Re: [cobalt-users] Installing SSH2, IPChains, Portsentry, Logcheck, Tripwire, Chkrootkit, Lionfind, Whois, lcap and more
- Subject: Re: [cobalt-users] Installing SSH2, IPChains, Portsentry, Logcheck, Tripwire, Chkrootkit, Lionfind, Whois, lcap and more
- From: "Zeffie" <cobalt-proj@xxxxxxxx>
- Date: Mon Apr 30 06:44:23 2001
- List-id: Mailing list for users to share thoughts on Cobalt products. <cobalt-users.list.cobalt.com>
Just crashed and lost my reply.... take two.
> > I'll give you a D- ... See below.... :)
>
> Ouch! I haven't gotten a D- in years! (Then again I haven't been to
> school in years...)
>
> > > Get SSH2:
> > -4 (was 5)
> > you just gave your hacker a client
>
> Better than a telnet client though, yes? Or do you mean that I let
> him know exactly what I was using, so *that* is how I gave him a
> client?
> I have to have a client to get into the machine (it's not where I'm
> at) - so that security risk is necessary.
No, you have them confused.... you need the server running.... the client is
used only if you want to ssh to another box from there.... if you have 3 or 4
hackers logged in and you're trying to kill them you don't want them running
anything like an scp..... and if you want to ssh or scp from one box to
another you need it in at least one place....
>
> > If it works, add the SSH to the startup files:
> > -5
> > Messy way to do it... and you shouldn't count on it....
> > did you chkconfig?
>
> I don't believe so, but I did test it thoroughly before adding it to
> the startup files - including restarting the machine to make sure it
> would still let me back in.
> Do you mean that putting that line into rc.local is messy? I'm
> looking at my other server now, and that's how you did it... *grin*
Yes, that's correct and I have updated the way I do that. ssh comes with a
very nice init script now...
and that's the right way to do it.... I would have fixed yours but I was
waiting to have a conversation with you before I did...
> > > change it to something like :
> > > Port 52
> > > Protocol 2
> > -5
> > Misleading
>
> Exactly! Why have it running on the same port everyone else is running
> on?
> Btw, these are instructions that I followed from the security list; I
> didn't make 'em (I can go dig up who did though if you wanna bonk them
> over the head).
Right... the thing is though that we understand that port 52 is open and we
can use it, but others might think this means they have to change it and it
might leave them sitting in front of their computer wondering why they can't
connect....
> > > Locate the start script in /etc/rc.d/rc3.d
> > > and type something like ./S55sshd restart
> > -5
> > Misleading
>
> How? You are putting 'misleading' for a lot of this stuff, but I don't
> understand what you mean. I'm a Scorpio and a brain-frazzled mother.
> Cryptic is not good. :)
You started the program in a non-standard way...
/etc/rc.d/init.d/program start
is the best way for newbies to learn.
> > > To get Webalizer to run before logrotate, rename it:
> > > # mv /etc/cron.daily/webalizer.pl /etc/cron.daily/awebalizer.pl
> >
> > -15
> > Misleading
> > outdated software
> > This isn't the best solution even if it was mine....
> > (still doesn't work)
>
> It works fine for me, always has. I'm not putting in the newest
> version of Webalizer until I read here in the list that most of the
> people who've tried doing it aren't reloading their systems anymore.
> It has seriously screwed up a *lot* of systems while you've been away.
Yep, and I just got another one to fix.... ok this was really good before
Outlook crashed....
I was going to post this and this seems a good enough place.
The log rotation on the RaQ4 is messed up for high traffic sites....
logrotate splits the logs and rotates the access file and then the sites file,
so if a site makes a large "web.log" file during the it gets rotated too....
and webalizer has nothing to work with.
If you
mv /etc/logrotate.d/apache /etc/logrotate.d/zapache
then the sites rotate, the logs split, apache rotates and webalizer has
data....
You need to do this in onboot too, and the catch is that stats are not
generated for a day....
This should be done on new boxes... on old boxes you need to have an "alizer"
and "webalizer" for a day or two to save all stats.
(I explained this better last time but I'm rushing.)
> > > To get it to leave statistics on heavy-traffic sites, go into
> > > /etc/webalizer.conf and set Incremental to 'yes'.
> > -5
> > Misleading
>
> Again, how? It works.
This should always be set to incremental regardless of the amount of traffic.
>
> > > Restarting inetd after dropping some new entries into hosts.deny:
> > > # /usr/sbin/inetd restart
> > -5
> > Misleading
>
> How?
> Is this the wrong command?
inetd stuff checks the hosts.deny every time.... you don't have to restart
it.
> > > ftp://rpmfind.net/linux/redhat/6.2/en/os/i386/RedHat/RPMS/ipchains-1.3.9-5.i386.rpm
> > -10
> > Who made this rpm for you? (The guy in france?)
> > What files did it install..... oh that virus one.....
>
> I use rpmfind when I can't find it anywhere else. I consider it a good
> source?
> Besides, I can't afford to pay people to make rpms for me... :)
I lost what I had here before...
Umm, the thing is you should never use an rpm or binary that you haven't run an
md5 checksum on... and you don't know the creator or home of the package....
>
> > > # mv ipchains-1.3* ipchains-1.3.rpm
> > > # rpm -i ipchains-1.3.rpm
> > -5
> > Misleading
>
> How?
You renamed it and you didn't have to.... rpm will actually take care of
a lot of the renaming.
> > > IPChains is now installed. The startup script is in /etc/rc.d/init.d
> > > as ipchains
> > > or
> > > # service ipchains start
> >
> > -5
> > Incorrect startup
>
> That's the command I was given, I'll check it - it does try to start
> the program (and stops for me, but works for at least one other person
> that I know of).
Sorry, don't have the original handy to go back to this one....
>
> > ipchains
> >
> > > # make clean (my raq grumbled at me with this)
> > > # make (some notes, more grumbling)
> > Not quite sure what problem you were having
>
> That makes two of us. :)
I have another 4 to do... I'll look into it....
>
> > (portsentry)
> > > (Dunno why, but I had to get the 'portsentry' file from old machine
> > > via ftp and drop it in this directory for install to work)
> >
> > -15
> > no make
> > no/bad config
> > Misleading
>
> No make - you've got me there.
You didn't make the binary..... i.e. in general:
./configure
make <<< makes the thing
make install
> No/bad config? Portsentry comes with default configurations set that
> most users won't need to change, unless they want to go to 'anal'
> mode, or switch things to send to ipchains. For the average user,
> there is no config necessary.
No, they need to turn on routing, or ipchains, or whatever, and they need
to remove port 143
at a minimum.
> > > LogCheck:
> > -10
> > No Config
>
> I should put in a disclaimer that I config after making sure the
> install goes correctly, I suppose.
> Spent too much time configuring stuff that wouldn't install correctly,
> had to do it all over again - now I just let it install and then go in
> and make the changes that I want. Saves a lot of time.
Oh well, the logcheck.ignore and violations files need to be made into a
Cobalt version, or maybe teach everybody how to edit the file.... it is all
covered on the psionic site.....
>
> > > # pico /root/crontab
> > -10
> > dangerous
> > unnecessary
>
> Dangerous how?
> Unnecessary how?
> If someone doesn't understand the ins and outs of crontab, this works
> just fine.
> I am one of those people. :)
> crontab -e gets me nothing but a screen of blue wiggly lines, and
> whenever I try to put in my cron command it bitches at me. (Then I
> can't get out of the damn thing.)
Try :q!
Oh well, I am a bit partial to making a link and not another file to deal
with.
>
> > Well, that's enough ... I have to get back to what I'm supposed to be
> > doing....
>
> I'd really appreciate it if you clarified a bit more here.
> I can't fix what I'm doing wrong unless you tell me what I'm doing
> wrong... and "misleading" is rather... well... misleading. :) It
> makes me think I did something wrong, but I have no idea what exactly
> you're unhappy with.
Yep, that's how my teachers did it....
The first revision of this had some very long answers but it crashed :(
I'll try to follow this up with a call so we can get everybody up and
running fast and easy.
The first copy was more funny and much better desc...
Zeffie
http://www.zeffie.com/
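The point above about never installing an rpm you haven't run an md5 checksum on, as an added example that is not part of the original post: a small sh wrapper that compares a downloaded package against the digest published by its origin and refuses to hand the file to rpm when they differ. The function names, the `install_verified` wrapper and the use of `rpm -i` / `rpm --checksig` are my assumptions, not commands from the thread.

```shell
#!/bin/sh
# Added example (not from the list post): gate package installation on an
# MD5 digest match. The expected digest must come from the package's origin
# (the vendor's checksum file or announcement), not from the same mirror
# the package was fetched from, otherwise both could be altered together.

# Compute the MD5 digest of a file; works with GNU md5sum or BSD md5.
file_md5() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | awk '{print $1}'
    else
        md5 -q "$1"
    fi
}

# verify_package FILE EXPECTED_MD5
# Returns 0 when the digest matches, 1 otherwise. Never runs rpm itself.
verify_package() {
    pkg=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')   # normalise hex case
    [ -f "$pkg" ] || { echo "no such file: $pkg" >&2; return 1; }
    actual=$(file_md5 "$pkg")
    if [ "$actual" = "$expected" ]; then
        echo "OK: $pkg md5=$actual"
        return 0
    fi
    echo "MISMATCH: $pkg expected=$expected got=$actual" >&2
    return 1
}

# install_verified FILE EXPECTED_MD5
# Hypothetical wrapper: install only after the digest check passes. A package
# that is also GPG-signed can additionally be checked with: rpm --checksig FILE
install_verified() {
    verify_package "$1" "$2" || return 1
    rpm -i "$1"
}
```

Running `verify_package ipchains-1.3.9-5.i386.rpm <digest>` before `rpm -i` is the whole check; the wrapper just makes it impossible to skip.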