I need to "harden" my Fedora 1, Fast !!
19 years 9 months ago #7341
by jacko0
I need to "harden" my Fedora 1, Fast !! was created by jacko0
Hi all,
As normal I turn to you guys for help (I hope you don't mind too much).
I need to harden my Linux Fedora Core 1 server.
I found www.bastille-linux.org and it looks like it can do the job.
I have a text-based system, so I downloaded:
Bastille-2.1.7-1.0.noarch.rpm
perl-Curses-1.06-1.rhfc1.dag.i386.rpm
Installed both and tried to run the script, but when I do I get the following error:
[root@jacko sbin]# ./bastille
WARNING: /usr/bin/perl cannot find Perl module Tk.
The above module(s) is/are required to correctly display
the Bastille User Interface. If you are unable to find a
pre-compiled module for your OS, they can be found at:
www.cpan.org/modules/01modules.index.html
If you installed the modules in another installation of
perl besides the one listed in the error message, you may
override Bastille's search path by setting the
$CORRECT_PERL_PATH environment variable to the directory
that the desired perl binary is located in.
So I checked my path:
echo PATH=$PATH
PATH=/usr/kerberos/sbin:/usr/kerberos/bin:/usr/local/bin:/bin:/usr/bin:/usr/X11R6/bin:/home/xn08991/bin://usr/bin/perl:/usr/bin/perl
and perl is in there, so I don't know why it won't run.
Can you help before I get hacked!
Because my PHP web site was offline, and when I checked the logs it looks like MySQL had shut down... but why???
The service called mysqld had stopped!
I am getting loads of failed attempts to log in, but have I been hacked?
Feb 18 10:19:30 jacko sshd(pam_unix)[675]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=air244.startdedicated.com user=root
Feb 18 10:19:35 jacko sshd(pam_unix)[8064]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=air244.startdedicated.com user=root
Feb 18 10:19:39 jacko sshd(pam_unix)[16226]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=air244.startdedicated.com user=root
Feb 18 12:20:34 jacko shutdown: shutting down for system halt
Feb 18 12:20:34 jacko init: Switching to runlevel: 0
Feb 18 12:20:35 jacko saslauthd[26560]: server_exit : master exited: 26560
Feb 18 12:20:35 jacko saslauthd: saslauthd shutdown succeeded
Feb 18 12:20:35 jacko mysqld: Stopping MySQL: succeeded
Feb 18 12:20:39 jacko httpd: httpd shutdown succeeded
Feb 18 12:20:39 jacko sshd: sshd -TERM succeeded
Feb 18 12:20:39 jacko xinetd[24258]: Exiting...
Feb 18 12:20:40 jacko xinetd: xinetd shutdown succeeded
Feb 18 12:20:41 jacko crond: crond shutdown succeeded
Feb 18 12:20:41 jacko syslog: klogd succeeded
Feb 18 12:20:41 jacko exiting on signal 15
Feb 18 12:26:09 jacko syslogd 1.4.1: restart.
Feb 18 12:26:09 jacko syslog: syslogd startup succeeded
Feb 18 12:26:09 jacko syslog: klogd succeeded
Feb 18 12:26:09 jacko sshd: succeeded
Feb 18 12:26:09 jacko xinetd: xinetd startup succeeded
Feb 18 12:26:09 jacko xinetd[26790]: xinetd Version 2.3.12 started with libwrap loadavg options compiled in.
Feb 18 12:26:09 jacko xinetd[26790]: Started working: 7 available services
Feb 18 12:26:10 jacko crond: crond startup succeeded
Feb 18 12:26:10 jacko saslauthd[26808]: detach_tty : master pid is: 26808
Feb 18 12:26:10 jacko saslauthd[26808]: ipc_init : listening on socket: /var/run/saslauthd/mux
Feb 18 12:26:10 jacko saslauthd: saslauthd startup succeeded
Feb 18 12:26:10 jacko rc: Starting webmin: succeeded
Feb 18 12:26:10 jacko init: no more processes left in this runlevel
Feb 18 12:54:28 jacko sshd(pam_unix)[29730]: check pass; user unknown
Feb 18 12:54:28 jacko sshd(pam_unix)[29730]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=62.94.10.80
Feb 18 12:54:31 jacko sshd(pam_unix)[29736]: check pass; user unknown
Feb 18 12:54:31 jacko sshd(pam_unix)[29736]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=62.94.10.80
Feb 18 12:54:34 jacko sshd(pam_unix)[29743]: check pass; user unknown
Feb 18 12:54:34 jacko sshd(pam_unix)[29743]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=62.94.10.80
Feb 18 12:54:37 jacko sshd(pam_unix)[29752]: check pass; user unknown
Feb 18 12:54:37 jacko sshd(pam_unix)[29752]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=62.94.10.80
Feb 18 12:54:40 jacko sshd(pam_unix)[29758]: check pass; user unknown
Feb 18 12:54:40 jacko sshd(pam_unix)[29758]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=62.94.10.80
19 years 9 months ago #7343
by sahirh
Sahir Hidayatullah.
Firewall.cx Staff - Associate Editor & Security Advisor
tftfotw.blogspot.com
Replied by sahirh on topic Re: I need to "harden" my Fedora 1, Fast !!
First, the easy stuff: Your Perl is in the right place... it's just not got a module called TCL/TK installed, which allows a GUI to come up.. you can google for TK and install it (perl has a repository called CPAN that will allow you to install the module really easily.. should be a breeze.. otherwise rpmfind will have an rpm for it I'm sure).
Now... to the logs... hmm this is an odd one.. if someone had got in, you shoulda seen a 'success' logon event in the log.. the SSH login might just be regular scans but I can't be certain...
I would say you take your box off the network.. change all the passwords on it.. and try and lock it down.. patch it.. and then also switch to public/private key ssh authentication.... also run your SSH on a non-standard high port (something like 12465 for example)... I would also run a
netstat -anpA inet
to see the listening daemons and their process names.. check for anything strange..
Also run chkrootkit to make sure you've not had a rootkit installed.
If the system stores important data, I say you rebuild the box (ouch).
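Two of the checks in the reply above can be scripted so they are repeatable: auditing sshd_config for the port and authentication settings it recommends, and reducing "netstat -anpA inet" output to a short list of listening daemons. The script below is an added example, not code from the thread; the sshd_config files and the netstat output it reads are constructed (the real config is normally /etc/ssh/sshd_config), the PIDs are placeholders, and the PermitRootLogin check is my addition to the reply's advice, assuming the old OpenSSH default of "yes", since every failure in the pasted log targets root.

```shell
#!/bin/sh
# Added example, not from the thread:
#   audit_sshd_config - flags the default port, password auth and root login
#   tcp_listeners     - "port program" list from saved netstat -anpA inet output

# Effective value of a keyword: sshd takes the first match, keyword names are
# case-insensitive and '#' starts a comment. Match blocks are not handled.
sshd_opt() {   # sshd_opt FILE KEYWORD DEFAULT
    v=$(sed 's/#.*//' "$1" | awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }')
    printf '%s\n' "${v:-$3}"
}

# Prints one line per weak setting; exit status is the number of findings.
audit_sshd_config() {   # audit_sshd_config FILE
    f=$1; n=0
    [ "$(sshd_opt "$f" Port 22)" = 22 ] && {
        echo "Port 22: move sshd to a non-standard port"; n=$((n + 1)); }
    [ "$(sshd_opt "$f" PasswordAuthentication yes)" = yes ] && {
        echo "PasswordAuthentication yes: switch to keys, then turn passwords off"; n=$((n + 1)); }
    [ "$(sshd_opt "$f" PubkeyAuthentication yes)" != yes ] && {
        echo "PubkeyAuthentication off: key login must stay enabled"; n=$((n + 1)); }
    [ "$(sshd_opt "$f" PermitRootLogin yes)" = yes ] && {   # assumed old default: yes
        echo "PermitRootLogin yes: the brute-force attempts all target root"; n=$((n + 1)); }
    return "$n"
}

# From netstat -anpA inet output, list TCP sockets in LISTEN state as
# "<port> <pid/program>"; the bound address is dropped to keep it readable.
tcp_listeners() {   # tcp_listeners FILE
    awk '$1 == "tcp" && $6 == "LISTEN" { n = split($4, a, ":"); print a[n], $7 }' "$1"
}

WEAK=$(mktemp); HARD=$(mktemp); NETSTAT=$(mktemp)
trap 'rm -f "$WEAK" "$HARD" "$NETSTAT"' EXIT

# constructed: a stock-looking config
cat > "$WEAK" <<'EOF'
Port 22
Protocol 2
PermitRootLogin yes
PasswordAuthentication yes
EOF

# constructed: after following the reply (12465 is the port it suggests)
cat > "$HARD" <<'EOF'
Port 12465
Protocol 2
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
EOF

# constructed netstat -anpA inet output with placeholder PIDs; the perl
# process on 10000 is what webmin (started in the log above) looks like.
cat > "$NETSTAT" <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:3306            0.0.0.0:*               LISTEN      1234/mysqld
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1300/sshd
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1350/httpd
tcp        0      0 0.0.0.0:10000           0.0.0.0:*               LISTEN      1400/perl
udp        0      0 0.0.0.0:111             0.0.0.0:*                           900/portmap
EOF

echo "== weak sshd_config ==";      audit_sshd_config "$WEAK" || echo "findings: $?"
echo "== hardened sshd_config ==";  audit_sshd_config "$HARD" && echo "findings: 0"
echo "== listening TCP daemons ==";  tcp_listeners "$NETSTAT"
```

The listener list is where "check for anything strange" happens: every port/program pair should map to a service you know you run (here mysqld, sshd, httpd and webmin's perl process), and a process name that is a bare interpreter is worth tracing back to its script before deciding it is harmless.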
19 years 9 months ago #7348
by jacko0
Replied by jacko0 on topic Re: I need to "harden" my Fedora 1, Fast !!
Ok, I have changed the port to a higher number, until I sort out the SSH keys.
So the Perl is in the right place, but you say I need a module called TCL/TK installed, which allows a GUI to come up.
But I only have text-based access to the server (ssh), not GUI. So do I still need this? Sorry for being stupid :oops:
I have run chkrootkit and it found nothing.
So it may just be me getting paranoid. I noticed that I am not using a firewall. I have seen something called iptables; should I start that?
If so I'd better read up on how to use it!!
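The iptables question above goes unanswered in the thread. As an added example (not from the thread or from any of its posters), here is a minimal default-deny ruleset for the server described in it: a public web site, SSH on the moved port, and nothing else reachable from outside. SSH_PORT is a placeholder for whichever port sshd was moved to; the script defaults to a dry run that prints the commands, and applying them needs root.

```shell
#!/bin/sh
# Added example, not from the thread: a baseline host firewall with iptables.
# DRY_RUN=1 (the default) prints the rules; DRY_RUN=0 applies them as root.
SSH_PORT=${SSH_PORT:-12465}   # placeholder: the port sshd was moved to
DRY_RUN=${DRY_RUN:-1}

ipt() {
    if [ "$DRY_RUN" = 1 ]; then echo "iptables $*"; else iptables "$@"; fi
}

# Default-deny inbound; allow only what the server is meant to serve.
# MySQL (3306) stays closed: the PHP site talks to it locally. Webmin (10000)
# stays closed too; reach it through an SSH tunnel rather than the open net.
apply_baseline() {
    ipt -F INPUT
    ipt -P INPUT DROP
    ipt -P FORWARD DROP                        # this box is not a router
    ipt -P OUTPUT ACCEPT
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A INPUT -m state --state INVALID -j DROP
    ipt -A INPUT -p tcp --syn --dport 80 -j ACCEPT            # public web site
    ipt -A INPUT -p tcp --syn --dport "$SSH_PORT" -j ACCEPT   # SSH on the moved port
    ipt -A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT
    ipt -A INPUT -m limit --limit 3/min -j LOG --log-prefix "iptables-drop: "
}

apply_baseline
```

The trailing LOG rule is what makes the policy auditable: anything that reaches it is about to be dropped by the INPUT policy, and the rate limit keeps a port scan from filling the same log file the sshd failures land in.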
19 years 9 months ago #7349
by MezzUp
But I could be wrong
Replied by MezzUp on topic Re: I need to "harden" my Fedora 1, Fast !!
It seems to me that Bastille is a GUI program, and therefore can't be run from the command line. www.bastille-linux.org/bastille1.jpg
> So the Perl is in the right place, but you say I need a module called TCL/TK installed, which allows a GUI to come up.
> But I only have text-based access to the server (ssh), not GUI. So do I still need this? Sorry for being stupid :oops:
19 years 9 months ago #7350
by jacko0
Replied by jacko0 on topic Re: I need to "harden" my Fedora 1, Fast !!
But when I read this chart for Fedora Core 1 it seems to indicate that it will run on text only using "perl-Curses from Dag Wieers":
perl-Curses (Text/Console)
It seems to show it here
www.bastille-linux.org/perl-rpm-chart.html