(Should Have) Done It Myself

...or... A brief tutorial on Linux security

The events depicted below all happened, but not in the order listed. The first verse should be third; I briefly locked myself out of the computer by deleting /bin/... -- but the verses don't work out well in that order. Such is life.

Lyrics by Rich Brown
Thanks to Mark A. Mandel for suggesting the title
To the tune: "Do it yourself" (Bill Sutton's arrangement of "Macnamara's Band")


I went to my computer and it wouldn't let me in.
"There's something going on here, tell me, when did this begin?"
I popped a floppy in the slot and booted up again.
And scanned my hard disk horrified at all the things therein:

I had a root kit and cracker tools and trojans without end.
The system tools all lied to me, their secrets to defend.
I'm sadder but I'm wiser; now I know beyond a doubt,
I've got to get a firewall to keep the crackers out.

A friend then called me on the phone, said, "I don't mean to whine,
Your system's saying mine is 'dumb' and won't let me run pine."
That may have been by accident, it may have been design.
A cracker may be many things, but none of them benign.

I found a file named  dot dot dot  a-lurking there in bin.
I found two users, tek and own, that I had not put in.
And own's a superuser, so I found to my chagrin,
That I was not the one in charge -- I had an evil twin.

I had a root kit and cracker tools and trojans without end.
The system tools all lied to me, their secrets to defend.
I'm sadder but I'm wiser; now I know beyond a doubt,
I've got to get a firewall to keep the crackers out.

A Californian admin sent these warning words to me,
"I found some probing packets that trace back to your IP.
I bet you're running Red Hat; won't you look in /var/named,
and if my hunch is right you'll find a new directory."

I asked for help and I was told, "You know what you must do;
You'll find it's bind that had the hole that let the cracker through.
Now wipe your disk and start out fresh as if the box were new.
And 'till then disbelieve if it says 'one plus one is two.'"

I had a root kit and cracker tools and trojans without end.
The system tools all lied to me...
(spoken) Wait a minute, I just realized he was right! One plus one isn't two -- in binary, 1 + 1 = 10.

I'm back from the attack now more prepared to face the next.
And when it comes I hope I'll be a little less perplexed.
So if you're running on the Net and don't wish to be vexed,
You'll keep your system up to date so it won't be annexed.
(Or...)
You'll have a root kit and cracker tools and trojans without end.
The system tools'll lie to you, their secrets to defend.
And you could be the next to learn; to know beyond a doubt,
You've got to get a firewall to keep the crackers out.



Lyrics: Copyright 2000, Rich Brown
Use allowed under terms of the Gnu Public License.