Gustin, I'm just jerking your chain :)

> the default on Ubuntu is to not enable root logins btw

I understand that. However, the service that I used for this box does the remote builds with root account enabled. The owner of the build is then obligated to log in after build, create user accounts and disable root ssh access. I just left it that way.

> I have both Windows and Linux machines with services that are naked to the Internet
> Also, Ubuntu 8.04 is really equivalent to Windows Vista on the Desktop

Well, are you, or is anyone else out there, willing not only to provide services but to give the world a freakin' login to your Windows box? How long do you think a standard Vista or Win 7 machine would last if you did that?

While someone was creative enough to fill up the hard drive on the 8.04 server I set up, the box is still running, apache is still serving and no one has yet to PWN the box. There is some crazy cat process melting a hole in the CPU right now but it just keeps serving ... sort of :)

Does anyone out there want me to install a C compiler on this box to make your PWNing efforts easier?

Oh, and Gustin, I know you're not a Windows lover, Dafydd vouched for ya :)

Anyway, if someone does PWN this box, it would be valuable to the rest of us to know how you did it. I am willing to install pretty much anything anyone wants to make this box more vulnerable.

Ciao,
Greg

On 5 May 2010 12:13, <gus...@echostar.ca> wrote:

> Nice and mature, thanks for making my point for me.
>
> I won't bother logging in, since the Internet will take care of this for me. Install some crappy php based web software, apache, and disable php safe mode (which is usually required by said crappy php code), and start a timer. You should only need a few seconds to get a worm.
>
> As I said it really comes down to configuration. I have both Windows and Linux machines with services that are naked to the Internet. It almost always comes down to configuration these days.
>
> Also, Ubuntu 8.04 is really equivalent to Windows Vista on the Desktop, both of which are still getting security updates (8.04 is my goto release for servers until the next LTS stabilizes). Other than the root login via ssh, what you have deployed is reasonably safe (the default on Ubuntu is to not enable root logins btw). If you want to be ballsy, do the same thing with Debian sarge or woody. The first time I was hacked was when I was running Red Hat 5.2, I am sure it is still vulnerable.
>
> I am a little curious about the windows lover moniker you have given to me. I am nothing of the sort. You did provide some laughter at one of my clients today (a mixed environment btw) where my nickname is "Windows poison". Thanks for that.
>
> Now back to work. Today I get to integrate Apache with Active Directory for a single sign on thingy, of course to make it interesting Apache is running on Linux. Should be a fun afternoon messing with Kerberos, Samba, and Apache.
>
> On Wed, 5 May 2010, Greg Saunders wrote:
>
>> Date: Wed, 5 May 2010 10:33:03 -0600
>> From: Greg Saunders <g...@taord.com>
>> Reply-To: CLUG General <clug-talk@clug.ca>
>> To: CLUG General <clug-talk@clug.ca>
>> Subject: Re: [clug-talk] Bashing Windows out of ignorance
>>
>> Here ya go CLUG. For fun, I've set up a base build of Ubuntu 8.04. I purposely chose an old release and haven't applied any security updates.
>>
>> I've done a standard apache, php, mysql install. I've also installed webmin. I've done absolutely nothing to harden this box. I haven't even disabled ssh root logins. There are no iptables rules, nothing. The box is wide open ... ass hanin' in the wind so to speak.
>>
>> pwn me! pwn me! pwn me!
>>
>> The IP address is: 173.45.247.24
>> The hostname: gustin.taord.com
>>
>> Aside from the root account, there are two additional user accounts set up:
>>
>> user: clug
>> password: linuxluver
>>
>> user: gustin
>> wind0zeluv3r
>> (that's a zero in there)
>>
>> If you want any additional software installed on here to make it more unstable ... let me know.
>>
>> Please don't change the password for the "clug" user ... I want anyone who wants to, to be able to get on the box.
>>
>> Gustin --> if you want to log in and change the password for the "gustin" user account, please feel free :)
>>
>> The point of all of this is: I hope someone will pwn this box and tell the rest of us how you did it. It would be a real education ... I mean that.
>>
>> There is a file in the root home folder:
>>
>> r...@gustin:~# ls -l
>> total 4
>> -rw------- 1 root root 29 May 5 16:20 pwnme.txt
>> r...@gustin:~#
>>
>> Post the contents of that file to this thread and you've obviously acquired root privileges.
>>
>> I'm not a Windows hater ... I simply don't waste my time with it. I also seriously doubt any sane Windows admin wouldn't do what I've just done here ... the sun wouldn't set before someone baked the Windows machine at 450 degrees for half an hour.
>>
>> Now I have real work to do ... gotta keep the lights on :)
>>
>> Ciao,
>> Greg
>>
