From owner-freebsd-stable  Thu Dec 27 19: 4:59 2001
Delivered-To: freebsd-stable@freebsd.org
Received: from pr0n.kutulu.org (pr0n.kutulu.org [151.196.107.157])
	by hub.freebsd.org (Postfix) with ESMTP id 75AAD37B419
	for <stable@FreeBSD.ORG>; Thu, 27 Dec 2001 19:04:44 -0800 (PST)
Received: from cc191573g (cc191573-g.longhill1.md.home.com [24.37.104.136])
	by pr0n.kutulu.org (Postfix) with SMTP
	id 443D8E2; Thu, 27 Dec 2001 22:06:33 -0500 (EST)
Message-ID: <00da01c18f64$635e98d0$88682518@cc191573g>
From: "Kutulu" <kutulu@kutulu.org>
To: "Peter Ong" <peter@haloflightleader.net>, <stable@FreeBSD.ORG>
References: <013a01c18f48$f156cf20$0101a8c0@haloflightleader.net> <00be01c18f62$d67b5b20$88682518@cc191573g> <016001c18f4a$da2fc480$0101a8c0@haloflightleader.net>
Subject: Re: Trying NT Hacks
Date: Thu, 27 Dec 2001 21:56:26 -0800
MIME-Version: 1.0
Content-Type: text/plain;
	charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
Sender: owner-freebsd-stable@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-stable.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20freebsd-stable>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20freebsd-stable>
X-Loop: FreeBSD.ORG

From: "Peter Ong" <peter@haloflightleader.net>
Sent: Thursday, December 27, 2001 6:53 PM


> I guess I'm judging too quickly.  Anyway, there hasn't been a successful
> break in just yet.  Now I'm wondering if there's some extra precautions I
> can take to ensure that a break in doesn't occur.

You already took the really important one: you didn't run IIS :)

On a serious note, though, portscanning entire chunks of the IP space is an
extremely common tactic for kiddies trying to locate exploitable systems.  A
nice firewall that drops packets (on ports you don't need, obviously) helps,
but when you need port 80 open for legitimate anonymous access, there's not
a lot you can do.  Keep your installed apps up to date (portupgrade and
cvsup are godsends here) and keep up with CERT (www.cert.org) and related
security sites.  If you have the space CPU/disk, run something like snort
(/usr/ports/security/snort) to keep an eye on suspicious activity, and in
many cases, drop traffic with suspicious content beyond what an IP filter
can do.  Run as little as possible on your public servers, and especially be
careful giving user accounts on public machines, as local users greatly
increat\se the security risks.

--K


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-stable" in the body of the message