From owner-freebsd-hackers Thu Nov 2 9:12:51 2000 Delivered-To: freebsd-hackers@freebsd.org Received: from post.webmailer.de (natmail2.webmailer.de [192.67.198.65]) by hub.freebsd.org (Postfix) with ESMTP id AD44737B4D7 for ; Thu, 2 Nov 2000 09:12:35 -0800 (PST) Received: from umktgghc (host-209-214-44-97.mob.bellsouth.net [209.214.44.97]) by post.webmailer.de (8.9.3/8.8.7) with SMTP id SAA16418; Thu, 2 Nov 2000 18:12:27 +0100 (MET) Message-Id: <200011021712.SAA16418@post.webmailer.de> From: "Moritz Hardt" To: "Don Muller" , "freebsd-hackers@FreeBSD.ORG" Date: Thu, 02 Nov 2000 11:11:47 -0500 Reply-To: "Moritz Hardt" X-Mailer: PMMail 2000 Professional (2.10.2010) For Windows 98 (4.10.1998) In-Reply-To: <003c01c044ed$292e1e00$490822d1@user> MIME-Version: 1.0 Content-Type: multipart/alternative; boundary="_=_=_=IMA.BOUNDARY.HTML_4963392=_=_=_" Subject: Re: Is this how to use Freebsd? Sender: owner-freebsd-hackers@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.ORG --_=_=_=IMA.BOUNDARY.HTML_4963392=_=_=_ Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable It seems to me like, your network administrators are a bit unexperienced= with linux, bsd and system-security. If a machine gets compromised, it should be the first step, to unplug it= from the network and try to analyze who hacked the machine. Since I think you were hacked by standard-script-kiddies, t= hey probably left tracks. so, go thru logfiles, etc. Installing FreeBSD or any other OS is not a garantee for security. You s= hould read the security documentation of the os and it is important to stay up-to-date with your patches. sign up for bu= gtraq@securityfocus.com for example and see if discovered bugs and holes concern your system. there are a lot of things= you can do. I can't listen them all. Now to your mount-problem. First I have to say, that you should use the = FreeBSD-partition/mountpoint-setup during the installation. the step 'mv /usr /usr/usr' is defnetely not understanable, since you me= ss up the whole system. the next steps you did are at least as bad as the first one. your new mount configuration seems really strange to me, aswell. Is it p= ossible that the admin doesn't know much about unix? Anyway, I recommend you to read the FreeBSD-Handbook first, since it exp= lains a lot. You can find it at www.freebsd.org/handbook/ --Original Message Text--- From: Don Muller Date: Thu, 2 Nov 2000 10:51:30 -0600 Hello, =FF I have some questions that maybe someone could help with. =FF I leased a new server, and redhat 6 .2 was put as the operating system S= hortly after that the machine was hacked. Apparently the machine was a peach because the hackers used the server to launch DOS at= tacks from. The high output hit 44MBS ! =FF Well, the company did not explain how, or why it happened. The programme= r I work with=FF suggested BSD.Of course I wanted security! =FF Well, I told the Network admin that I wanted some security because I tho= ught the hackers would come back. He said, well, when we put you on a 10 pipe, (of your 10-100) the attacks stopped, so I= don't think they will come back as they know they are detected. Also, in 98% of the cases they just move on. =FF Well I didn't really think this was all that well thought out, and ripe = for abuse, but what could I do? So I told them to leave the 10mbs pipe on for a few days in case they come back. =FF Well guess what? They came back! Just a few hours later, and attacked wi= th the 10 mbs pipe. And it took way longer to detect! Of course. At 44 mbs they detect it right away. So, when is the network guy gonna do something smart? =FF Well, they gave me some explanation that the server was hacked at the xf= s port. But later I was told that the ftp port on redhat 6.2 was the vulnerability, so they actually were not sure? They did litt= le to tell me what to do either, other than to "Clean up". =FF We decided best was to start over rather than look for back doors etc. =FF So this is when we had the network people install Freebsd. And where my = questions lie. =FF Well, They didnt put a smp in the kernal, it was a dual processor. We fi= xed that, but the programmer I work with noticed that the files were not right. We have (2) 9 gig hard drives, and one had 8.3= gigs of space in /home, The other had 18 mb in /=FF=FF and /var had 19 mb=FF=FF /usr had 7.2 gigs ..... =FF So, we were told that this is a normal out of the box configuration for = Freebsd. Does that make sense? =FF I do not know. =FF But I need to know if my programmer is not really understanding the file= s and how they are used in Freebsd, Or if the Network guys made a mistake, and are thinking we won't catch it. =FF Because...the network guys suggested we try (well at first one guy agree= d and said, yeah, those files and partitions don't look right, I agree with your programmer) ...so he suggested that we do the f= ollowing: =FF / 48 mb=FF -- 18 free /var=FF --19 mb /usr -- 7.2 gig drive 2 /home=FF 8.3 mv /usr/*=FF /usr/usr cp / /usr cp /var /usr reload boot software and edit /usr/etc (after copy) to make /usr=FF=FF=FF= / -- Well, when our guy logged in and did that it shut his connection down. T= he computer just kept looking for a getty file. So his copy probably messed with the conn= ection when the connection info was moved...or something I was told by the network guys.= =FF =FF Well, I am not a program or a system guy.. But I am thinking that I, or = we are not totally at fault with what happened here,and should not have to pay for a re install. =FF So, could you comment and expand where possible on the following, it wou= ld be appreciated, and we could then have an idea what to do as well. =FF 1).Does the network have any obligation to lock down a server, before th= ey hand it over? They have been hit by 10 such attacks since mine and have changed the strategy to locking the systems = down. =FF 2).Does the file and partition system look ok for a 2 drive Freebsd inst= all? We mainly want to use 1 hd and have one for back up of the first. =FF 3). Is the following a system that defeats the purpose of Freebsd, or is= not a good way to use it? =FF *Not from programmer Tell them to set up the drives as follows: ___1 paritition per drive___ drive 1 mount to / drive 2 mount to /mnt/backup =FF Ok, well I guess I have confused you enough. =FF Please forward any ideas you may have on teh subject. =FF Thanks =FF D Muller =FF =FF =FF --_=_=_=IMA.BOUNDARY.HTML_4963392=_=_=_ Content-Type: text/html; charset="us-ascii" Content-Transfer-Encoding: quoted-printable It seems to me like, your network administrators= are a bit unexperienced with linux, bsd and system-security.

