[CentOS] server is always getting hacked

Thu Jul 2 16:54:33 UTC 2009
Gary Greene <ggreene at minervanetworks.com>

On 7/1/09 8:29 PM, "Michael A. Peters" <mpeters at mac.com> wrote:
> Robert Heller wrote:
>> At Wed, 01 Jul 2009 16:08:08 -0600 CentOS mailing list <centos at centos.org>
>> wrote:
>> 
>>> On Wed, 01 Jul 2009 15:05:58 -0700
>>> Gary Greene wrote:
>>> 
>>>> . With sudo,
>>>> you get a record of what command was executed with superuser rights by whom
>>>> at whatever given hour.
>>> sudo bash
>> 
>> Which in turn is logged.  Such a log entry might raise a red flag.
>> 
>> 
> 
> Speaking of logged - I don't do this but Dad set up his systems
> (solaris) to immediately boot the user and send an alert to the operator
> if the root user issued the id command and had not become root from a
> member of the wheel group.
> 
> He was a university admin, they had to have telnet open because of grad
> students doing research in countries that did not allow secure
> connections. Most of the time, that single action got the hacker off
> before any damage was done. Those were primarily Solaris systems he
> dealt with.
> 
> They also had a log server that everything was logged to (off the
> network, fed I think by serial cable if I recall but it may have been
> cat 5 - sun had funny looking serial ports that took cat 5 jacks to
> me), as local logs are easily modified once you have a root shell.
> 
> But I don't personally deal with any systems that big and complex.
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> http://lists.centos.org/mailman/listinfo/centos

The way I was taught to do log servers was to set up UDP based logging and
then just turn the NIC on the log bastion to promiscuous mode and run no
remote login applications on it, basically turning it into a black hole,
where logs go in, but you can't contact the system directly.

-- 
Gary L. Greene, Jr.
IT Operations
Minerva Networks, Inc.
Cell:  (650) 704-6633
Phone: (408) 240-1239
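The passive "black hole" collector Gary describes above, as an added example in Python (not code from the thread or from any of the posters). It reads raw frames off a NIC in promiscuous mode, so the box needs no listening UDP service and no address the sender has to reach, pulls the syslog datagrams out of them, and runs the earlier "sudo bash" red-flag check over what it sees. Assumptions, all mine: a Linux AF_PACKET socket (the SOL_PACKET constants are copied from linux/if_packet.h), an interface name of eth0, the usual sudo log line layout (`user : TTY=... ; COMMAND=...`), and the sample frames, which are constructed here for offline testing rather than captured.

```python
import re
import socket
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

SYSLOG_PORT = 514            # classic UDP syslog (RFC 3164)
ETHERTYPE_IPV4 = 0x0800
IPPROTO_UDP = 17
SOL_PACKET = 263             # values from linux/if_packet.h (assumed Linux)
PACKET_ADD_MEMBERSHIP = 1
PACKET_MR_PROMISC = 1


@dataclass
class SyslogRecord:
    src_ip: str      # from the IP header; UDP has no handshake, so spoofable
    facility: int
    severity: int
    message: str


def parse_syslog(src_ip: str, payload: bytes) -> SyslogRecord:
    """Split a datagram into PRI and text; a missing PRI reads as 13 (1.5) per RFC 3164."""
    text = payload.decode("utf-8", errors="replace").rstrip("\n")
    m = re.match(r"<(\d{1,3})>(.*)", text, re.S)
    if m and int(m.group(1)) < 192:
        facility, severity = divmod(int(m.group(1)), 8)
        text = m.group(2)
    else:
        facility, severity = 1, 5
    return SyslogRecord(src_ip, facility, severity, text)


def parse_frame(frame: bytes) -> Optional[SyslogRecord]:
    """Ethernet/IPv4/UDP frame as seen by a promiscuous socket -> record, or None if not UDP/514."""
    if len(frame) < 14 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    ip = frame[14:]
    if len(ip) < 20 or ip[0] >> 4 != 4:
        return None
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    if ip[9] != IPPROTO_UDP or total_len > len(ip) or ihl > total_len:
        return None
    udp = ip[ihl:total_len]          # drops Ethernet padding after the IP datagram
    if len(udp) < 8:
        return None
    _sport, dport, ulen, _csum = struct.unpack("!HHHH", udp[:8])
    if dport != SYSLOG_PORT or ulen < 8 or ulen > len(udp):
        return None
    return parse_syslog(socket.inet_ntoa(ip[12:16]), udp[8:ulen])


# Red flag from earlier in the thread: root shell obtained through sudo is logged, so look for it.
SUDO_RE = re.compile(r"\bsudo:\s+(?P<user>[^\s:]+)\s*:.*?\bCOMMAND=(?P<cmd>\S+)")
INTERACTIVE_SHELLS = {"/bin/bash", "/bin/sh", "/bin/zsh", "/bin/ksh", "/bin/tcsh", "/bin/su", "/usr/bin/su"}


def shell_via_sudo(rec: SyslogRecord) -> Optional[Tuple[str, str]]:
    """Return (user, shell) when the record shows sudo handing out an interactive shell."""
    m = SUDO_RE.search(rec.message)
    if m and m.group("cmd") in INTERACTIVE_SHELLS:
        return m.group("user"), m.group("cmd")
    return None


def flag_frames(frames: List[bytes]) -> List[Tuple[str, str, str]]:
    """Run the red-flag check over raw frames; returns (src_ip, user, shell) per hit."""
    hits = []
    for frame in frames:
        rec = parse_frame(frame)
        hit = shell_via_sudo(rec) if rec else None
        if hit:
            hits.append((rec.src_ip, hit[0], hit[1]))
    return hits


def sniff(iface: str = "eth0") -> None:
    """Passive collector: raw socket, NIC forced promiscuous, nothing ever listens. Needs root."""
    sock = socket.socket(socket.AF_PACKET, socket.SOCK_RAW, socket.htons(0x0003))  # ETH_P_ALL
    sock.bind((iface, 0))
    # struct packet_mreq { int ifindex; unsigned short type, alen; unsigned char address[8]; }
    mreq = struct.pack("iHH8s", socket.if_nametoindex(iface), PACKET_MR_PROMISC, 0, b"\x00" * 8)
    sock.setsockopt(SOL_PACKET, PACKET_ADD_MEMBERSHIP, mreq)
    while True:
        rec = parse_frame(sock.recv(65535))
        if rec:
            print(("RED FLAG " if shell_via_sudo(rec) else "") +
                  f"{rec.src_ip} {rec.facility}.{rec.severity} {rec.message}")


def build_frame(src_ip: str, dst_ip: str, payload: bytes, dport: int = SYSLOG_PORT) -> bytes:
    """Constructed Ethernet/IPv4/UDP frame for offline tests; checksums left at zero."""
    udp_len = 8 + len(payload)
    udp = struct.pack("!HHHH", 40000, dport, udp_len, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0, 0, 64, IPPROTO_UDP, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return b"\xff" * 6 + b"\x00\x11\x22\x33\x44\x55" + struct.pack("!H", ETHERTYPE_IPV4) + ip + udp


# Constructed sample traffic, not real captures.
SAMPLE_FRAMES = [
    build_frame("10.0.0.5", "10.0.0.250",
                b"<85>Jul  2 16:54:33 web1 sudo:   alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/bash"),
    build_frame("10.0.0.5", "10.0.0.250",
                b"<85>Jul  2 16:55:10 web1 sudo:   bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/sbin/service httpd restart"),
    build_frame("10.0.0.6", "10.0.0.250",
                b"<38>Jul  2 16:55:12 db1 sshd[2211]: Accepted publickey for carol from 10.0.0.9 port 51022 ssh2"),
    build_frame("10.0.0.7", "10.0.0.250", b"not syslog at all", dport=53),
]

if __name__ == "__main__":
    for src, user, shell in flag_frames(SAMPLE_FRAMES):
        print(f"RED FLAG: {src}: sudo gave {user} an interactive shell ({shell})")
```

Two caveats that come with this design: the promiscuous NIC only sees what the switch delivers to that port, so it belongs on a hub, a mirror/SPAN port or the same broadcast segment as the senders; and because the transport is unacknowledged UDP, the copy is lossy and the source address is whatever the sender put there, so treat it as an out-of-band audit copy that an attacker with root cannot erase, not as a complete or authenticated record.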