A blast from the past to seed the story database. This article was first published on our old web site on Nov 26, 2000. Today it's still as funny and as illuminating as ever.
One day on my internal-network workstation I was playing with a GUI front end I found for the nmap port scanner. So I point the program at the server and tell it to scan it. I see the usual ports but -- hey, what's this? I've got two NetBus ports open at 12345 and 12346, and I've also got an Elite port open at 31337. That shouldn't be! Good God, I've been cracked!
I immediately unplug the server from the net and start to think about how I'm going to tackle this. I first decide that I don't want to risk anything, and that I'd rather take a hammer approach to security than to sort through this server file by file. I want to minimize my downtime because as I sit here unplugged from the net, who knows what's happening to my mail.
My file system is broken down into several partitions including /, /usr, /var, /tmp, /home, and /home/ftp/pub. I decide I'm going to solve my initial security problems by zapping partitions. A full reinstall from known clean sources is the only real way to know you fully eliminated a cracker's threat. So I'm going to fsck partitions and be done with them (and any potentially bad programs they may contain). This means that any potentially modified executables and/or security holes will be wiped out by a full reinstall of the operating system.
Oh my God, that's a lot of work! I've customized Apache and have tweaked dozens of files and programs. But will I ever be confident of ridding myself of this cracker unless I bite the bullet and do a full reinstall?
I decide that I'm not going to wipe out the /home and /home/ftp/pub subdirectories. But this makes me nervous. Who knows, the cracker(s) could have installed SUID binaries somewhere on those partitions or could have done who knows what else. I figure that shouldn't be much of a security risk -- I have very, very few executable files under /home and so I calculate that with a good, thorough job of checking for oddities in that subdirectory tree I can feel confident with the files that live there.
Before wiping things out I decide to copy a few configuration files from /etc into a subdirectory on the /home drive -- full backups are useless to me because who knows if the backup tapes are contaminated or not. I grab a few selective files: fstab, exim.conf, lilo.conf, smb.conf, etc., and check each file closely for oddities after copying them -- okay, they're only text files but I feel it's a case of "better safe than sorry."
Which brings me to my next point: I'm an idiot!
I know something about security -- not a lot, but something -- and thinking back on my treatment of this server I broke many rules. First of all, it's a firewall/server box. It should have as little as possible installed on it. I broke that rule in a major way.
Debian GNU/Linux makes it almost too easy to install packages into a system. So I wound up playing with all sorts of stuff. I'd see an interesting package in the Debian distribution (and with about 5000 packages, believe me, there is plenty that's interesting!) and I'd install it. Stupid of me to do on a firewall box. Even worse, I'd forget to uninstall packages! There were probably more security holes through just the web server than I care to imagine.
I also got lazy -- pathetically lazy. I wasn't in a habit of checking my logs, nor of doing regular port scans and checks of the firewall box. My firewall script was written, modified at a whim, and not gone over thoroughly enough. I made many errors in my basic conceptual approach to security. Again, stupid of me.
So, back to the story... Now I have the box unplugged from the net and a few basic config files ready to go. I've made a mental determination that this box is going to be far cleaner than my past one.
For example, I decide to do away with X. While X is not really a security hole, I decide that getting rid of X will in itself help me to keep the "software clutter" on the machine down.
I also decide: I'll install the kernel sources long enough to compile a custom kernel and then I'll purge the C compiler and all development utilities. I decide that I'll thoroughly check my firewall script. I make an oath to myself that I'll only install as little software as possible on the firewall server. Yes, this still isn't a perfect scenario -- in a perfect world I'd have no services running on the firewall box but hey, this is a home toy server. I calculate that by sticking to my new approach I'll be far, far more secure.
Of course, I've got plenty of time to think about this, because by now I'm rebooting off a newly created floppy and am reinstalling GNU/Linux.
Through the reinstall I fsck my partitions and mount them back into place. With a Debian install, this means smacking ENTER a lot. That's good, I deserve some punishment for being so stupid. In a short time I'm back up and ready to go back online.
Debian GNU/Linux makes fairly good security choices about its installation -- that's one of the things I like about Debian. But even though I selected the absolute minimum install of Debian, I see that it still wound up giving me far more than I want or need. No problem, a few minutes in "dselect" and one can do wonders about excess packages.
After a golden opportunity to rethink the way I want to do security, I wind up with a system that's back up and running somewhat similarly to the way it was. I'm also humbled at what could have happened. I'm reminded that I know pathetically little about GNU/Linux, IP, and security. Who knows what some cracker was using my system for? Will I get a knock on my door tomorrow with a complaint that I was trying to break into some bank in Europe? I certainly hope I don't get that knock, but it's quite possible...
Comfortable with my new clean system I discovered something else about myself: Not only am I an idiot, I'm a moron.
Yes, I'm a complete, bloody moron. I'm so much of a moron I have to shout to all the other morons on the planet: "You may be a moron, but I am your king!" Yes, I am the King of Morons!
After my new machine is up and running, I, of course, am checking it religiously with nmap scans and any other security tool I can figure out how to make work. During this process I am also perusing the huge list of Debian packages, and occasionally -- keeping in mind my new attitude towards not installing junk -- installing security-related packages.
This is when I make my discovery. I never was cracked! No one ever got into my system. I did a complete reinstall of a working system for absolutely nothing!
You see, one of the security packages which I installed opened up several ports, such as the NetBus and Elite ports I mentioned. This package would then log various attempts to those ports to inform the SysAdmin who was attempting to use those ports.
Me, being the "King of Morons", did not bother to check exactly what this package did. As I said, I was routinely in the habit of installing software "to play with" and time constraints usually kept me from actually playing with that software. So I had installed a package which opened these ports up and did not know it.
I freaked out seeing these open ports, ports which were opened by a package that I ignorantly installed! Yes, I am the King of Morons!
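The check that would have saved the weekend: before pulling the plug, map each listening port to the local process that holds it, then ask dpkg which package installed that executable. This is an added example, not code from the original article; it assumes a modern Linux with `ss` and `dpkg`, and the `ss -ltnp` output and the daemon name "portwatch" are constructed stand-ins for whatever port-logging package was actually installed.

```shell
#!/bin/sh
# Added example: identify who owns a listening port before assuming a break-in.

# Constructed sample of `ss -ltnp` output from a host where a hypothetical
# port-logging daemon "portwatch" is sitting on the NetBus and Elite ports.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*     users:(("sshd",pid=412,fd=3))
LISTEN 0      5      0.0.0.0:12345       0.0.0.0:*     users:(("portwatch",pid=873,fd=4))
LISTEN 0      5      0.0.0.0:12346       0.0.0.0:*     users:(("portwatch",pid=873,fd=5))
LISTEN 0      5      0.0.0.0:31337       0.0.0.0:*     users:(("portwatch",pid=873,fd=6))'

# port_owner PORT [SS_OUTPUT]: print "process pid" for a LISTEN socket on
# PORT, or "unknown" if nothing local is bound there. Without a second
# argument it queries the live host with `ss -ltnp`.
port_owner() {
    port="$1"
    input="${2:-$(ss -ltnp 2>/dev/null)}"
    printf '%s\n' "$input" | awk -v p="$port" '
        $1 == "LISTEN" {
            n = split($4, a, ":")            # last field after ":" is the port
            if (a[n] != p) next
            if (match($0, /\("[^"]+",pid=[0-9]+/)) {
                s = substr($0, RSTART + 2, RLENGTH - 2)   # name",pid=NNN
                sub(/",pid=/, " ", s)        # -> name NNN
                print s; found = 1; exit
            }
        }
        END { if (!found) print "unknown" }'
}

# owning_package PID: resolve the process to its executable via /proc and ask
# dpkg which package shipped it (live system only; an unowned path means the
# binary did not come from a Debian package and deserves a closer look).
owning_package() {
    exe=$(readlink -f "/proc/$1/exe" 2>/dev/null) || return 1
    dpkg -S "$exe" 2>/dev/null | cut -d: -f1
}

# The three ports that started the panic, checked against the sample.
for p in 12345 12346 31337; do
    echo "port $p -> $(port_owner "$p" "$SAMPLE_SS")"
done
```

On a real host, run `port_owner 31337` and feed the reported pid to `owning_package`; a port held by a packaged, deliberately installed daemon is a very different finding from one held by a binary dpkg has never heard of.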
So what's the moral of this story?
First, adopt good security policies. They aren't a cure-all but at least they'll increase the odds that you can avoid that sick feeling in your stomach as you waste a Saturday reinstalling your system.
Second, pay attention to the software you use and install. Just because apt makes it so easy to install software, don't install it for the heck of it. Everyone knows about the learning curve of Linux/Unix -- it's a bitch. But hey, you have to pay the piper -- read up on the ChangeLogs and READMEs of the software you install or don't bother to install it.
And most importantly remember this: For those of you out there that are feeble-minded, I AM YOUR KING!