If a machine gets compromised, it should be the first step, to unplug it= from the network and try to analyze who hacked the machine. Since I thi= nk you were hacked by standard-script-kiddies, they probably left tracks= . so, go thru logfiles, etc.

Installing FreeBSD or any other OS is not a garantee for security. You s= hould read the security documentation of the os and it is important to s= tay up-to-date with your patches. sign up for bugtraq@securityfocus.com = for example and see if discovered bugs and holes concern your system. th= ere are a lot of things you can do. I can't listen them all.

Now to your mount-problem. First I have to say, that you should use the = FreeBSD-partition/mountpoint-setup during the installation.
the step 'mv /usr /usr/usr' is defnetely not understanable, since you me= ss up the whole system. the next steps you did are at least as bad as t= he first one.

your new mount configuration seems really strange to me, aswell. Is it p= ossible that the admin doesn't know much about unix?

Anyway, I recommend you to read the FreeBSD-Handbook first, since it exp= lains a lot. You can find it at www.freebsd.org/handbook/



--Original Message Text---
From: Don Muller
Date: Thu, 2 Nov 2000 10:51:30 -0600

Hello,
 
I have some questions that maybe someone could h= elp with.
 
I leased a new server, and redhat 6 .2 was put a= s the operating system Shortly after that the machine was hacked. Appare= ntly the machine was a peach because the hackers used the server to laun= ch DOS attacks from. The high output hit 44MBS !
 
Well, the company did not explain how, or why it= happened. The programmer I work with suggested BSD.Of course I wan= ted security!
 
Well, I told the Network admin that I wanted som= e security because I thought the hackers would come back. He said, well,= when we put you on a 10 pipe, (of your 10-100) the attacks stopped, so = I don't think they will come back as they know they are detected.
Also, in 98% of the cases they just move on.
 
Well I didn't really think this was all that wel= l thought out, and ripe for abuse, but what could I do? So I told them t= o leave the 10mbs pipe on for a few days in case they come back.
 
Well guess what? They came back! Just a few hour= s later, and attacked with the 10 mbs pipe. And it took way longer to de= tect! Of course. At 44 mbs they detect it right away.
So, when is the network guy gonna do something s= mart?
 
Well, they gave me some explanation that the ser= ver was hacked at the xfs port. But later I was told that the ftp port o= n redhat 6.2 was the vulnerability, so they actually were not sure? They= did little to tell me what to do either, other than to "Clean up".
 
We decided best was to start over rather than lo= ok for back doors etc.
=  
So this is when we had the network people instal= l Freebsd. And where my questions lie.
 
Well, They didnt put a smp in the kernal, it was= a dual processor. We fixed that, but the programmer I work with noticed= that the files were not right. We have (2) 9 gig hard drives, and one h= ad 8.3 gigs of space in /home, The other had 18 mb in /  and
/var had 19 mb  /usr had 7.2 gigs ....= .
 
So, we were told that this is a normal out of th= e box configuration for Freebsd. Does that make sense?
 
I do not know.
 
But I need to know if my programmer is not reall= y understanding the files and how they are used in Freebsd, Or if the Ne= twork guys made a mistake, and are thinking we won't catch it.
 
Because...the network guys suggested we try (wel= l at first one guy agreed and said, yeah, those files and partitions don= 't look right, I agree with your programmer) ...so he suggested that we = do the following:
 
/ 48 mb -= - 18 free
/var --19 mb
/usr -- 7.2 gig


drive 2
/home 8.3

mv /usr/* /usr/usr
cp / /usr
cp /var /usr

reload boot software and edit /usr/etc (after copy) to make /usr &n= bsp; /
--
Well, when our guy logged in and did that it shut his connection down. T= he computer just kept looking for a getty file. So his copy probably mes= sed with the connection when the connection info was moved...or somethin= g I was told by the network guys.
 
 
Well, I am not a program or a system guy.. But I= am thinking that I, or we are not totally at fault with what happened h= ere,and should not have to pay for a re install.
 
So, could you comment and expand where possible = on the following, it would be appreciated, and we could then have an ide= a what to do as well.
 
1).Does the network have any obligation to lock = down a server, before they hand it over? They have been hit by 10 such a= ttacks since mine and have changed the strategy to locking the systems d= own.
 
2).Does the file and partition system look ok fo= r a 2 drive Freebsd install? We mainly want to use 1 hd and have one for= back up of the first.
=  
3). Is the following a system that defeats the p= urpose of Freebsd, or is not a good way to use it?
 
*Not from programmer
Tell them to set up the drives as follows:

___1 paritition per drive___

drive 1 mount to /

drive 2 mount to /mnt/backup

 
Ok, well I gue= ss I have confused you enough.
 
Please forward= any ideas you may have on teh subject.
 
Thanks
 
D Muller
 


 
 


--_=_=_=IMA.BOUNDARY.HTML_4963392=_=_=_-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-hackers" in the body of the message