Date:      13 Dec 2000 17:32:35 +0100
From:      Dag-Erling Smorgrav <des@ofug.org>
To:        Robert McCallum <robert@cards2talk.com>
Cc:        misc@openbsd.org, freebsd-security@FreeBSD.ORG
Subject:   Re: 911 lockdown!
Message-ID:  <xzpn1e0l1ss.fsf@flood.ping.uio.no>
In-Reply-To: Robert McCallum's message of "Wed, 13 Dec 2000 11:18:55 -0500 (EST)"
References:  <Pine.BSF.4.21.0012131048420.489-100000@www.freebsdbox.com>

Robert McCallum <robert@cards2talk.com> writes:
> [...]

Ideally, you should reinstall the entire system from a trusted source
(preferably an original CD-ROM). That said, I'll give you a few hints
about your open ports:

> Port       State       Service
> 21/tcp     open        ftp

Only allow anonymous logins, if any (add the -A option to the ftpd
line in inetd.conf).

> 22/tcp     open        ssh

Edit /etc/ssh/sshd_config to specify which hosts are allowed to
connect.

> 25/tcp     open        smtp

If you don't need it, set sendmail_flags to "-q30m" so it won't listen
for incoming connections but will still run the queue (so you can send
mail but not receive).

> 53/tcp     open        domain

Is this machine a name server? If it's not, disable named in
/etc/rc.conf. If you just want a caching nameserver, edit
/etc/namedb/named.conf and set listen-on to 127.0.0.1 - but if at all
possible, avoid doing even that.

> 80/tcp     open        http

Is this machine a web server?

> 110/tcp    open        pop-3

Wrap it, and make sure the pop server software is up-to-date; most pop
daemons are notoriously insecure.

> 111/tcp    open        sunrpc

You don't need this. Add portmap_enable="NO" to /etc/rc.conf.

> 143/tcp    open        imap2

Same comments as for pop3. If possible, use Cyrus; most other imap
servers are notoriously insecure.

> 587/tcp    open        submission

This is probably a back door the intruder left behind. Use sockstat(1)
to determine which process owns the socket, and kill it (and make sure
it doesn't restart when you reboot).

> 3306/tcp   open        mysql

Does that machine really need to run mysql? If yes, does it really
need to accept TCP connections? Refer to the mysql documentation for
information on how to prevent it from listening for TCP connections.

> 6000/tcp   open        X11

Why are you running X on a server?

If you really must (you don't, but I won't argue the case), edit
whatever script you use to start X to add the '-nolisten tcp' option
to the server command line.

DES
-- 
Dag-Erling Smorgrav - des@ofug.org
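As an added illustration of the rc.conf and inetd.conf points made in the reply above (example code, not part of the original message), here is a small sh audit that checks copies of those two files for the weak settings DES calls out. The sample file contents are constructed; the configuration keys (sendmail_flags, portmap_enable, named_enable, the ftpd inetd line) are the standard FreeBSD ones.

```sh
#!/bin/sh
# Added example: audit copies of FreeBSD /etc/rc.conf and /etc/inetd.conf
# for the weak settings discussed in the reply. Point RC_CONF and
# INETD_CONF at the real files on a host you administer; by default it
# writes constructed sample files so it runs offline.
RC_CONF="${RC_CONF:-$(mktemp)}"
INETD_CONF="${INETD_CONF:-$(mktemp)}"

# Constructed sample files reproducing a weak configuration.
cat > "$RC_CONF" <<'EOF'
sendmail_flags="-bd -q30m"
portmap_enable="YES"
named_enable="YES"
EOF
cat > "$INETD_CONF" <<'EOF'
ftp     stream  tcp     nowait  root    /usr/libexec/ftpd       ftpd -l
EOF

# Print one "FINDING:" line per weak setting found (exit status is always 0).
audit_config() {
    # ftpd without -A accepts real user logins over cleartext FTP.
    if grep -E '^ftp[[:space:]]' "$INETD_CONF" | grep -qv -- '-A'; then
        echo "FINDING: inetd.conf enables ftpd without -A (anonymous-only)"
    fi
    # -bd makes sendmail listen on 25/tcp; "-q30m" alone only runs the queue.
    if grep -E '^sendmail_flags=' "$RC_CONF" | grep -q -- '-bd'; then
        echo "FINDING: rc.conf sendmail_flags contains -bd (listens on 25/tcp)"
    fi
    # portmap (sunrpc, 111/tcp) is not needed on a standalone server.
    if ! grep -qE '^portmap_enable="?NO"?' "$RC_CONF"; then
        echo "FINDING: rc.conf does not set portmap_enable=\"NO\" (111/tcp)"
    fi
    # named (53/tcp) should be off unless this host is a name server.
    if grep -qE '^named_enable="?YES"?' "$RC_CONF"; then
        echo "FINDING: rc.conf sets named_enable=\"YES\" (53/tcp)"
    fi
    return 0
}

audit_config
```

Running it against the constructed files reports four findings; after applying the fixes from the reply (ftpd -A, sendmail_flags="-q30m", portmap_enable="NO", named_enable="NO") it reports none.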