>> On 4 May 2010 22:36, Gustin Johnson <gus...@echostar.ca> wrote:
>>
>>> On 10-05-04 06:39 PM, Greg Saunders wrote:
>>>
>>>> I'm starting a new thread because I didn't want to hijack TekBudda's original thread re: Query: Mac & Windows Diagnostics Tools.
>>>>
>>>>> Uh, there is a lot of preventative measures that one can take with Windows
>>>>
>>>> True:
>>>>
>>>> 1. run the windoze machine stand alone ... do not connect it to the internet or
>>>
>>> Same goes for a Linux machine. Anything directly connected to the internet requires management.
>>> One mistake is all it takes, regardless of the platform.
>>>
>>>> 2. install zero software on it ... keep to Notepad, Write and Minesweeper for entertainment, oh yea, don't connect it to the internet or
>>>
>>> This is good advice for Linux too. Install only what you need.
>>>
>>>> 3. format c: ... install Linux
>>>
>>> Linux can be easily pwned. Just like nearly everyone else these days, it all depends on how you configure it.
>>>
>>>>> I am tired of the FUD thrown over the fence by the FLOSS people
>>>>
>>>> We're the same people that insist that the sun rises in the East every morning. We call a spade a spade.
>>>
>>> That is all nice to say, but stop living in 2001. XP is not reflective of the current state of things. I don't care if you like Windows or not. In fact I don't like using it, but we should not be throwing FUD around.
>>>
>>>>> Bashing Windows out of ignorance does not get us anywhere and just makes us look childish.
>>>>
>>>> Some of us actually bash Windoze because of first hand experience. My most recent experience (still ongoing) with a client was/is their IT staff trying to get a new Win 7 machine setup with x64 print drivers that actually work ... not to mention that there was no way in hell that they could get another Win 7 machine working with the KVM switch a certain user was using for flipping between a few desktops in their office. It goes on and on and on.
>>>
>>> I have a lot of the same problems with Desktop Linux. I have 4 printers at home, only the oldest one currently works with Linux. Day in and day out I manage hundreds of machines running a variety of operating systems (Windows and Linux make up the two largest groups). They both have their strengths and weaknesses, but the security footprint differences are far smaller than most people realize.
>>>
>>>> Or (just a couple of months ago) at another client, where a half dozen Windoze guys were onsite from a prominent IT services company here in Calgary trying to stop some worm that was propagating through the network ... the best they could do was unplug network cables and deal with each desktop individually.
>>>
>>> That is pretty much how you should be dealing with a worm infection (assuming that you do not have an IPS that switches infected machines to a different VLAN). It sounds like this guy does not actually know how to respond to security incidents. To be fair, most so-called IT people really know very little about security or proper incident response.
>>>
>>> We can swap anecdotal stories all night and not get anywhere.
>>>
>>>> Oddly, all these guys were in my age bracket (35ish, 40ish) but I was the only one who had any hair left. No word of a lie. And I can tell you I did not make any friends with these "make work b*st*rds" when I pointed that out:
>>>
>>> I still have hair at 34, what is the point?
>>>
>>>> "Hi guys, I guess Linux = hair", that did not go over well. I thought it was funny at the time ... couldn't contain myself :)
>>>>
>>>> Yea, I got the same "You FLOSS zealot b*st*rd" thrown at me that Gustin tossed out earlier ... but ... whatever.
>>>
>>> Actually I never did say that.
>>>
>>>> Look, I understand that Windows is a reality (in North America anyway). Keep the install base small ... sure ... makes wipe and reloads easier ... images smaller.
>>>>
>>>> Windows is a make work project, plain and simple. Any advocate for such substandard technology either punches a clock for a living or hasn't figured out (or doesn't want to figure out) how to survive in the OSS/FLOSS world.
>>>
>>> My experiences are different.
>>>
>>>> Greg's "windows preventative measure" is "don't waste your time".
>>>
>>> No, that is FUD plain and simple.
>>>
>>>> That's not being "childish" ... it's how I've kept my sanity and supported a wife and four kids for the last 10 years. Stick that in your "there is a lot of preventative measures that one can take with Windows" pipe and smoke it.
>>>>
>>>> Hey ... this might come across a little harsh (zealotish), oh well, smile, I am.
>>>
>>> I am a FLOSS advocate and user. In fact I reach for FLOSS solutions first if that is an option. This is one of the rare times that I am on this side of the fence for this argument. I have to say it feels a little weird.
>>>
>>> _______________________________________________
>>> clug-talk mailing list
>>> clug-talk@clug.ca
>>> http://clug.ca/mailman/listinfo/clug-talk_clug.ca
>>> Mailing List Guidelines (http://clug.ca/ml_guidelines.php)
>>> **Please remove these lines when replying