Date:      Thu, 2 Nov 2000 10:51:30 -0600
From:      "Don Muller" <dmuller@lcc.net>
To:        <freebsd-hackers@FreeBSD.org>
Subject:   Is this how to use Freebsd?
Message-ID:  <003c01c044ed$292e1e00$490822d1@user>

Hello,

I have some questions that maybe someone could help with.

I leased a new server, and Red Hat 6.2 was put on as the operating system. Shortly after that the machine was hacked. Apparently the machine was a peach, because the hackers used the server to launch DOS attacks from. The high output hit 44MBS!

Well, the company did not explain how or why it happened. The programmer I work with suggested BSD. Of course I wanted security!

Well, I told the network admin that I wanted some security because I thought the hackers would come back. He said, well, when we put you on a 10 pipe (of your 10-100) the attacks stopped, so I don't think they will come back, as they know they are detected. Also, in 98% of the cases they just move on.

Well, I didn't really think this was all that well thought out, and ripe for abuse, but what could I do? So I told them to leave the 10mbs pipe on for a few days in case they came back.

Well, guess what? They came back! Just a few hours later, and attacked with the 10 mbs pipe. And it took way longer to detect! Of course. At 44 mbs they detect it right away. So, when is the network guy gonna do something smart?

Well, they gave me some explanation that the server was hacked at the xfs port. But later I was told that the ftp port on Red Hat 6.2 was the vulnerability, so they actually were not sure? They did little to tell me what to do either, other than to "clean up".

We decided it was best to start over rather than look for back doors etc.

So this is when we had the network people install FreeBSD. And this is where my questions lie.

Well, they didn't put SMP in the kernel; it was a dual processor. We fixed that, but the programmer I work with noticed that the files were not right. We have (2) 9 gig hard drives, and one had 8.3 gigs of space in /home. The other had 18 mb in /, /var had 19 mb, and /usr had 7.2 gigs .....

So, we were told that this is a normal out-of-the-box configuration for FreeBSD. Does that make sense?

I do not know.

But I need to know if my programmer is not really understanding the files and how they are used in FreeBSD, or if the network guys made a mistake and are thinking we won't catch it.

Because... the network guys suggested we try (well, at first one guy agreed and said, yeah, those files and partitions don't look right, I agree with your programmer)... so he suggested that we do the following:

/ 48 mb  -- 18 free
/var  -- 19 mb
/usr -- 7.2 gig

drive 2
/home  8.3

mv /usr/*  /usr/usr
cp / /usr
cp /var /usr

reload boot software and edit /usr/etc (after copy) to make /usr    /
--
Well, when our guy logged in and did that, it shut his connection down. The computer just kept looking for a getty file. So his copy probably messed with the connection when the connection info was moved... or something, I was told by the network guys.

Well, I am not a programmer or a system guy... But I am thinking that I, or we, are not totally at fault with what happened here, and should not have to pay for a reinstall.

So, if you could comment and expand where possible on the following, it would be appreciated, and we could then have an idea what to do as well.

1). Does the network have any obligation to lock down a server before they hand it over? They have been hit by 10 such attacks since mine and have changed their strategy to locking the systems down.

2). Does the file and partition system look ok for a 2-drive FreeBSD install? We mainly want to use 1 hd and have one for backup of the first.

3). Is the following a system that defeats the purpose of FreeBSD, or is it not a good way to use it?

*Not from programmer
Tell them to set up the drives as follows:

___1 partition per drive___

drive 1 mount to /

drive 2 mount to /mnt/backup

Ok, well I guess I have confused you enough.

Please forward any ideas you may have on the subject.

Thanks

D Muller
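An added example, not part of the original post and not anything supplied by the poster's provider: it replays the three-line relocation the poster was given (mv /usr/* /usr/usr, cp / /usr, cp /var /usr) inside a throwaway directory, so the reason the box ended up "looking for a getty file" is visible, and then does the copy in the form that would have preserved the tree. Every path lives under a mktemp directory that the script creates itself; the real / and /usr are never touched. The one assumption about the original system is the getty location, /usr/libexec/getty, which is where FreeBSD keeps the binary init re-spawns for each terminal.

```shell
#!/bin/sh
# Added example (not from the original post): replay the posted relocation
# steps on a constructed stand-in tree and show what they actually do.
# Assumption: getty lives at /usr/libexec/getty, as on FreeBSD.

# Build a stand-in root: /etc and /var on the small partition, /usr holding
# the getty binary that init re-spawns for each terminal.
make_fake_root() {
    scratch=$(mktemp -d)
    mkdir -p "$scratch/etc" "$scratch/var/log" \
             "$scratch/usr/bin" "$scratch/usr/libexec"
    printf 'fake fstab\n' > "$scratch/etc/fstab"
    printf 'fake getty\n' > "$scratch/usr/libexec/getty"
    chmod 755 "$scratch/usr/libexec/getty"
    echo "$scratch"
}

# Replay the posted sequence against the stand-in tree.
replay_posted_steps() {
    root=$1
    # Without the target directory, mv refuses outright ("not a directory"),
    # so the only way the posted step ever did anything is with it present.
    mkdir -p "$root/usr/usr"
    # Moves bin and libexec under /usr/usr.  The glob also matches /usr/usr
    # itself, which mv cannot move into itself, so it exits non-zero; but
    # getty has already left the path init is configured to exec.
    mv "$root"/usr/* "$root/usr/usr" 2>/dev/null || true
    # cp without -R does not copy a directory at all: nothing of / or /var
    # lands under /usr.  The system lost getty for no gain.
    cp "$root" "$root/usr" 2>/dev/null || true
    cp "$root/var" "$root/usr" 2>/dev/null || true
    return 0
}

# True when init could still find getty at its configured path.
getty_in_place() { [ -x "$1/usr/libexec/getty" ]; }

# True when the posted cp actually produced a copy of /etc under /usr.
etc_was_copied() { [ -f "$1/usr/etc/fstab" ]; }

# The copy the poster needed: recursive, permission-preserving, into a
# fresh staging directory, leaving the live tree alone until verified.
safe_copy_root() {
    root=$1
    mkdir -p "$root/staging"
    cp -Rp "$root/etc" "$root/var" "$root/staging/"
    [ -f "$root/staging/etc/fstab" ] && [ -d "$root/staging/var/log" ]
}

# Stand-alone run: report what each approach leaves behind, then clean up.
demo_root=$(make_fake_root)
replay_posted_steps "$demo_root"
if getty_in_place "$demo_root"; then
    echo "posted steps: getty still where init expects it"
else
    echo "posted steps: getty gone from /usr/libexec; init would loop on it"
fi
if etc_was_copied "$demo_root"; then
    echo "posted steps: /etc was staged under /usr"
else
    echo "posted steps: cp without -R copied nothing"
fi
if safe_copy_root "$demo_root"; then
    echo "safe copy: /etc and /var staged intact under staging/"
fi
rm -rf "$demo_root"
```

Run it with `sh` on any system with a POSIX userland. The lesson for anyone rebuilding a box this way: moving /usr aside while init still expects /usr/libexec/getty takes the console and the login path down with it, and `cp` without `-R` silently copies no directory at all, so the step meant to stage / into /usr never happened. Copy with `cp -Rp` (or dump and restore) into a staging area, verify the result, and only then change mount points.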