC. ALL of it was stopped solidly by my first firewall. NOT one time was any attempt on my old doz system successful. Am I now to understand that the Linux native firewall isn't reliable? That's not what was printed in the manual.
 
Old 01-22-2004, 12:11 PM   #11
witeshark
Member
 
Registered: Jan 2004
Location: Miami FL
Distribution: Mac OS X 10.4.11 Ubuntu 12.04 LTS
Posts: 429

Rep: Reputation: 30
I should I suppose have mentioned that I automatically include browser choice in my own security. IE in doz is so vulnerable it's beyond acceptable. I don't use Mozilla.
 
Old 01-22-2004, 12:26 PM   #12
stickman
Senior Member
 
Registered: Sep 2002
Location: Nashville, TN
Posts: 1,552

Rep: Reputation: 53
Quote:
Originally posted by witeshark
Am I now to understand that the Linux native firewall isn't reliable? That's not what was printed in the manual.
iptables works just fine. I was commenting on relying solely on a firewall. Relying only on a firewall on any platform gives you a false sense of security.
 
Old 01-22-2004, 02:27 PM   #13
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
Choice of browser is really irrelevant to what we're talking about. Pretty much every major browser that I'm aware of has a security history of some sort (Safari included). The point is that any time you connect to another system and transfer data of any kind (whether web browsing, DNS/DHCP networking, or reading an email), your computer is accepting data from another system. Your firewall has no way of knowing what a good web page looks like versus a malicious one; it just knows that you initiated the connection and that the incoming data is part of an established connection and is therefore OK. These types of attacks in general completely bypass the firewall, plus we haven't even brought up the topic of social engineering.

So under your security model, once the firewall fails (or is bypassed), you are screwed. Since you don't have any of the default services turned off (don't need to, firewall's on), there are plenty of things to attack. Since you didn't install any patches (don't need 'em, got the firewall on, right?), you have vulnerable services running which offer an entry point. And since you don't have a file scanner, you probably won't even notice the new rootkit that's been installed.

The point is that relying on any one security feature by itself is foolish (whether that's a firewall, IDS, turning off services, etc). That single point of failure is all that is needed to open you up to compromise.

And as far as firewall reliability, yes, iptables/netfilter is fairly reliable in doing what it's meant to do, which is not to be the ultimate security solution (if you look in the manual, it doesn't say that either). The only others that I think are arguably better would be the BSD firewalls (which includes Darwin's version of ipfw). I'm not an expert in Windows firewalls, but in my opinion any GUI-only firewall isn't going to be as configurable and therefore doesn't offer the flexibility needed.

Last edited by Capt_Caveman; 01-22-2004 at 02:28 PM.
 
Old 01-22-2004, 04:07 PM   #14
witeshark
Member
 
Registered: Jan 2004
Location: Miami FL
Distribution: Mac OS X 10.4.11 Ubuntu 12.04 LTS
Posts: 429

Rep: Reputation: 30
Well, I was a bit unclear and non-specific when I suggested the use of a firewall... I suppose I sort of guessed that the other, more important precautions were already in place.
Since you don't have any of the default services turned off (don't need to, firewall's on)
OF COURSE I DO. All sharing is turned off. EVERYTHING. And my God, if I was open enough for an entire rootkit to insert anywhere! Geeez, setting permissions FIRST please. I never meant to sound like I rely on a firewall or that anyone else should. I just thought that what I saw in the first post looked a little too obvious to be able to occur with a firewall on. In doz, the only firewall I ever used was Zone Labs ZoneAlarm. It was simply fantastic! It even logged any attempts to gain access and the apparent relevant IPs (meaningless of course).
 
Old 01-22-2004, 04:53 PM   #15
witeshark
Member
 
Registered: Jan 2004
Location: Miami FL
Distribution: Mac OS X 10.4.11 Ubuntu 12.04 LTS
Posts: 429

Rep: Reputation: 30
for fhameed:
The simplest way to disallow some connections to your Red Hat box is to enable the firewall. The firewall is a helpful tool, BUT IT IS BY NO MEANS a certain and absolute defense! To do this, log in as "root" and at the command line type the command "lokkit". But please be sure you're NEVER on-line as root!!!! Remember to set fairly low permissions for the user name that goes on-line. Make sure ALL file sharing is turned off except, of course, what you want. Any Internet connection results in data exchange between your box and ANYTHING you are reading, web site or e-mail. Of all the allowed connections and exchanges, the firewall has NO WAY to magically know if malicious data is sneaked in! This command is for Red Hat. I didn't see your distro. And for the record, I, like I hope we all, DO know that any Internet interaction I do has been allowed past my firewall! I mean, who could possibly NOT know such a basic, simple fact?
 