Date:      Mon, 22 Jun 2009 08:59:52 -0400
From:      Bill Moran <wmoran@potentialtech.com>
To:        prad <prad@towardsfreedom.com>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: backdoor threat
Message-ID:  <20090622085952.9ef38eab.wmoran@potentialtech.com>
In-Reply-To: <20090619183535.006433d1@gom>
References:  <20090619111234.6883afd2@gom> <20090619143935.6c28be98.wmoran@potentialtech.com> <20090619183535.006433d1@gom>

In response to prad <prad@towardsfreedom.com>:
> 
> > Sure, there's 1000000000 things.  Start by running a nmap scan from a
> > different computer and see what ports are open.  Investigate each
> > program listening on those ports to ensure it's properly secured.
>
> ok this is really neat!
> we did the scan and found what the open ports are.
> so the first one we changed was the ssh.
> then a friend said he assigns ports that are not used in /etc/services,
> so i presume this means for instance if we change the http port, we'll
> have to tell our http server to do business on that port?

Moving programs to different ports is not a viable security technique.
It really only slows down a potential attacker a little bit.

My point in suggesting the port scan was for _you_ to know, conclusively,
what programs are potential attack vectors.  Moving your web server to
a different port will make it difficult for people you _want_ to use it
to find it.  And it won't make it significantly more difficult for
attackers.

> is this what you mean by ensuring that the program listening on a port
> is properly secured? or is there something else?

Every program has its own list of steps to secure it.  Once you know what
programs need to be secured, you can then address each one individually.

For example, it seems you've already taken reasonable steps with sshd, by
disabling password login and only using keys.  You can go a few steps
further by ensuring that the only accounts that can login are those that
you want to have access, and then installing a program that automatically
blocks IPs that have too many failed login attempts.

With all programs, you want to make sure that you've got the latest versions
that have all known bugs patched.

With apache, you should disable modules that you aren't using, and ensure
that any interpreters (such as PHP) are limited to only the functionality
that is needed.

It's also good general practice to configure a packet filter (such as pf
or ipfw) that only allows traffic that you know is good.  That way, if
someone manages to install a trojan, it's neutered because it can't
communicate back to its control site.

> > Making secure web forms is too complex to discuss in a single email.
> > 
> ok we'll look into this further. we really don't have too many web
> forms and the forum software we use is punbb which i think they
> (rickard et al) take good care of.

Again, make sure you keep this software up to date, so you have the latest
bug fixes.  Installing portaudit and making sure you get the nightly
emails from it is a good idea.

-- 
Bill Moran
http://www.potentialtech.com
http://people.collaborativefusion.com/~wmoran/
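The reply above lists hardening steps without showing how to check that they actually took effect. The script below is an added example and is not part of the original mail or of any FreeBSD tool: it audits an sshd_config for key-only login and an AllowUsers restriction, and checks whether a pf ruleset starts with a default-deny block rule (the "only allow traffic you know is good" point). The PermitRootLogin and ChallengeResponseAuthentication keywords are real sshd options not mentioned in the mail; the sample config files it writes are constructed for illustration and are not anyone's real configuration.

```shell
#!/bin/sh
# Added example (not from the original mail): audit an sshd_config and a
# pf.conf for the hardening steps discussed in the thread. File names and
# the sample configs below are constructed for illustration.

# Effective value of an sshd_config keyword: the first uncommented
# occurrence wins, as in sshd itself. Prints nothing if the keyword is absent.
sshd_value() {
    awk -v key="$2" '
        /^[[:space:]]*#/ { next }
        tolower($1) == tolower(key) { print $2; exit }
    ' "$1"
}

# Audit an sshd_config. Writes one FAIL line per weak setting to stderr and
# prints the number of failures to stdout (0 means every check passed).
sshd_failures() {
    f="$1"; fails=0
    # Password logins off, keys only. An absent keyword counts as weak
    # because sshd's compiled-in default for it is "yes".
    [ "$(sshd_value "$f" PasswordAuthentication)" = "no" ] ||
        { echo "FAIL: PasswordAuthentication is not 'no'" >&2; fails=$((fails + 1)); }
    # Keyboard-interactive (PAM) auth can bring password prompts back.
    [ "$(sshd_value "$f" ChallengeResponseAuthentication)" = "no" ] ||
        { echo "FAIL: ChallengeResponseAuthentication is not 'no'" >&2; fails=$((fails + 1)); }
    # No direct root login; use a normal account and su/sudo.
    [ "$(sshd_value "$f" PermitRootLogin)" = "no" ] ||
        { echo "FAIL: PermitRootLogin is not 'no'" >&2; fails=$((fails + 1)); }
    # Only the accounts you want should be allowed to log in at all.
    [ -n "$(sshd_value "$f" AllowUsers)" ] ||
        { echo "FAIL: no AllowUsers line, any account may try to log in" >&2; fails=$((fails + 1)); }
    echo "$fails"
}

# Print "yes" if the first filter rule in a pf.conf is a default-deny
# (block ... all), otherwise "no". Macros, options and blank/comment lines
# before the first rule are skipped.
pf_default_deny() {
    awk '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        $1 == "pass" || $1 == "block" || $1 == "match" {
            found = 1
            if ($1 == "block" && $0 ~ /[[:space:]]all([[:space:]]|$)/) print "yes"
            else print "no"
            exit
        }
        END { if (!found) print "no" }
    ' "$1"
}

# Write constructed sample configs (one weak, one hardened of each) into $1.
write_samples() {
    cat > "$1/sshd_weak" <<'EOF'
# constructed sample: keyword commented out, so sshd uses its default (yes)
#PasswordAuthentication no
ChallengeResponseAuthentication yes
EOF
    cat > "$1/sshd_hard" <<'EOF'
PasswordAuthentication no
ChallengeResponseAuthentication no
PermitRootLogin no
AllowUsers prad webadmin
EOF
    cat > "$1/pf_weak" <<'EOF'
# constructed sample: lets everything through, so a trojan can phone home
pass all
EOF
    cat > "$1/pf_hard" <<'EOF'
ext_if = "em0"
set skip on lo0
block log all
pass in on $ext_if proto tcp to ($ext_if) port { 22, 80 } keep state
pass out on $ext_if proto { tcp, udp } to any port 53 keep state
pass out on $ext_if proto tcp to any port { 80, 443 } keep state
EOF
}

# Run both audits over the constructed samples and print a summary.
demo() {
    dir=$(mktemp -d)
    write_samples "$dir"
    for f in sshd_weak sshd_hard; do
        echo "$f: $(sshd_failures "$dir/$f") weak setting(s)"
    done
    for f in pf_weak pf_hard; do
        echo "$f: default deny = $(pf_default_deny "$dir/$f")"
    done
    rm -rf "$dir"
}

demo
```

Point the functions at the real files (`sshd_failures /etc/ssh/sshd_config`, `pf_default_deny /etc/pf.conf`) to audit a live host; in the hardened pf sample, anything not in the explicit `pass out` list, including an implanted program's attempt to reach its control site, is blocked and logged on pflog, which is what makes the ruleset useful for detection as well as prevention.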



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20090622085952.9ef38eab.wmoran>