LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Old 03-20-2001, 05:01 PM   #1
bretthoward
Member
 
Registered: Mar 2001
Location: Klamath Falls
Posts: 62

Rep: Reputation: 15

Recently I got hacked by someone that really knew what they were doing. They got in via my BIND server but anything beyond that isn't there because the logs were all shut off. Now my logs will auto reload themselves if they are shut down.

I have closed down quite a few ports and now the system looks like this (when portsentry is not up):
Port State Service
22/tcp open ssh
25/tcp open smtp
80/tcp open http
110/tcp open pop-3
113/tcp open auth
139/tcp open netbios-ssn

Nmap can't tell what OS it is (Linux 2.4.2).... Is the auth port really needed? I have shut it down by taking it out of inetd.conf and then restarting inetd and it goes away, but even with it commented out of the inetd file it still loads after a hard reboot. Nothing seems to be broken when it's not open....

Also I have started Portsentry again (although it was running on the system when it got hacked). But now if anything even tries to talk to the system on the FTP, Telnet, or DNS ports they are auto banned.

I reinstalled the system from scratch and only kept data files after the hack, and I got rid of any and all user accounts that weren't being used regularly.

I also upgraded pretty much every program that I run on my system. From SMB to Apache to Pine... The only thing I haven't upgraded is Sendmail. (Is there a better product here?)

Another thing I did: Pine said that there was a vulnerability with my mailboxes because they didn't have 1777 protection, so I set all of them to 1777.

I don't have too much time to do major complicated enhancements being that I'm a dual major and in the middle of a school year but I think that this would be an interesting thread for a lot of people!

THANK YOU TO EVERYONE FOR YOUR HINTS IN ADVANCE!

If there are any other somewhat easy things to set up that make it more difficult to get into a system please let me know!! Thanks!
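Two of the things in this post are checkable with a few lines of shell: which entries inetd will really start after the edit, and what the 1777 change did to the mailboxes. The script below is an added example for this thread, not the poster's or LQ's code. Its inetd.conf is a constructed sample, and the /etc/inetd.conf and /var/spool/mail defaults are assumptions about a typical Linux box of that era. Pine's 1777 warning is about the spool directory (sticky and world-writable so mail readers can create lock files); the mailbox files inside it should stay owner-only (0600, or 0660 with group mail), so the audit flags any spool file that "other" can read or write.

```shell
#!/bin/sh
# Added example (not from the thread): audit which services inetd still starts
# and whether mail spool files are readable/writable by "other".
# Every function takes a path so it can be run against a copy of the real files.

# Write a constructed inetd.conf (not the poster's file). Only pop-3 and auth are
# live; ftp and telnet are commented out, the way the poster described.
write_sample_inetd_conf() {
    cat > "$1" <<'EOF'
# constructed sample inetd.conf (not the poster's file)
#ftp     stream  tcp  nowait  root    /usr/sbin/tcpd   in.ftpd -l -a
#telnet  stream  tcp  nowait  root    /usr/sbin/tcpd   in.telnetd
pop-3    stream  tcp  nowait  root    /usr/sbin/tcpd   in.pop3d
auth     stream  tcp  wait    identd  /usr/sbin/identd identd -i
EOF
}

# List the entries inetd would actually start, as "service proto program".
# Blank lines and lines whose first non-blank character is '#' are skipped;
# inetd.conf fields are: service socket-type proto wait/nowait user program [args].
inetd_active_services() {
    awk '!/^[[:space:]]*(#|$)/ { print $1, $3, $6 }' "${1:-/etc/inetd.conf}"
}

# Exit 0 if service $1 is still enabled in the given inetd.conf, else 1.
inetd_service_enabled() {
    inetd_active_services "${2:-/etc/inetd.conf}" |
        awk -v s="$1" '$1 == s { found = 1 } END { exit !found }'
}

# Print "path mode" for every regular file in the spool that "other" can read
# or write. Group access is not flagged because 0660 with group mail is normal.
mailspool_exposed() {
    spool="${1:-/var/spool/mail}"
    for f in "$spool"/*; do
        [ -f "$f" ] || continue
        mode=$(ls -ld "$f" | cut -c1-10)             # e.g. -rw-rw-rw-
        case "$(printf '%s' "$mode" | cut -c8-10)" in
            ---) ;;                                   # no "other" access: fine
            *)   echo "$f $mode" ;;
        esac
    done
}

# Stand-alone run against the live system; skipped where the files are absent.
if [ -f /etc/inetd.conf ]; then inetd_active_services /etc/inetd.conf; fi
if [ -d /var/spool/mail ]; then mailspool_exposed /var/spool/mail; fi
```

If auth (113/tcp) is still listening after the inetd.conf entry is commented out, something other than inetd owns the socket; on Linux `netstat -tlnp` shows the owning process, and a standalone identd started from the rc scripts is the usual explanation. If the port is closed by packet filtering rather than by stopping the daemon, reject rather than silently drop: some remote SMTP servers do an ident lookup on incoming connections and stall until the probe times out.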
 
Old 03-20-2001, 05:57 PM   #2
jeremy
root
 
Registered: Jun 2000
Distribution: Debian, Red Hat, Slackware, Fedora, Ubuntu
Posts: 13,600

Rep: Reputation: 4083
Ahh.. Sorry to hear about the hack. I hope too much wasn't lost. Here are a few things you can do (some you have already done, BTW). Shutting off all unused services should always be the first step. Keeping everything up to date is a close second. Some other quick checks:

1) Do NOT use telnet, use SSH.
2) If you check your mail using POP do not check it with a user that can log in (setting this up depends on your POP setup).
3) Portsentry is OK, but you may want to look into snort also.
4) You may want to set up some kind of firewalling.
5) Use hosts.deny to only allow ssh and other services from servers that you use.
 
Old 03-20-2001, 06:10 PM   #3
bretthoward
Member
 
Registered: Mar 2001
Location: Klamath Falls
Posts: 62

Original Poster
Rep: Reputation: 15
At the moment I'm working on the firewall and I'll look into snort right after that... (good thing spring break is coming up!)
 
Old 03-20-2001, 06:15 PM   #4
bretthoward
Member
 
Registered: Mar 2001
Location: Klamath Falls
Posts: 62

Original Poster
Rep: Reputation: 15
Explain a bit more about not having POP accounts that can log in to the system... How do you set up users that need both? Do they need to have 2 accounts?
 
Old 03-20-2001, 07:15 PM   #5
jeremy
root
 
Registered: Jun 2000
Distribution: Debian, Red Hat, Slackware, Fedora, Ubuntu
Posts: 13,600

Rep: Reputation: 4083
What POP server do you use? You can usually set it up so that the POP server authenticates out of some kind of DB, so POP-only users do not need real accounts. You can then set it up so that mail that goes to your "real" account is forwarded to your POP-only account.
 
Old 03-20-2001, 07:21 PM   #6
bretthoward
Member
 
Registered: Mar 2001
Location: Klamath Falls
Posts: 62

Original Poster
Rep: Reputation: 15
gnu-pop3d is the pop3 server that I'm using.... Kinda seems like a lot of work but I'll look into it.
 