Date: Wed, 3 Jan 2001 06:08:59 -0000
From: "Jason Halbert" <res02jw5@gte.net>
To: "David Kelly" <dkelly@hiwaay.net>
Cc: <questions@FreeBSD.ORG>
Subject: Re: Security Problem
Message-ID: <003b01c0754b$aa4d17f0$17622104@next>
References: <200101030333.f033Xup03770@grumpy.dyndns.org>
The evidence suggests "David Kelly" wrote:

> "Jason Halbert" writes:
> > Is there a way to block an entire host (e.g. *.gtei.net) or a block of
> > IPs (e.g. 4.33.*)? Or is there a way to say that only a certain
> > domain or block of IPs can access my system?
>
> See ipfw(8). And the examples in /etc/rc.firewall. You can block an
> address, or range of addresses. But you can't block by symbolic domain
> name.
>
> > Also, is there a way to block the use of "adduser" or "vipw" or even
> > looking at /etc/master.passwd without being the specific user "root"?
> > Whereas you must be root and not "su" or any other user to see and/or
> > use those commands.
> >
> > I hope that makes sense.
>
> Sort of. Read the man page for su, specifically the difference between
> the -m and -l versions. FreeBSD defaults with a shell alias for su of
> "su -m". If a user is able to su to root, then that user is able to do
> a full login to root where both user-id and effective-user-id are root.
>
> If you are having problems as you seem to be suggesting, then it's likely
> you have been root-kit'ed and nothing on your machine can be trusted.
> Am saying it's not just the su utility which is a problem. It's time for
> a backup, wipe, and re-install from known clean media such as the WC
> distribution CDROM. Then audit everything which goes back on the system
> from the backup tape. Don't restore anything root would use, use only
> new clean copies.
>
> Later you can compare the old and new files to determine the extent of
> the problem.
>
> Tripwire (/usr/ports/security/tripwire*) and mtree (/usr/sbin/mtree) are
> helpful in such situations, but only if applied before the event, not
> after.

Is it possible to chmod certain directories such as /etc and /usr/sbin so that no one but root may read, write and execute and not cause any problems? If a person doesn't have permission to the dir then afaics they shouldn't be able to mess with anything.

*slightly paranoid now* I plan to re-install from ftp.

---
Jason
jason@jason-n3xt.org
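The thread's advice about Tripwire and mtree rests on one idea: record what every file looked like (mode, owner, size, content hash) while the system is known good, then diff the live system against that record later, so a replaced binary, a newly dropped file or a changed setuid bit stands out. The script below is an added illustration of that baseline-and-verify loop in the spirit of mtree(8); it is not code from the thread or from either tool, and the directory names and file contents in `demo()` are constructed for the example. It uses only the Python standard library.

```python
"""Minimal file-integrity baseline and verification (mtree/Tripwire style).

Added example, not from the mailing-list thread. Records mode, uid, size and
SHA-256 for every regular file under a root, stores the manifest as JSON, and
reports added, removed and changed files on a later run. As the thread notes,
this only helps if the baseline was taken before the compromise.
"""
import hashlib
import json
import os
import stat
import tempfile
from typing import Dict, Tuple

# One manifest entry: (permission bits, owner uid, size in bytes, sha256 hex)
Entry = Tuple[int, int, int, str]


def _sha256(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: str) -> Dict[str, Entry]:
    """Walk root and record each regular file, keyed by path relative to root."""
    manifest: Dict[str, Entry] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)  # lstat: do not follow symlinks
            if not stat.S_ISREG(st.st_mode):
                continue  # symlinks, devices and sockets are out of scope here
            rel = os.path.relpath(path, root)
            manifest[rel] = (stat.S_IMODE(st.st_mode), st.st_uid, st.st_size, _sha256(path))
    return manifest


def save_manifest(manifest: Dict[str, Entry], path: str) -> None:
    """Persist the baseline; keep this copy on read-only or offline media."""
    with open(path, "w") as fh:
        json.dump(manifest, fh, indent=1, sort_keys=True)


def load_manifest(path: str) -> Dict[str, Entry]:
    with open(path) as fh:
        raw = json.load(fh)
    return {k: tuple(v) for k, v in raw.items()}  # JSON lists back to tuples


def compare(baseline: Dict[str, Entry], current: Dict[str, Entry]) -> Dict[str, list]:
    """Report files that appeared, vanished, or whose mode/owner/size/hash differ."""
    common = baseline.keys() & current.keys()
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "changed": sorted(p for p in common if baseline[p] != current[p]),
    }


def _write(root: str, rel: str, data: bytes) -> None:
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(data)


def demo() -> Dict[str, list]:
    """Build a constructed tree, baseline it, tamper with it, and diff."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "sbin/ls", b"original ls\n")
        _write(root, "sbin/su", b"original su\n")
        _write(root, "passwd", b"root:*:0:0::/root:/bin/sh\n")
        baseline_file = os.path.join(root, "..", "baseline.json")
        save_manifest(build_manifest(root), baseline_file)

        # Simulated changes after the baseline was taken:
        _write(root, "sbin/su", b"replaced su\n")          # content swapped
        os.chmod(os.path.join(root, "sbin/ls"), 0o4755)      # setuid bit added, same bytes
        _write(root, "sbin/extra", b"unexpected file\n")     # new file
        os.remove(os.path.join(root, "passwd"))              # file gone

        result = compare(load_manifest(baseline_file), build_manifest(root))
        os.remove(baseline_file)
        return result


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

The mode bits are part of the entry on purpose: `sbin/ls` is flagged even though its bytes are unchanged, which is the kind of silent setuid change a plain content checksum would miss.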
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?003b01c0754b$aa4d17f0$17622104>