DaemonForums > OpenBSD > OpenBSD Security

Am I being hacked?

#1
3rd September 2010
newbsdied
Port Guard
Join Date: Sep 2010
Posts: 11

NM. Just talked to a police officer and he said they have local police that will be able to handle that. I am going to call them first.

#2
3rd September 2010
shep
Real Name: Scott
Arp Constable
Join Date: May 2008
Location: Dry and Dusty
Posts: 1,503

I do not have the unix admin skill that many of the regulars on this forum do, but I have tried a lot of Linux variations and 3 of the main BSDs. They all have their strengths and weaknesses. There are ways to watch a flash video in a BSD but not with the convenience of a browser plugin. For me choosing an OS to install boils down to 3 factors:

1) Hardware - I have a small, low powered Asus C3 Terminator that uses the Via SATA driver. In OpenBSD it only supports 1 drive - I had a SATA hard drive and a SATA DVD drive. NetBSD only supported the chipset as RAID. It works fine in FreeBSD 7 but gives an interrupt storm in FreeBSD 8. No issues with Linux kernel > 2.6.26.

2) What I want to do - If I want to surf the internet and watch flash videos from a browser plugin securely, in my opinion your best option is Linux, and if you want 64-bit processing, a Linux with 32-bit libs, since the 64-bit Flash plugin for Linux has a security flaw that has not been fixed. If I want a secure home ftp server or web server, OpenBSD is a good choice. The availability of software packages also plays a factor in what you want to do. FreeBSD by far and away has the most packages, the largest community and the most rapid development.

3) A somewhat hard to quantify factor is how well the BSD is working. I recently tried to set up a NetBSD xfce4 desktop on wireless. The NetBSD wiki (with the wireless instructions) went down months ago and the maintainers that set up a new wiki decided to "audit" the wiki content. They must be very busy because the new wiki is still devoid of any content and new users attempting to configure a new NetBSD install have to rely on cached web pages. Additionally, the binaries at the NetBSD nyftp site generate a host of errors at install and the NetBSD guide has not even updated the fact that the pkgsrc ftp site moved from California to New York, although you can find it somewhere in the mailing lists. My sense is they support too much with too few developers.

So I would recommend starting with a description of your hardware and what you want to do with it.

#3
4th September 2010
BSDfan666
Real Name: N/A, this is the interweb.
Banned
Join Date: Apr 2008
Location: Ontario, Canada
Posts: 2,223

It's doubtful that this is someone attacking your system, but we don't know for sure. Even so, it's a common occurrence for automated attempts to happen daily.

Make sure you configure your system software properly, and use the built in firewall, pf.

Calling your local authorities was highly premature, and in the case of a successful remote exploitation, there is very little they can do if the attack is taking place from another country.

The potential exploit mentioned by shep is utilizing the shared memory functionality of Xorg to exploit the Linux kernel when X is running with elevated (root) privileges.

This new vulnerability, while partly an X bug, is currently only a concern when using the Linux kernel.. it will not have any effect on OpenBSD and this is also partly because of the security features enabled by default, an adaptation will not be easy.

It is also described as a local privilege escalation, not a remote attack vector.

@shep, it would be nice if in the future you would avoid scaring the heck out of new users.

#4
4th September 2010
shep
Real Name: Scott
Arp Constable
Join Date: May 2008
Location: Dry and Dusty
Posts: 1,503

Sorry, I was not trying to scare the H out of new users.
The xorg exploit would not affect an OpenBSD system, but I am not sure what would happen with Linux-based Opera and fedora-base in OpenBSD as the OP indicated.

I am not aware if anyone has looked at whether fedora-base and Linux Opera are at risk, but why chance it, particularly when OpenBSD runs so well all by itself?

#5
4th September 2010
BSDfan666
Real Name: N/A, this is the interweb.
Banned
Join Date: Apr 2008
Location: Ontario, Canada
Posts: 2,223

The vulnerability is possible because of a Linux kernel bug; they used a separate vulnerability in X to exploit the kernel vulnerability.

When you run Linux software on OpenBSD there is no Linux kernel involved, OpenBSD simply emulates the system calls and approximates their behaviour.

For example, if hypothetically you managed to run an X server compiled for Linux under an OpenBSD kernel (..which is NOT possible), the available exploit would only crash the X server and that is all.

It is possible that a program other than X could trigger this kernel vulnerability, X was just a demonstration.. as until KMS (..kernel mode setting) is widely implemented X has to run a lot of code in userland as root.

If you're going to run Linux software on OpenBSD, don't run it as root anyway, that's just asking for trouble.

#6
3rd November 2010
newbsdied
Port Guard
Join Date: Sep 2010
Posts: 11

I see you guys went off topic here. I know for a fact my computer is being attacked by a stalker. I don't have a degree in computers or the relevant experience like you guys. I switched to OpenBSD to avoid the problem and it has worked to some extent.
How do I know I am getting hacked?

Every flavor of Linux/Unix I try crashes. My Windows crashes. It never used to happen. I have checked the hard drive for errors and the memory. I have DoS attacks on my router from hundreds of IPs. I have had all my email accounts hacked and passwords changed. I have the strictest firewall settings on all OSs. I have 30+ character passwords. I have a wireless router with a strict firewall running WPA2 with 30+ random keys (numbers, upper, lower case, symbols). I keep up with patches and updates on all systems. I even have sudo disabled. I have to su to a wheel user then su to root to make changes. I have someone who posts to most forums I am in with taunts like, "I am going to start attacking your contacts now." I am pretty sure I am getting stalked. Why? I don't know. I don't have confidential data or any admin access to anything useful. It's probably some loser who knows I don't know much and they decided to make themselves feel powerful by attacking me. Sociopaths are everywhere. Some are serial killers, others are low level hackers who know they can't mess with people like you guys, who actually know something, so they target people who don't know anything.

So can someone help me? How do I trace an attack? I have googled it to death, but nothing I can understand comes up.

This week a new problem came up without making any changes. Now when I try to increase the backlight on my laptop, the backlight turns off completely. This happens in OpenBSD only.

#7
3rd November 2010
BSDfan666
Real Name: N/A, this is the interweb.
Banned
Join Date: Apr 2008
Location: Ontario, Canada
Posts: 2,223

You're sounding paranoid, even delusional.. instead of jumping to the conclusion of a mass conspiracy.. consider the possibility of faulty hardware, or if you're receiving a lot of unsolicited network traffic (..99% of this is automated, not targeted) then ask your ISP to assist you, or even better.. just ignore it!

You can not be physically injured by an individual or group of individuals DoSing your home IP, unless you leave some gaping hole open that we're unaware of.. there is unlikely to be anyone who has remote access to your system.

Of course, nobody here can be certain that you aren't being targeted.. but it would take a considerable amount of time, effort (..and technical know-how) to even do what you're suggesting.

It sounds like someone has scared you into believing this, FUD, take the time to do some research about these subjects.. avoid such forums and/or antagonizing people.. and abandon the web identities that may be tracked back to you, if possible.

You need to be confident, determined, and unwavering.. just keep doing the things that are important to you.

I hope that helps, but really, I'm not qualified to be counselling you.

#8
3rd November 2010
ocicat
Administrator
Join Date: Apr 2008
Posts: 3,318

Quote (newbsdied): How do I know I am getting hacked?

By searching for factual evidence, & avoiding hyperbolic traps.
  • The first thing is to look at the log files in /var/log. For starters, look at /var/log/authlog. Assuming that you aren't filtering out SSH traffic at your outermost router, you will likely see sizable attempts to log into root, or guesses at account names & passwords. This happens to most. If you don't want this traffic within your local network, determine whether your router (which I assume is some all-in-one commercial product) can filter port 22 (SSH). If your router can't, either ignore the problem or begin studying pf(4) to build your own firewall. A popular tutorial is:

    http://home.nuug.no/~peter/pf/

    Also, begin serious study of pf(4) as presented in the official FAQ:

    http://www.openbsd.org/faq/pf/index.html
  • Do you have a static IP connection to the Internet or DHCP? Are you leaving your connection open to the Internet all the time? This is a possible reason for why you are attracting script kiddies. They are simply looking for working IP addresses, & once they find one, they run their little scripts which will begin poking. If you leave access to the Internet on all the time, this gives them plenty of opportunity to look for holes.

Quote (newbsdied): Every flavor of Linux/Unix I try crashes. My Windows crashes. It never used to happen.

Okay, begin looking for common themes. Either your hardware is going bad, or you are perpetuating bad habits.

Quote (newbsdied): I have the strictest firewall settings on all OSs. I have 30+ character passwords. I have a wireless router with a strict firewall running WPA2 with 30+ random keys (numbers, upper, lower case, symbols). I keep up with patches and updates on all systems.

My suggestion would be to go to a library & begin reading introductory networking texts. Douglas Comer is a good author for starters.

Quote (newbsdied): I even have sudo disabled. I have to su to a wheel user then su to root to make changes.

Personally, I believe sudo(8) is a better choice, but that is my opinion.

Quote (newbsdied): So can someone help me? How do I trace an attack?

Learn networking, pf(4), & tcpdump(8).

Quote (newbsdied): This week a new problem came up without making any changes. Now when I try to increase the backlight on my laptop, the backlight turns off completely. This happens in OpenBSD only.

Even though you are the originator of this thread, you are changing subjects. Since you have already started a similar thread on this topic, I would advise anyone responding to this thread to ignore this last unrelated subject.

Still, upon review, you have already strayed once before. Your initial inquiry was on "error 1" before digressing into concerns over being hacked. Please, stay on one subject. If you want to discuss something else, start a new thread.

Our goal is to facilitate searching, as lots of people search these threads. One way to make this simple is to limit threads to a single subject.

#9
3rd November 2010
ocicat
Administrator
Join Date: Apr 2008
Posts: 3,318

Thread split from original:

http://www.daemonforums.org/showthread.php?t=5101

3rd November 2010
divadgnol67
Fdisk Soldier
Join Date: Jul 2009
Posts: 79

Turn off your computer, go outside, take a deep breath. It's really not that bad out there.

Best of luck to you.

3rd November 2010
rocket357
Real Name: Jonathon
Wannabe OpenBSD porter
Join Date: Jun 2010
Location: 127.0.0.1
Posts: 429

First off, how do you know you're being attacked (other than some jerk talking trash on the internet)? What hard evidence do you have?

The first step would be to verify what type of traffic you have running on your network. You can do this by running tcpdump in *capture* mode (-w on an OpenBSD box...requires read priv on /dev/bpf* (by default rw for root only)), then analyze the traffic later (-r on an OpenBSD box).

Once you have a baseline, you can research the traffic types and see what services are causing said traffic. You may find a nefarious program (rootkit or somesuch), but chances are good you'll find out that the traffic is legit.
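A worked version of the capture-then-analyze step rocket357 describes, added here as an example and not code from the thread or from OpenBSD: it takes the decoded text of a tcpdump -r run and reduces it to a per-service baseline. The interface name em0, the workstation address 192.168.1.10 and the decoded lines themselves are constructed assumptions; the parser expects OpenBSD tcpdump's IPv4 "src.port > dst.port:" layout.

```shell
#!/bin/sh
# Added example, not code from the thread or from OpenBSD: reduce the decoded
# text of a tcpdump(8) capture to a per-service baseline so each kind of
# traffic can be matched to the program that generates it. IPv4 only; the
# parsing assumes OpenBSD tcpdump's "src.port > dst.port:" line format.
#
# Capture first (reading /dev/bpf* needs root on OpenBSD), decode later:
#   tcpdump -n -i em0 -w /var/tmp/baseline.pcap                     # -w: capture mode
#   tcpdump -n -r /var/tmp/baseline.pcap | traffic_baseline 192.168.1.10   # -r: read back
# "em0" and the workstation address are assumptions; take yours from ifconfig(8).

# Constructed decoded-capture sample (not a real capture).
SAMPLE='12:00:01.000001 192.168.1.10.49152 > 93.184.216.34.80: S 1:1(0) win 65535
12:00:01.020001 93.184.216.34.80 > 192.168.1.10.49152: S 2:2(0) ack 2 win 65535
12:00:01.030001 192.168.1.10.49153 > 93.184.216.34.443: S 3:3(0) win 65535
12:00:02.000001 203.0.113.7.40000 > 192.168.1.10.22: S 4:4(0) win 1024
12:00:02.000500 192.168.1.10.22 > 203.0.113.7.40000: R 0:0(0) ack 5 win 0
12:00:03.000001 192.168.1.10.5353 > 192.168.1.1.53: 1234+ A? example.com. (29)
12:00:04.000001 198.51.100.9 > 192.168.1.10: icmp: echo request'

# traffic_baseline ME: reads decoded tcpdump text on stdin and prints
# "role port count". role is "service" when ME is the server side of the
# packet and "client" when a remote host is. The server side is taken to be
# the end holding the well-known (<1024) port, so replies to our own web
# requests fold into "client 80" instead of counting as inbound noise.
traffic_baseline() {
    awk -v me="$1" '
        function host(a,  n, p) { n = split(a, p, "."); return (n == 5) ? (p[1] "." p[2] "." p[3] "." p[4]) : a }
        function port(a,  n, p) { n = split(a, p, "."); return (n == 5) ? p[5] : "-" }
        $3 == ">" {
            src = $2; dst = $4; sub(/:$/, "", dst)
            sp = port(src); dp = port(dst)
            if (sp == "-" || dp == "-") {            # no ports: ICMP or similar
                key = ($5 == "icmp:") ? "icmp" : "other"
                server = host(dst)
            } else if (sp + 0 < 1024 && dp + 0 >= 1024) {
                key = sp; server = host(src)         # a server replying to a client
            } else {
                key = dp; server = host(dst)         # a client talking to a server
            }
            role = (server == me) ? "service" : "client"
            count[role " " key]++
        }
        END { for (k in count) print k, count[k] }' | sort
}

# baseline_sample: the constructed sample as seen from 192.168.1.10.
baseline_sample() {
    printf '%s\n' "$SAMPLE" | traffic_baseline 192.168.1.10
}

baseline_sample
```

The "service" rows are what remote hosts are asking this machine for (here, one host knocking on port 22 and one ICMP echo request), and the "client" rows are the services this machine reaches out to on its own. A capture of an ordinary browsing session should be almost entirely "client" rows; anything unexplained under "service" is what to line up against the programs actually listening on the box.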

4th November 2010
newbsdied
Port Guard
Join Date: Sep 2010
Posts: 11

Thanks guys. I will use tcpdump when I get home. I will read up on the pf firewall. I think I am about to switch my router to static from DHCP. The pf firewall seems harder to understand, but I will see if I can make sense of it. Thanks to all the people who responded.

5th November 2010
jggimi
More noise than signal
Join Date: May 2008
Location: USA
Posts: 7,975

  1. You are not alone. Many people panic when computer operations do not go as expected, and assume the worst.
  2. Any publicly addressable IP address, anywhere on the planet, gets probed constantly by bad guys.
    1. Most use simplistic automation that scans for open TCP or UDP ports, and records them for later attack by specific software designed for attacking a specific service that uses that port number.
    2. Most commonly, they go after poorly maintained Windows boxes.
    3. Any service with a known hole ever in its life will be probed, to see if that service is poorly maintained.
    4. Examples of common attacks:
      1. ftp servers will be constantly probed to see if there is a userid "Administrator" because if a Windows box is running an ftp service, brute force attacks can be used against poor password selection -- such as "Administrator". Simple dictionary attacks against accounts like that are common.
      2. sshd servers will be probed for common userids: "root" and "test" and others, with similar dictionary attacks. If you run sshd(8) with password authentication disabled entirely, you will still see these constant attempts in your logs, even though no password will ever be accepted.
I use PF's state management tools for my public services just to reduce the size of my logs -- not because they'll ever get in.
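Putting ocicat's advice to read /var/log/authlog together with jggimi's point about using pf state tracking to keep the logs small, the following is an added example and not code from the thread or from OpenBSD: it tallies failed sshd(8) password attempts per source address, picks out the sources above a threshold, and prints the pfctl(8) commands that would put them in a table. The log lines, the table name bruteforce, the egress interface group and the 5/30 rate are constructed or assumed, and the pf.conf fragment in the comments is one possible rule, not the default ruleset.

```shell
#!/bin/sh
# Added example, not code from the thread or from OpenBSD: count failed
# sshd(8) password attempts per source address in authlog, list the sources
# over a threshold, and emit the pfctl(8) commands that would add them to a
# pf(4) table. Table name, interface group and rate are assumptions.

# Constructed authlog excerpt in OpenSSH's "Failed password" format (not a
# real log). On a live box read the real file as root:
#   failed_logins < /var/log/authlog
SAMPLE='Nov  3 04:10:01 obsd sshd[12001]: Failed password for root from 203.0.113.5 port 51234 ssh2
Nov  3 04:10:03 obsd sshd[12001]: Failed password for root from 203.0.113.5 port 51235 ssh2
Nov  3 04:10:05 obsd sshd[12003]: Failed password for invalid user test from 203.0.113.5 port 51236 ssh2
Nov  3 04:11:00 obsd sshd[12010]: Failed password for invalid user admin from 198.51.100.9 port 40001 ssh2
Nov  3 04:12:00 obsd sshd[12020]: Accepted publickey for scott from 192.168.1.20 port 50000 ssh2
Nov  3 04:13:00 obsd sshd[12030]: Failed password for root from 198.51.100.9 port 40002 ssh2'

# failed_logins: reads authlog text on stdin; prints "count address", highest
# count first. Only "Failed password" lines count; "Accepted" lines do not.
failed_logins() {
    awk '/sshd\[[0-9]+\]: Failed password for/ {
             for (i = 1; i <= NF; i++)
                 if ($i == "from") { n[$(i + 1)]++; break }
         }
         END { for (a in n) print n[a], a }' | sort -k1,1nr -k2,2
}

# offenders THRESHOLD: addresses with at least THRESHOLD failures, one per line.
offenders() {
    failed_logins | awk -v t="$1" '$1 >= t { print $2 }'
}

# pfctl_commands THRESHOLD: print (do not run) the pfctl invocations that
# would load each offender into a table named <bruteforce> (assumed name).
pfctl_commands() {
    offenders "$1" | while read -r addr; do
        echo "pfctl -t bruteforce -T add $addr"
    done
}

# The matching /etc/pf.conf fragment (an assumption, not the default pf.conf):
# rate-limit new SSH connections per source and move any source that opens
# more than 5 in 30 seconds into the table, flushing its existing states too.
#   table <bruteforce> persist
#   block in quick from <bruteforce>
#   pass in on egress proto tcp to port ssh flags S/SA keep state \
#       (max-src-conn-rate 5/30, overload <bruteforce> flush global)

# Stand-alone demonstration on the constructed sample.
printf '%s\n' "$SAMPLE" | failed_logins
printf '%s\n' "$SAMPLE" | pfctl_commands 3
```

Run failed_logins against the real authlog on a box that accepts SSH from the Internet and the top of the list is usually exactly the pattern jggimi describes: a handful of addresses cycling through root, test, admin and friends. Whether any of them ever gets in is decided by sshd's configuration (password authentication off, as he notes), not by the length of the list; the pf rule only keeps the log readable.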

6th November 2010
newbsdied
Port Guard
Join Date: Sep 2010
Posts: 11

Ok. I just ran an nmap. These are the ports I have open:
all tcp:
13 - daytime
25 - smtp
37 - time
113 - auth
587 - submission
6000 - x11

I only use this as a workstation. Which can I close? I don't need server services. I just browse the web. Can I close all of them? Are these open by default? I am running KDE and Firefox.

I still have to go through tcpdump. I think I will look at the RST packets. Does that seem right?

Port 13 is ntp, right? Why do I need 37?

6th November 2010
BSDfan666
Real Name: N/A, this is the interweb.
Banned
Join Date: Apr 2008
Location: Ontario, Canada
Posts: 2,223

No, ports 13 and 37 are older simple time protocols.. these are offered by the inetd(8) daemon and are enabled by default, there is no harm leaving them running.

How did you carry out this scan? if you're behind NAT these services will not be exposed publicly.. and by default, ports 25/587 (..smtp/sendmail) are bound only to localhost for logging and are not exposed over the network at all.

Port 6000 is for networked X connections, the default pf.conf blocks all non-localhost connections to this port (..actually, a range).. typically people use SSH now to do remote X as the protocol offers no encryption.

If you're receiving a lot of unsolicited traffic (..DoS) it will probably be ICMP packets, these are pretty much harmless to any modern OS, once upon a time legacy OSes had a very hard time dealing with specially crafted packets.. really though this is not a security risk anymore only a nuisance, and it happens all the time to everybody with a persistent connection to the Internet.
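To check BSDfan666's point that a port listed by a local nmap run is not necessarily exposed, the following added example (not code from the thread or from OpenBSD) classifies listening sockets by the address they are bound to. The netstat lines are constructed to mirror the ports the poster listed and are not from a real machine; the parser assumes OpenBSD's netstat -an -f inet column layout.

```shell
#!/bin/sh
# Added example, not code from the thread or from OpenBSD: classify the
# listening sockets reported by netstat(1) as localhost-only or reachable on
# every interface, so a port seen by a local nmap run can be told apart from
# one actually exposed. Parsing assumes OpenBSD's "netstat -an -f inet" layout.
#
# On a live system:   netstat -an -f inet | listeners

# Constructed netstat output (not taken from a real machine), mirroring the
# ports the poster listed plus one established connection and one UDP socket.
SAMPLE='Active Internet connections (including servers)
Proto   Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp          0      0  127.0.0.1.587          *.*                    LISTEN
tcp          0      0  127.0.0.1.25           *.*                    LISTEN
tcp          0      0  *.113                  *.*                    LISTEN
tcp          0      0  *.37                   *.*                    LISTEN
tcp          0      0  *.13                   *.*                    LISTEN
tcp          0      0  *.6000                 *.*                    LISTEN
tcp          0      0  192.168.1.10.49152     93.184.216.34.80       ESTABLISHED
udp          0      0  *.514                  *.*'

# listeners: reads netstat text on stdin; prints "proto port scope" sorted by
# port, where scope is localhost-only or all-interfaces. TCP sockets count
# only in LISTEN state; UDP sockets count when they have no peer (*.*).
listeners() {
    awk '($1 == "tcp" && $6 == "LISTEN") || ($1 == "udp" && $5 == "*.*") {
             n = split($4, p, ".")
             port = p[n]                                   # last dotted component
             addr = substr($4, 1, length($4) - length(port) - 1)
             scope = (addr == "127.0.0.1") ? "localhost-only" : "all-interfaces"
             print $1, port, scope
         }' | sort -k2,2n
}

# reachable_ports: just the port numbers bound to every interface, i.e. the
# ones a pf rule or the service's own configuration has to account for.
reachable_ports() {
    listeners | awk '$3 == "all-interfaces" { print $2 }'
}

printf '%s\n' "$SAMPLE" | listeners
```

Ports bound to 127.0.0.1, like 25 and 587 here, are reachable only by programs on the same machine, which is the default arrangement BSDfan666 describes; ports bound to * accept connections on every interface and are the ones a firewall rule or the service's own configuration has to cover. The daytime and time services on 13 and 37 come from inetd(8) and stop listening once their lines in /etc/inetd.conf are commented out and inetd is sent a SIGHUP to reread the file.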