From owner-freebsd-security Wed Dec 13 8:43:19 2000 From owner-freebsd-security@FreeBSD.ORG Wed Dec 13 08:43:14 2000 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mail.wlcg.com (mail.wlcg.com [207.226.17.4]) by hub.freebsd.org (Postfix) with ESMTP id 107BC37B402 for ; Wed, 13 Dec 2000 08:43:13 -0800 (PST) Received: from localhost (rsimmons@localhost) by mail.wlcg.com (8.11.1/8.11.1) with ESMTP id eBDGgt617561; Wed, 13 Dec 2000 11:42:55 -0500 (EST) (envelope-from rsimmons@wlcg.com) Date: Wed, 13 Dec 2000 11:42:55 -0500 (EST) From: Rob Simmons To: Robert McCallum Cc: freebsd-security@FreeBSD.ORG Subject: Re: 911 lockdown! In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org I have a couple of suggestions for securing the server in the future. You should run the SSL version of pop and imap, or use stunnel to make an SSL wrapper for these services. In an optimal situation, you should only allow access to the SSL service, or at least only allow users that are behind the firewall to access the non SSL services. I would also disable ftp. You can run sftp through OpenSSH now, just look at /etc/ssh/sshd_config the last couple of lines should be uncommented out for sftp. Another option to that, if you are against running SSL version 2, is to install the package lrzsz and use that over an ssh session to transfer files. Z-modem is supported by most windows ssh clients, and in unix you just need the lrzsz on both ends of the connection. As for the MSA (Mail Submission Agent) on port 587, you can read about it in http://www.faqs.org/rfcs/rfc2476.html. It is unfortunately not implemented in many email clients at this time, and actually, if you find a good client that supports it let me know. Also, if your box has been broken into, its good policy to reinstall it from the ground up, since you never will know how deep the person got into your system, or whether the "sloppyness" is just a cover to make the admin of the machine believe that they have found all the problems. Robert Simmons Systems Administrator http://www.wlcg.com/ On Wed, 13 Dec 2000, Robert McCallum wrote: > > My DNS/MAIL/WEB server was hacked recently, I don't believe they 'rooted' > the server 'yet'. But I do see that they have obtained access to a user > account. It apears they cracked a users account which I found out that one > of my users did not adhere to our security policy and set a password that > was not in accordance to our password policy. > > I did find the crackers address, although he did attempt to clean-up after > himself, he was not very good. > > The machines were up aprox. 1 month and are not behind a firewall as of > yet. The delay of setting up a firewall ( which there is no excuse ) is > due to the fact that we are moving to a new office and leasing bandwidth > from a different service provider. Who is going to assign us a new block > of IP's. Laziness is the cause of this break-in. > > I lack the hardware to setup a firewall/router at this time. the only > thing I can do is firewall the server itself. I have already wrapped and > disallowed access to many services from outside our subnet, but this does > not seem to be sufficient since so ports are still open and can be > accessed such as, X11 on 6000, SMTP 25, IMAP on 143, etc. I also noticed > that on port 587 the service named 'submission' is open ... and when I > telnet to it ... It starts a sendmail shell like port 25. Is this > normal? I don't remember seeing this before. > > In conclusion, I need to setup a firewall on that particular host ASAP. I > have read a lot of documentation on firewalls and internet security which > I do understand. However, I am not exp. with IP FILTER or IPFW. > > I have one NIC in my box with that address of (example address)208.202.32.3 > and have 2 other IP's binded to the same interface. (IP Aliasing) > > Being that time is of the essence here, I do not have the time to readup > on firewall rules right now, I would be eternally grateful for some help > with the rules I need in order to filter the following ports and close all > others. > > Port State Service > 21/tcp open ftp > 22/tcp open ssh > 25/tcp open smtp > 53/tcp open domain > 80/tcp open http > 110/tcp open pop-3 > 111/tcp open sunrpc > 143/tcp open imap2 > 587/tcp open submission > 3306/tcp open mysql > 6000/tcp open X11 > > > ftp and ssh are wrapped (I know, not a good idea to wrap ssh.) In this > case I had to. > > I am sure I can figure out how to setup IPFILTER as long as I have the > correct rules. However it would be helpfule to have a very fast run down > of the steps I need to take in order to get it running. > > thanks a lot for taking the time to read this... > > -robert > > please CC: me a copy of any replies. > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message