From owner-freebsd-security Wed Dec 13 8:43:36 2000
From owner-freebsd-security@FreeBSD.ORG Wed Dec 13 08:43:28 2000
Return-Path:
Delivered-To: freebsd-security@freebsd.org
Received: from rly-ip01.mx.aol.com (rly-ip01.mx.aol.com [205.188.156.49]) by hub.freebsd.org (Postfix) with ESMTP id 6D4A937B400 for ; Wed, 13 Dec 2000 08:43:28 -0800 (PST)
Received: from tot-tj.proxy.aol.com (tot-tj.proxy.aol.com [152.163.213.131]) by rly-ip01.mx.aol.com (8.8.8/8.8.8/AOL-5.0.0) with ESMTP id LAA24382; Wed, 13 Dec 2000 11:42:55 -0500 (EST)
Received: from pavilion (AC9B9EF8.ipt.aol.com [172.155.158.248]) by tot-tj.proxy.aol.com (8.10.0/8.10.0) with SMTP id eBDGgo106776; Wed, 13 Dec 2000 11:42:50 -0500 (EST)
Message-ID: <013e01c06523$bb32c020$0101a8c0@pavilion>
From: "Richard Ward"
To: "mikel" , "Robert McCallum"
Cc: ,
References: <3A37A3AF.E2258877@ocsinternet.com>
Subject: Re: 911 lockdown!
Date: Wed, 13 Dec 2000 11:42:47 -0500
Organization: http://www.neonsky.net
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.00.2014.211
X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2615.200
X-Apparently-From: Nis8840@aol.com
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Agreed, the first step is to calm down. Although most wouldn't believe this, system security is compromised every single day. And for every bug-fix that is released for a program, three new bugs have already surfaced. The most important thing you can do, and it will save you a great deal of time: back up frequently. Once you "know" for sure that the system is clean, and free of any trouble, back it up! This is a lesson I have learned the hard way, in the many years I've worked with Web Hosting and Shell Provider companies. The best way to keep track of bugs is obviously via mailing lists such as this one. No system is totally secure, unless it's un-plugged.

I wish you luck in getting back on your feet, and finding the kiddie(s) who have been poking around your system.

--
Richard Ward, CEO
richard@neonsky.net
Neonsky Internet Services
877 249 6707 - US/Canada

----- Original Message -----
From: mikel
To: Robert McCallum
Cc: ;
Sent: Wednesday, December 13, 2000 11:28 AM
Subject: Re: 911 lockdown!

> Robert,
>
> First things first, calm down. Now, do you have access to your router's
> config? If so, set up a few access lists and block everything you don't absolutely
> need. This is not a true fw but it will buy you some time while you regroup.
>
> If you want more direct assistance mail me directly and we'll chat...
>
> Robert McCallum wrote:
>
> > My DNS/MAIL/WEB server was hacked recently, I don't believe they 'rooted'
> > the server 'yet'. But I do see that they have obtained access to a user
> > account. It appears they cracked a user's account; I found out that one
> > of my users did not adhere to our security policy and set a password that
> > was not in accordance with our password policy.
> >
> > I did find the cracker's address; although he did attempt to clean up after
> > himself, he was not very good.
> >
> > The machines were up approx. 1 month and are not behind a firewall as of
> > yet. The delay in setting up a firewall (for which there is no excuse) is
> > due to the fact that we are moving to a new office and leasing bandwidth
> > from a different service provider, who is going to assign us a new block
> > of IPs. Laziness is the cause of this break-in.
> >
> > I lack the hardware to set up a firewall/router at this time. The only
> > thing I can do is firewall the server itself. I have already wrapped and
> > disallowed access to many services from outside our subnet, but this does
> > not seem to be sufficient since some ports are still open and can be
> > accessed, such as X11 on 6000, SMTP 25, IMAP on 143, etc. I also noticed
> > that on port 587 the service named 'submission' is open ... and when I
> > telnet to it ... it starts a sendmail shell like port 25. Is this
> > normal? I don't remember seeing this before.
> >
> > In conclusion, I need to set up a firewall on that particular host ASAP. I
> > have read a lot of documentation on firewalls and internet security which
> > I do understand. However, I am not exp. with IP FILTER or IPFW.
> >
> > I have one NIC in my box with the address of (example address) 208.202.32.3
> > and have 2 other IPs bound to the same interface. (IP Aliasing)
> >
> > Being that time is of the essence here, I do not have the time to read up
> > on firewall rules right now; I would be eternally grateful for some help
> > with the rules I need in order to filter the following ports and close all
> > others.
> >
> > Port      State  Service
> > 21/tcp    open   ftp
> > 22/tcp    open   ssh
> > 25/tcp    open   smtp
> > 53/tcp    open   domain
> > 80/tcp    open   http
> > 110/tcp   open   pop-3
> > 111/tcp   open   sunrpc
> > 143/tcp   open   imap2
> > 587/tcp   open   submission
> > 3306/tcp  open   mysql
> > 6000/tcp  open   X11
> >
> > ftp and ssh are wrapped (I know, not a good idea to wrap ssh.) In this
> > case I had to.
> >
> > I am sure I can figure out how to set up IPFILTER as long as I have the
> > correct rules. However it would be helpful to have a very fast run down
> > of the steps I need to take in order to get it running.
> >
> > thanks a lot for taking the time to read this...
> >
> > -robert
> >
> > please CC: me a copy of any replies.
> >
> > To Unsubscribe: send mail to majordomo@FreeBSD.org
> > with "unsubscribe freebsd-security" in the body of the message
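A host-based IP Filter ruleset for the situation Robert describes (single NIC with aliases, the listed services, everything else closed), added here as an example; it is not part of the original thread and not anything Richard or mikel posted. It assumes the interface is named xl0 (the message never names it) and that 208.202.32.0/24 is the local subnet around his example address 208.202.32.3; both are assumptions to adjust. The public services from his port list (ftp, ssh, smtp, submission, dns, http, pop-3, imap) are passed in from anywhere with state, mysql is limited to the local subnet, and sunrpc and X11 are not passed at all so they fall through to the default block. Every packet not explicitly passed is blocked, and blocked inbound packets are logged.

```conf
# /etc/ipf.rules -- constructed example for the host in the thread.
# Assumptions: external interface xl0, local subnet 208.202.32.0/24.
# IP Filter applies the LAST matching rule unless a rule says "quick",
# so the two block rules below are the default and "pass ... quick"
# rules override them.
block in log all
block out all

# Loopback is never filtered; local clients of sunrpc/mysql/X11 use it.
pass in  quick on lo0 all
pass out quick on lo0 all

# Packets arriving from the wire with private or loopback source
# addresses are forged; drop them before any pass rule can match.
block in quick on xl0 from 10.0.0.0/8 to any
block in quick on xl0 from 172.16.0.0/12 to any
block in quick on xl0 from 192.168.0.0/16 to any
block in quick on xl0 from 127.0.0.0/8 to any

# The host may initiate anything; the state entry admits the replies.
pass out quick on xl0 proto tcp  from any to any flags S keep state
pass out quick on xl0 proto udp  from any to any keep state
pass out quick on xl0 proto icmp from any to any keep state

# Public services. "to any" covers every address aliased onto xl0.
# "flags S" admits only the connection-opening SYN; "keep state"
# then lets the rest of that connection through without more rules.
# ftp (21), ssh (22), smtp (25), submission (587)
pass in quick on xl0 proto tcp from any to any port = 21  flags S keep state
pass in quick on xl0 proto tcp from any to any port = 22  flags S keep state
pass in quick on xl0 proto tcp from any to any port = 25  flags S keep state
pass in quick on xl0 proto tcp from any to any port = 587 flags S keep state
# http (80), pop-3 (110), imap (143)
pass in quick on xl0 proto tcp from any to any port = 80  flags S keep state
pass in quick on xl0 proto tcp from any to any port = 110 flags S keep state
pass in quick on xl0 proto tcp from any to any port = 143 flags S keep state
# dns: udp for queries, tcp for zone transfers and oversize answers
pass in quick on xl0 proto udp from any to any port = 53 keep state
pass in quick on xl0 proto tcp from any to any port = 53 flags S keep state

# mysql (3306) only from the local subnet (assumption: nobody outside
# the subnet needs it; delete this rule if that is not true).
pass in quick on xl0 proto tcp from 208.202.32.0/24 to any port = 3306 flags S keep state

# sunrpc (111) and X11 (6000) are deliberately absent: with no pass
# rule, "block in log all" closes them on xl0 while lo0 stays open.
```

Loading it on a FreeBSD 4.x-era box: the kernel needs `options IPFILTER` and `options IPFILTER_LOG`, the rules go live with `ipf -Fa -f /etc/ipf.rules`, and `ipfilter_enable="YES"` plus `ipfilter_rules="/etc/ipf.rules"` in rc.conf (the rc.conf knobs of that release) keep them across reboots. `ipfstat -hio` shows per-rule hit counts, which is the quickest check that the pass rules are actually matching, and `ipmon -s` sends the logged blocks to syslog, where the probes against 111 and 6000 will show up. Two caveats: passive-mode FTP data connections arrive on high ports that this ruleset blocks, so either pass the daemon's configured passive range or accept active mode only; and the port 587 listener Robert asks about is the mail submission port (RFC 2476), which sendmail 8.10 and later opens by default with the same SMTP dialogue as port 25, so that part is normal and is why 587 is passed above alongside 25.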