Date: Tue, 24 Jul 2001 19:38:10 -0500
From: Jon Loeliger <jdl@jdl.com>
To: Kris Kennaway <kris@obsecurity.org>
Cc: Peter Pentchev <roam@orbitel.bg>, security@freebsd.org
Subject: Re: Security Check Diffs Question
Message-ID: <200107250038.TAA07176@chrome.jdl.com>
In-Reply-To: Your message of "Tue, 24 Jul 2001 15:47:11 PDT." <20010724154711.B36368@xor.obsecurity.org>
So, like Kris Kennaway was saying to me just the other day:
>
> > ypchfn changed its inode number, and its link count. This means that
> > somebody performed an unlink() (delete) on ypchfn, and then created
> > a new ypchfn with the same size, timestamp, permissions and stuff,
> > but still a new file - and that's where the hardlink count + inum
> > tracking of /etc/security kicked in and alerted you.
>
> This is a signature I've seen before; chances are someone has gained
> root on your machine (probably through telnetd)
Excellent. So given the grim situation, this is what I want to hear.
The system was compromised. My suspicion is that telnetd was the
culprit, given it came on the heels of the telnet Security announcement.
No, I hadn't fixed it yet. Man, there just isn't enough time in the
day to do your real job _and_ plug the security holes! :-(
So the machine is currently off the air. I'll rebuild it.
And would that be 4.4 or 4.3? Rats.
I'm also going to set up a more serious DMZ firewall. Can I ask
you guys questions and hold my hand through setting it all up?
I am not familiar with IPFW, but I know what it does, how it
works, networking and IP details. So here's what I think I want
to set up now:
- External ISP ISDN wire comes out of the wall,
- Hits the Ascend Pipeline-50 and comes out ethernet,
- Goes into a DMZ box on one ether card,
- Same DMZ box has IPFW rules allowing traffic (or not)
to be forwarded to the second ether card in that box,
- The second ether card plugs into the 24-port switch,
- Everything else on the "inside" plugs into that same switch.
For starters, do I have the basic scheme right?
( So I'm waiting on the high speed link to come up again,
and eventually the Pipe-50 gets replaced with a T-1 LMC card.
(Does FreeBSD have an LMC T-1 driver? Or will I have to use
this old POS Linux box for that?) )
You know, this is a pain! But I appreciate your suggestions! :-)
jdl
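The inode and link-count check that Peter describes in the quoted reply, as an added example that is not part of this thread or of FreeBSD's own /etc/security script: a snapshot of setuid binaries in a constructed record format, and a comparison that flags a path whose inode changed while size, mode and mtime stayed the same. The `setuid_snapshot` helper assumes BSD `stat -f` and is not run by the demo; the two sample snapshots are constructed.

```shell
#!/bin/sh
# Added example (not FreeBSD's /etc/security): flag a setuid binary that was
# unlinked and recreated with the same size, mode and mtime, visible only as
# a new inode and changed link count. Record: inode links mode owner size mtime path

# Live snapshot of setuid/setgid files on one filesystem. Assumes the BSD
# stat(1) -f syntax; defined for reference, not called by the demo below.
setuid_snapshot() {
    find "${1:-/}" -xdev -type f \( -perm -4000 -o -perm -2000 \) \
        -exec stat -f '%i %l %Sp %Su %z %m %N' {} +
}

# Compare old ($1) and new ($2) snapshots. A changed inode means the path
# now names a different file; a changed link count alone means a hard link
# to the same inode came or went (deleting ypchfn also lowers ypchsh's count).
find_replaced() {
    awk '
        NR == FNR { old[$7] = $0; next }
        {
            seen[$7] = 1
            if (!($7 in old)) { printf "NEW %s\n", $7; next }
            split(old[$7], o, " ")
            if (o[1] != $1) {
                note = (o[3] == $3 && o[5] == $5 && o[6] == $6) ? "size/mode/mtime unchanged" : "other attributes changed too"
                printf "REPLACED %s inode %s->%s links %s->%s (%s)\n", $7, o[1], $1, o[2], $2, note
            } else if (o[2] != $2)
                printf "LINKS %s %s->%s\n", $7, o[2], $2
        }
        END { for (p in old) if (!(p in seen)) printf "GONE %s\n", p }
    ' "$1" "$2"
}

# Constructed sample snapshots, not output from the compromised host:
# ypchfn and ypchsh start as two links to one inode; ypchfn is then
# replaced by a new file with matching size, mode and mtime.
demo() {
    old=$(mktemp) && new=$(mktemp) || return 1
    cat >"$old" <<'EOF'
3107 2 -r-sr-xr-x root 18980 995100000 /usr/bin/ypchfn
3107 2 -r-sr-xr-x root 18980 995100000 /usr/bin/ypchsh
2210 1 -r-sr-xr-x root 26644 995100000 /usr/bin/passwd
EOF
    cat >"$new" <<'EOF'
4419 1 -r-sr-xr-x root 18980 995100000 /usr/bin/ypchfn
3107 1 -r-sr-xr-x root 18980 995100000 /usr/bin/ypchsh
2210 1 -r-sr-xr-x root 26644 995100000 /usr/bin/passwd
EOF
    find_replaced "$old" "$new"
    rm -f "$old" "$new"
}
```

Running `demo` reports ypchfn as REPLACED with its attributes unchanged and ypchsh with a lowered link count, the same pair of symptoms the daily setuid diff showed here.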
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
