From: "Gary Gatten"
To: "Bill Moran", "prad"
Cc: freebsd-questions@freebsd.org
Date: Mon, 22 Jun 2009 09:58:56 -0500
Subject: RE: backdoor threat
Message-ID: <70C0964126D66F458E688618E1CD008A0793F062@WADPEXV0.waddell.com>
In-Reply-To: <20090622085952.9ef38eab.wmoran@potentialtech.com>

OK - this thread is scaring me. Anything that involves a "backdoor" threat is very concerning - I keep looking over my shoulder to make sure no one is sneaking up on me!

-----Original Message-----
From: owner-freebsd-questions@freebsd.org [mailto:owner-freebsd-questions@freebsd.org] On Behalf Of Bill Moran
Sent: Monday, June 22, 2009 8:00 AM
To: prad
Cc: freebsd-questions@freebsd.org
Subject: Re: backdoor threat

In response to prad:

> 
> > Sure, there's 1000000000 things. Start by running a nmap scan from a
> > different computer and see what ports are open. Investigate each
> > program listening on those ports to ensure it's properly secured.
> 
> ok this is really neat!
> we did the scan and found what the open ports are.
> so the first one we changed was the ssh.
> then a friend said he assigns ports that are not used in /etc/services,
> so i presume this means for instance if we change the http port, we'll
> have to tell our http server to do business on that port?

Moving programs to different ports is not a viable security technique. It really only slows down a potential attacker a little bit. My point in suggesting the port scan was for _you_ to know, conclusively, what programs are potential attack vectors. Moving your web server to a different port will make it difficult for people you _want_ to use it to find it. And it won't make it significantly more difficult for attackers.

> is this what you mean by ensuring that the program listening on a port
> is properly secured? or is there something else?

Every program has its own list of steps to secure it.
Once you know what programs need to be secured, you can then address each one individually. For example, it seems you've already taken reasonable steps with sshd, by disabling password login and only using keys. You can go a few steps further by ensuring that the only accounts that can login are those that you want to have access, and then installing a program that automatically blocks IPs that have too many failed login attempts.

With all programs, you want to make sure that you've got the latest versions that have all known bugs patched.

With apache, you should disable modules that you aren't using, and ensure that any interpreters (such as PHP) are limited to only the functionality that is needed.

It's also good general practice to configure a packet filter (such as pf or ipfw) that only allows traffic that you know is good. That way, if someone manages to install a trojan, it's neutered because it can't communicate back to its control site.

> > Making secure web forms is too complex to discuss in a single email.
> 
> ok we'll look into this further. we really don't have too many web
> forms and the forum software we use is punbb which i think they
> (rickard et al) take good care of.

Again, make sure you keep this software up to date, so you have the latest bug fixes. Installing portaudit and making sure you get the nightly emails from it is a good idea.

-- 
Bill Moran
http://www.potentialtech.com
http://people.collaborativefusion.com/~wmoran/

_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"
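As an added example (not written by anyone in this thread), here is a pf ruleset for a single FreeBSD host that implements the advice above: default-deny in both directions so an implanted trojan cannot reach its control site, sshd reachable only from an admin network with a per-source connection rate limit whose offenders are dropped into a table, and the web server left on its standard ports. The interface name and the network addresses are assumptions for the example.

```conf
# /etc/pf.conf - constructed example for one FreeBSD host
ext_if     = "em0"                 # assumption: the external interface
admin_net  = "{ 192.0.2.0/24 }"    # constructed: where admins ssh in from
dns_servers = "{ 192.0.2.53 }"     # constructed: the resolvers this host may use

# Sources that tripped the ssh rate limit; a log watcher such as sshguard
# can also feed failed-login offenders into this table.
table <bruteforce> persist

set skip on lo0
set block-policy drop
scrub in on $ext_if all

# Default deny in BOTH directions. The outbound block is what neuters a
# trojan: nothing leaves the box unless a rule below explicitly allows it.
block in  log on $ext_if all
block out log on $ext_if all

# Anything already flagged as an offender is dropped before any pass rule.
block in quick on $ext_if from <bruteforce>

# sshd: only the admin network, at most 5 new connections per minute per
# source. Faster sources land in <bruteforce> and their states are flushed.
pass in on $ext_if proto tcp from $admin_net to ($ext_if) port 22 \
    flags S/SA keep state \
    (max-src-conn-rate 5/60, overload <bruteforce> flush global)

# Web server stays on its standard ports; moving it would only hide it
# from legitimate users, not from an attacker's port scan.
pass in on $ext_if proto tcp from any to ($ext_if) port { 80, 443 } \
    flags S/SA keep state

# Outbound allow list: DNS, NTP, and HTTP/HTTPS for portsnap/portaudit
# and package fetches. Everything else outbound hits the block above.
pass out on $ext_if proto udp from ($ext_if) to $dns_servers port 53 keep state
pass out on $ext_if proto udp from ($ext_if) to any port 123 keep state
pass out on $ext_if proto tcp from ($ext_if) to any port { 80, 443 } \
    flags S/SA keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it, and review `pfctl -t bruteforce -T show` periodically so a legitimate admin host that tripped the limit can be removed.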