From owner-freebsd-questions Sun Aug 12 12:52:21 2001
Date: Sun, 12 Aug 2001 20:49:14 +0100
From: Richard Smith
To: Matthew Sundling
Cc: freebsd-questions@freebsd.org
Subject: Re: security check output: questionable setuid diffs help?
Message-ID: <20010812204914.C744@gaia.home.rdls.net>
In-Reply-To: ; from sundlm@rpi.edu on Sun, Aug 12, 2001 at 11:15:49AM -0400
User-Agent: Mutt/1.2.5i

On Sun, Aug 12, 2001 at 11:15:49AM -0400, Matthew Sundling wrote:
> I am new to the land of maintaining and securing my own unix-like
> box, and so I have been presented with all the new problems
> (interesting learning experiences?) that lie therein.
>
> FYI: my machine = FreeBSD 4.3-RELEASE #2: Fri Aug 3 19:32:28
> GMT 2001
>
> I just started reading/following online security related websites
> on how to secure my machine yesterday (before yesterday my
> machine was running at securelevel=-1, with finger/telnet/ftp all
> still active in the default manner), and curiously messages
> appeared in my daily security check emails today (pasted below).
>
> Please note the change in time stamp. I would also point out the
> fact that I started logging TCP/UDP connection attempts
> yesterday, and it looked like several (~7) machines were port
> scanning. Also, my ISP is a rather open cable modem network.
> Also, I know little about true security and the art of detecting
> breaches. And I have not done any recent make worlds or
> installed any new system software since yesterday that would
> cause these changes. I did remove all services from the inetd,
> though...

There is a lot of port scanning going on at the moment, best have a
decent firewall configuration.

> Also, the header of the daily security log included:
>
> To: undisclosed-recipients:;
>
> Is this normal? I ask because I have no 'original' logs to
> compare the header against, so I can't tell if this is normal. I
> checked my crontab, /etc/periodic/* stuff and it _seems_ like root
> is the only recipient, but I can't really tell.

Just means that a `To' field was not written into the header, so the
receiving MUA put that in instead.

> Any suggestions? Has my machine been penetrated? Any advice?

Disable everything you do not use, e.g. inetd, portmap, etc.

> my.hostaddr.goes.here setuid diffs:
[snip, millions of files exactly 4 hours time difference]

Changed this machine's time zone recently?

-- 
Richard Smith
Network Systems Director
Satamatics Ltd
Green Lane, Tewkesbury, GL20 8HD, United Kingdom
Tel: +44 1684 278610  Fax: +44 1684 278611
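The "exactly 4 hours on every file" pattern Richard asks about can be checked mechanically rather than by eye. The script below is an added example, not part of this thread or of FreeBSD's own /etc/security script: it compares two setuid snapshots in the `ls -liTd` line format the daily check is assumed to keep (the two sample listings are constructed) and separates entries whose only difference is one uniform timestamp offset, the signature of a clock or time zone change, from entries that were added, removed, or changed in mode, owner, group or size, which are the ones worth a look.

```python
from datetime import datetime

# Constructed snapshots in the `ls -liTd` format the FreeBSD daily security
# check keeps for its setuid comparison (format is an assumption).  Fields:
# inode mode links owner group size Mon DD HH:MM:SS YYYY path
YESTERDAY = """\
1203 -r-sr-xr-x  1 root  wheel  24576 Jan 16 11:30:00 2001 /usr/bin/su
1210 -r-sr-xr-x  1 root  wheel  45056 Jan 16 11:30:00 2001 /usr/bin/passwd
1221 -r-xr-sr-x  1 root  kmem   16384 Jan 16 11:30:00 2001 /usr/bin/netstat
"""
# Same files four hours later on the clock, plus one setuid file that is new.
TODAY = """\
1203 -r-sr-xr-x  1 root  wheel  24576 Jan 16 15:30:00 2001 /usr/bin/su
1210 -r-sr-xr-x  1 root  wheel  45056 Jan 16 15:30:00 2001 /usr/bin/passwd
1221 -r-xr-sr-x  1 root  kmem   16384 Jan 16 15:30:00 2001 /usr/bin/netstat
1299 -rwsr-xr-x  1 root  wheel   8192 Aug 12 02:14:00 2001 /usr/local/bin/newtool
"""

def parse_listing(text):
    """Parse ls -liTd lines into {path: (non-time attributes, mtime)}."""
    entries = {}
    for line in filter(str.strip, text.splitlines()):
        fields = line.split(None, 10)          # the path itself may contain spaces
        if len(fields) != 11:
            raise ValueError(f"unexpected ls -liTd line: {line!r}")
        inode, mode, links, owner, group, size, mon, day, hms, year, path = fields
        mtime = datetime.strptime(f"{mon} {day} {hms} {year}", "%b %d %H:%M:%S %Y")
        entries[path] = ((inode, mode, links, owner, group, size), mtime)
    return entries

def classify_setuid_diff(old_text, new_text):
    """Separate a uniform timestamp shift from changes that need a look."""
    old, new = parse_listing(old_text), parse_listing(new_text)
    report = {"added": [], "removed": [], "changed": [],
              "time_only": [], "uniform_shift_hours": None}
    for path in sorted(set(old) | set(new)):
        if path not in old:
            report["added"].append(path)
        elif path not in new:
            report["removed"].append(path)
        elif old[path][0] != new[path][0]:
            report["changed"].append(path)     # mode/owner/group/size/inode differ
        elif old[path][1] != new[path][1]:
            hours = (new[path][1] - old[path][1]).total_seconds() / 3600
            report["time_only"].append((path, hours))
    shifts = {hours for _, hours in report["time_only"]}
    if len(shifts) == 1:                       # every mtime moved by the same amount
        report["uniform_shift_hours"] = shifts.pop()
    return report
```

An empty `changed` list together with a single `uniform_shift_hours` value is the time zone signature Richard is pointing at; anything in `added`, `removed` or `changed` is what the daily report exists to catch.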