Recently I got hacked by someone who really knew what they were doing. They got in via my BIND server, but anything beyond that isn't there because the logs were all shut off. Now my logs will auto-reload themselves if they are shut down.
I have closed down quite a few ports, and now the system looks like this (when portsentry is not up):
Port State Service
22/tcp open ssh
25/tcp open smtp
80/tcp open http
110/tcp open pop-3
113/tcp open auth
139/tcp open netbios-ssn
Nmap can't tell what OS it is (Linux 2.4.2). Is the auth port really needed? I have shut it down by taking it out of inetd.conf and then restarting inetd, and it goes away, but even with it commented out of the inetd file it still loads after a hard reboot. Nothing seems to be broken when it's not open.
Also, I have started Portsentry again (although it was running on the system when it got hacked). Now if anything even tries to talk to the system on the FTP, Telnet, or DNS ports, it is auto-banned.
I reinstalled the system from scratch after the hack and only kept data files, and I got rid of any and all user accounts that weren't being used regularly.
I also upgraded pretty much every program that I run on my system, from SMB to Apache to Pine. The only thing I haven't upgraded is Sendmail. (Is there a better product here?)
Another thing I did: Pine said there was a vulnerability with my mailboxes because they didn't have 1777 protection, so I set all of them to 1777.
I don't have too much time to do major complicated enhancements, being that I'm a dual major and in the middle of a school year, but I think this would be an interesting thread for a lot of people!
THANK YOU TO EVERYONE FOR YOUR HINTS IN ADVANCE!
If there are any other somewhat easy things to set up that make it more difficult to get into a system, please let me know! Thanks!
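Two of the checks the post circles around (which services inetd will actually start from inetd.conf, and which open ports in an nmap listing are not on the list of services you meant to expose) can be scripted. The following is an added example, not code from the original post; the inetd.conf contents, the nmap output and the allowlist of expected ports are constructed samples, and the function names are my own.

```sh
#!/bin/sh
# Added example: audit inetd.conf entries and compare nmap's open-port list
# against an allowlist. Everything below is constructed sample data.

# Constructed sample inetd.conf: ftp and telnet commented out, pop-3 and
# auth (identd) still enabled, plus a second, disabled auth line.
SAMPLE_INETD_CONF='# /etc/inetd.conf -- constructed sample
#ftp     stream  tcp     nowait  root    /usr/sbin/tcpd  in.ftpd
#telnet  stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd
pop-3   stream  tcp     nowait  root    /usr/sbin/tcpd  ipop3d
auth    stream  tcp     nowait  nobody  /usr/sbin/in.identd in.identd -l -e -o
#auth    stream  tcp     nowait  nobody  /usr/sbin/in.identd in.identd'

# Constructed nmap-style listing (same ports as in the post).
SAMPLE_NMAP_OUTPUT='Port State Service
22/tcp open ssh
25/tcp open smtp
80/tcp open http
110/tcp open pop-3
113/tcp open auth
139/tcp open netbios-ssn'

# Constructed allowlist: the ports you intend to leave reachable.
EXPECTED_PORTS="22/tcp 25/tcp 80/tcp 110/tcp"

# inetd_enabled_services CONF_TEXT
# Print one service name per line for every inetd.conf entry that is not
# blank and not commented out (inetd ignores lines whose first non-blank
# character is '#'). The service name is the first field of the line.
inetd_enabled_services() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*#/ { next }   # comment line: inetd will not start it
        NF         { print $1 }'
}

# inetd_service_enabled CONF_TEXT NAME
# Exit 0 if NAME is an enabled inetd service, 1 otherwise.
inetd_service_enabled() {
    inetd_enabled_services "$1" | grep -qx "$2"
}

# unexpected_open_ports NMAP_TEXT ALLOWLIST
# Print every "port/proto" that nmap reports as open and that is not in
# the space-separated ALLOWLIST. The header line has no "open" field and
# is skipped naturally.
unexpected_open_ports() {
    printf '%s\n' "$1" | awk -v allow=" $2 " '
        $2 == "open" && index(allow, " " $1 " ") == 0 { print $1 }'
}

# Stand-alone demo.
echo "inetd will start:"
inetd_enabled_services "$SAMPLE_INETD_CONF" | sed 's/^/  /'
if inetd_service_enabled "$SAMPLE_INETD_CONF" auth; then
    echo "auth (identd) is still enabled in inetd.conf"
fi
echo "open ports not on the allowlist:"
unexpected_open_ports "$SAMPLE_NMAP_OUTPUT" "$EXPECTED_PORTS" | sed 's/^/  /'
```

On a live box you would feed the functions the real files, for example `inetd_enabled_services "$(cat /etc/inetd.conf)"` and a saved `nmap` run. If a port still shows up as open after its inetd.conf line is commented out, something other than inetd owns the socket; on Linux, `netstat -lnp` run as root shows which process is listening on it, and that process's startup script is the one to disable.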