LINUX SECURITY --- July 11, 2000
Published by ITworld.com, the IT problem-solving network
http://www.itworld.com/newsletters
*********************************************************************
HIGHLIGHTS
* Do hackers make the best System Administrators?
*********************************************************************
Fighting Back
by Rick Johnson
OK, a malicious hacker has just attacked you. What do you do? You could
contact their network administrator, upstream provider or even the
police. On some occasions, you'll even consider hacking back. Regardless
of the method, one thing is clear: you want revenge. The concept of
revenge is as old as time itself. Some may call it justice, but I don't
turn someone in to the authorities because it is the right thing to do.
I do it for the feeling of satisfaction received from beating them at
their own game.
Before you can go after them, you'll need to gather as much information
as possible. The first thing I check is who owns the address space the
attack came from. This is done with the following command:

    [user@testbox ~]$ whois 1.2.3.4@whois.arin.net

This will usually yield a phone number or email address to use as a
starting point. Next, you will have to decide whether to involve the
authorities or only the provider. From the very beginning, be sure to
save copies of all log files as well as accurate records of attempted
contacts and responses.
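
One way to keep those copies and records, as an added example that is not part of the original newsletter: each log is copied into a case directory with a SHA-256 manifest so later changes are detectable, and every contact attempt is appended to a timestamped record. The function names, the directory layout and the sample log line are assumptions made for illustration.

```shell
#!/usr/bin/env bash
# Added example (not from the newsletter): keep hashed copies of logs and a
# timestamped record of contacts. All names and the layout are assumptions.

# preserve_logs CASE_DIR FILE...
# Copy each log into CASE_DIR/logs (timestamps kept) and append its SHA-256
# to CASE_DIR/MANIFEST.sha256 so later tampering or damage is detectable.
preserve_logs() {
    local case_dir=$1 f name; shift
    mkdir -p "$case_dir/logs" || return 1
    for f in "$@"; do
        [ -r "$f" ] || { echo "unreadable, skipped: $f" >&2; continue; }
        # Flatten the path so /var/log/a/x and /var/log/b/x do not collide.
        name=$(printf '%s' "$f" | sed 's|^/*||; s|/|_|g')
        cp -p -- "$f" "$case_dir/logs/$name" || return 1
        (cd "$case_dir/logs" && sha256sum -- "$name") \
            >> "$case_dir/MANIFEST.sha256" || return 1
    done
    return 0
}

# verify_logs CASE_DIR: succeed only if every copy still matches the manifest.
verify_logs() {
    (cd "$1/logs" && sha256sum -c ../MANIFEST.sha256 >/dev/null 2>&1)
}

# record_contact CASE_DIR WHO METHOD NOTE
# Append one tab-separated line: UTC time, who was contacted, how, outcome.
record_contact() {
    mkdir -p "$1" || return 1
    printf '%s\t%s\t%s\t%s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$2" "$3" "$4" \
        >> "$1/contacts.log"
}

# demo: run the functions on a constructed log line in a temporary directory.
demo() {
    local tmp; tmp=$(mktemp -d) || return 1
    echo 'Jul 11 03:12:45 testbox ftpd[812]: refused connect from 1.2.3.4' \
        > "$tmp/messages"   # constructed sample, not a real log
    preserve_logs "$tmp/case" "$tmp/messages" &&
        record_contact "$tmp/case" "provider abuse desk" email "report sent" &&
        verify_logs "$tmp/case" && echo "evidence kept in $tmp/case"
}

if [ "${1:-}" = demo ]; then demo; fi
```

Run the script with the argument demo to try it on the constructed line; verify_logs can be re-run at any later time to confirm the copies are unchanged.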
No matter how hard you try to resist, eventually one day you will be
tempted to try hacking back at the attacker. Most attempts these days
originate from an unprotected Linux box. Hacking back against Linux has
become so easy these days, it is sad. Between all the recent remote root
exploits with software like WU-FTPD and BIND, it's tough to choose just
how you would want to fight back. The unfortunate part is, if the box
attacking you is vulnerable, most likely it was already hacked by
someone else and that's who attacked you. It's more effective to contact
the owner, rather than reduce yourself to that level. Besides, in most
cases it's also illegal.
The difference between a good Security Admin and a hacker is simply a
matter of their motivations. To be the good guy, you have to know where
to draw the line. The knowledge needed is basically the same. In my
mind, if you don't have the skill to be a hacker, how in the world do
you expect to protect against one?
Resources
Hack back?
Network executives have mixed feelings about whether to retaliate
against an attack.
http://www2.itworld.com/cma/ett_content_article/0,2849,1_896,00.html
A hacker's final exam: federal systems
http://www.sunworld.com/sunworldonline/swol-03-2000/swol-03-hacker.html
Locking doors, latching windows
Keep those pesky script-kiddies out of your system
http://www.linuxworld.com/linuxworld/lw-1999-12/lw-12-vcontrol_1.html
************************************************************************
About the author
----------------
Rick Johnson is currently the Manager of Security Services for an
emerging Managed Service Provider. When not writing, he heads the
development team for PMFirewall, an Ipchains Firewall and Masquerading
Configuration Utility for Linux. Rick can be contacted via email at
rick@pointman.org or on the web at http://www.pointman.org.
*********************************************************************