LinuxQuestions.org
Visit Jeremy's Blog.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Reply
  Search this Thread
Old 03-20-2001, 05:01 PM   #1
bretthoward
Member
 
Registered: Mar 2001
Location: Klamath Falls
Posts: 62

Rep: Reputation: 15

Recently I got hacked by someone that really knew what they were doing. They got in via my BIND server but anything beyond that isn't there because the logs were all shut off. Now my logs will auto reload themselves if they are shut down.

I have closed down quite a few ports and now the system looks like this (when portsentry is not up):
Port State Service
22/tcp open ssh
25/tcp open smtp
80/tcp open http
110/tcp open pop-3
113/tcp open auth
139/tcp open netbios-ssn

Nmap can't tell what OS it is (linux 2.4.2).... Is the auth port really needed? I have shut it down by taking it out of inetd.conf and then restarting inetd and it goes away but even with it commented out of the inetd file it still loads after a hard reboot. Nothing seems to be broken when its not open....

Also I have started Portsentry again (although it was running on the system when it got hacked). But now if anything even tries to talk to the system on the FTP, Telnet, or DNS ports they are auto banned.

I reinstalled the system from scratch and only kept data files after the hack and I got rid of any and all user accouns that weren't being used regularly.

I also upgraded pretty much every program that I run on my system. From SMB to Apache to Pine... The only thing I haven't upgraded is Sendmail. (Is there a better product here?)

Another thing I did was Pine said that there was a vunerability with my mailboxes because they didnt have 1777 protection so I set all of them to 1777.

I don't have too much time to do major complicated enhancements being that I'm a dual major and in the middle of a school year but I think that this would be an interesting thread for a lot of people!

THANKYOU TO EVERY ONE FOR YOUR HINTS IN ADVANCE!

If there are any other somewhat easy things to set up that make it more difficult to get into a system please let me know!! Thanks!
 
Old 03-20-2001, 05:57 PM   #2
jeremy
root
 
Registered: Jun 2000
Distribution: Debian, Red Hat, Slackware, Fedora, Ubuntu
Posts: 13,002

Rep: Reputation: 3730Reputation: 3730Reputation: 3730Reputation: 3730Reputation: 3730Reputation: 3730Reputation: 3730Reputation: 3730Reputation: 3730Reputation: 3730Reputation: 3730
Ahh..Sorry to hear about the hack. I hope too much wasn't lost. Here are a few things you can do (some you have already done, BTW). Shuting off all unused services should always be the first step. Keeping everything up to date is a close second. Some other quick checks:

1) Do NOT use telnet use SSH.
2) If you check your mail using POP do not check it with a user that can log in (setting this up depends on your POP setup).
3) Portsentry is a OK, but you may want to look into snort also.
4) You may want to setup some kind of firewalling.
5) Use hosts.deny to only allow ssh and other services from servers that you use.
 
Old 03-20-2001, 06:10 PM   #3
bretthoward
Member
 
Registered: Mar 2001
Location: Klamath Falls
Posts: 62

Original Poster
Rep: Reputation: 15
At the moment I'm working on the firewall and I'll look into snort right after that... (good thing spring break is coming up!)
 
Old 03-20-2001, 06:15 PM   #4
bretthoward
Member
 
Registered: Mar 2001
Location: Klamath Falls
Posts: 62

Original Poster
Rep: Reputation: 15
Explain a bit more about the not having POP accounts that can login to the system... How do you setup users that need both? Do they need to have 2 accounts?
 
Old 03-20-2001, 07:15 PM   #5
jeremy
root
 
Registered: Jun 2000
Distribution: Debian, Red Hat, Slackware, Fedora, Ubuntu
Posts: 13,002

Rep: Reputation: 3730Reputation: 3730Reputation: 3730Reputation: 3730Reputation: 3730Reputation: 3730Reputation: 3730Reputation: 3730Reputation: 3730Reputation: 3730Reputation: 3730
What POP server do you use? You can usually set it up so that the POP server authenticates out of some kind of DB, so POP-only users do not need real accounts. You can then set it up so that mail that goes to your "real" account is forwarded to your POP only account.
 
Old 03-20-2001, 07:21 PM   #6
bretthoward
Member
 
Registered: Mar 2001
Location: Klamath Falls
Posts: 62

Original Poster
Rep: Reputation: 15
gnu-pop3d is the pop3 server that I'm using.... Kinda seems like a lot of work but I'll look into it.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
Easy urpmi ,no easy send mail. akihandyman Linux - General 2 12-27-2004 02:15 PM
Linux4RegularGuys - EASY FTP setup using vsftpd - READ THIS FOR EASY HELP DropHit Linux - Networking 4 11-25-2004 02:44 PM
Easy Install AND Security Updates pmconway Linux - Networking 3 10-04-2004 11:21 AM
Some easy questions about security in linux on the net J_angel2000 Linux - Security 3 02-28-2004 04:17 PM
Which distribution for easy security? lucifer_666 Linux - General 1 01-14-2004 08:28 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 01:24 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration