Ubuntu Security :: How To Reset / Allocate IP Address
May 19, 2011
For a while now, I have been trying to reset my IP address in Ubuntu but I have had no luck. The reasons why I want to reset it and get a new one is because my service provider waits weeks to change it. I am concerned it has fallen into some unsavory hands. Also, can you be hacked if the would-be attacker is unaware of your IP address? Are there other means of locating your computer on the web without an IP address or webserver?
Im an academic (university networks and security lecturer) studying/teaching network and operating system security, and inspired by the work of Hovav Shacham set about testing ASLR on linux. Principley I did this by performing a brute force buffer overflow attack on Fedora 10 and Ubuntu 9. I did this by writting a little concurrent server daemon which accidently on purpose didnt do bounds checking.
I then wrote a client to send it a malicious string brute forcing guessed addresses which caused a return-to-libc to the function usleep with a parameter of 16m causing a delay of 16 seconds as laid out in [URL] Once I hit the delay I new I had found the function and could calculate delta_mmap allowing me to create a standard chained ret-to-libc attack. All of that works fine. However .... To complete my understanding I am trying establish where I can find the standard base address for ubuntu 9 (and other distros) for the following, taken from Shacham:-
Quote:
[code]....
/proc/uid/maps gives me some information but not the base address ldd also gives me the randomised starting address for sections in the user address space but neither gives me the base address. Intrestingly ... when a run ldd with aslr on for over (about) 100 times and checked the start point of libc I determined that the last 3 (least significant) hex digits were always 0's and the fist 4 (most significant) where between 0xB7D7 and 0xB7F9. To me this indicated that bits 22-31 were fixed and bits 12-21 were randomized with bits 11-0 fixed. Although even that doesnt define the boundaries observed correctly.
Note: I am replicating the attack to provide signatures to detect it using IDS, and for teaching purposes. I am NOT a hacker and if needed to could reply from my .ac.uk email address as verification.
I was curious if anyone has addressed this issue before. I have set the permissions to /var/log/Xorg.0.log as follows:
Code: -rw-r----- 1 root root 00000 Jan 00 00:00 /var/log/Xorg.0.log I have done a lsof and the file is being opened by root. I have set Roots umask to 0077, yet after a reboot
Being able to reset the root password by booting into single usermode by editing grub. This is a MAJOR flaw. I know it makes no real difference against internet bourne attacks, but even so I must say I found it shocking. The only way I've found to stop this is to encrypt the entire HDD, so noone could get into single user mode without first knowing the encryption key/password.
I'm unable to reset using either the reset option in gnome shell or the command using a terminal. When I select it the shell exits and displays the graphic "exploding" and then it just sits there. Shutdown works fine; just no reset. Any ideas? I've installed from the DVD. I booted the live CD and it resets just fine so I know it's no my hardware
I wouldn't call myself paranoid, but I do try to keep reasonably secure on my home network (WPA encryption, router firewall, etc.). I also occasionally use nmap to make sure I don't see any unknown computers logged into my network. The problem is I have five computers that all use DHCP on the network and they are not all up all of the time. At most, there are two to three online at any one time.
So, my question is: Do any of the IP addresses remain in the router's database for a computer that has gone offline (shutdown)?
The reason for my question is that today I ran nmap on my home network and noted an IP address that was not currently up on the network. It is, however, an address that is frequently assigned to one of the computers when it is online, but that address was not up at the time I ran nmap. Just trying to make sure my network is not being used by some nearby computer.
I'm behind a modem router with firewall and SElinux enabled by default - but checking my mail this morning I noticed several ' delivery failures ' ( allegedly ) from hotmail referring to mail I hadn't sent. When I checked the spam folder for the on-line side of my mail account there were more failure notices. Two points that may be relevant, one is the recent Hotmail exploit, the other is that this only occurred with the address I use for railway matters, and some people cc to everybody, so it's odds on that address is on a good few computers. On one occassion when I checked my spam folder on-line I found spam which claimed to be from myself, so I know the ' send ' address can be spoofed, is this the explanation, or is it a new kind of attack linked to the Hotmail exploit?
I want to ask about securing the FTP connection... I have one server that Installed with Redhat Linux Fedora 6.
And now, i want to securing the FTP access, so only the selected IP will be allowed to connect. Do anyone know how to do this?
Another thing is, my server using Webmin 1.3 to manage the server and there not installed / not configured yet with Frox FTP, ProFTPD Server, WU-FTP Server... even there is such thing in my Webmin...
Can i make use one of the three FTP i mention above, and if yes, will it be affecting the current FTP access?
I'm assuming that the following should block the complete 178.123.xxx.xxx address range.
Code: iptables -I INPUT -s 178.123.0.0/24 -j DROP Then I believe that I need to save this change.
Code: service iptables save iptables: Saving firewall rules to /etc/sysconfig/iptables:[ OK ]
However, I'm not so sure that it is actually working based on the fact that there continues to be access to my wiki from that address range. The following is after I made the firewall change.
Quote:
178.123.177.61 - - [31/Dec/2010:04:24:40 -0500] "GET /mywiki/Opera%20Web%20Browser?action=edit&editor=text HTTP/1.1" 200 6346 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)" code....
Let me state that I'm new at this iptables thing. I did some reading and decided that I need to make the above change to the firewall but it doesn't seem to make a difference.
I recently set up a web server at home, using a non-standard port, due to my ISP blocking 80. I just checked my log files, and I see a TON of entries indicating that a file was not found "proxy-1.php", "proxyheader.php", etc. I do not have these files, not intend to have them as part of my website. I did a whois looking by IP address for several of these, and they all seem to come from an ISP in China. Is there a way to BLOCK any IP address outside the US (that is somewhat simple to do?)
I am setting up a iptables firewall on one of our servers, and I would like to block a range of addresses from getting into the system. I am using a script that does a BLACKIN and BLACKOUT methodology for specific addresses. One example is the following:
Code:
$IPTABLES -A BLACKIN -s 202.109.114.147 -j DROP ... $IPTABLES -A BLACKOUT -d 202.109.114.117 -j DROP
What would be the correct syntax to use if I wanted to block an entire remote subnet from getting into the server?
I've pruned your post from where you originally posted. In the future, please check the dates on threads which you're thinking about posting in. If you see they are dead (inactive for a few months or more) just let them rest in peace and start your own thread. You can always include links to reference the dead thread if you need to, as I've done here.
I always use professional services to secure my servers. Everything was fine for years but a week ago my server got hacked.I don't know how the hacker got my username/password - it was not something like admin, password.9 months ago my PC was infected with some virus which connected to the FTP server by using password which was saved in CuteFTP and infected all index files with some javascript. Then I changed the user/FTP password and didn't save it anymore in Cute FTP. Of course, I checked all the folders and re-uploaded all infected files. Is it possible that this virus uploaded some hidden file which was able to get the new password for this account?
The server was hacked from so called Tor IP address. I am tiref of worrying about server security and now have an idea to get a static IP address from my ISP and to allow logins only from this IP address. What do you think about it? This idea looks good for me but are there any risks to lose access to the server. Can ISP provider change the static IP address for some reason?
Is it possible to restrict root logons to the SSH server to just a single ip address (or maybe a range?) I have other users connecting to the server daily so restricting ALL access to a single ip i cannot do. I need root enabled (for my own reasons) but want to lock it down a bit more.