From owner-freebsd-security Wed Dec 13 8:14:41 2000 From owner-freebsd-security@FreeBSD.ORG Wed Dec 13 08:14:39 2000 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from www.freebsdbox.com (unknown [216.199.94.2]) by hub.freebsd.org (Postfix) with ESMTP id 6C01F37B400 for ; Wed, 13 Dec 2000 08:14:38 -0800 (PST) Received: from localhost (robert@localhost) by www.freebsdbox.com (8.11.1/8.11.1) with ESMTP id eBDGItl00559; Wed, 13 Dec 2000 11:18:56 -0500 (EST) (envelope-from robert@cards2talk.com) Date: Wed, 13 Dec 2000 11:18:55 -0500 (EST) From: Robert McCallum X-Sender: robert@www.freebsdbox.com To: misc@openbsd.org Cc: freebsd-security@freebsd.org Subject: 911 lockdown! Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org My DNS/MAIL/WEB server was hacked recently, I don't believe they 'rooted' the server 'yet'. But I do see that they have obtained access to a user account. It apears they cracked a users account which I found out that one of my users did not adhere to our security policy and set a password that was not in accordance to our password policy. I did find the crackers address, although he did attempt to clean-up after himself, he was not very good. The machines were up aprox. 1 month and are not behind a firewall as of yet. The delay of setting up a firewall ( which there is no excuse ) is due to the fact that we are moving to a new office and leasing bandwidth from a different service provider. Who is going to assign us a new block of IP's. Laziness is the cause of this break-in. I lack the hardware to setup a firewall/router at this time. the only thing I can do is firewall the server itself. I have already wrapped and disallowed access to many services from outside our subnet, but this does not seem to be sufficient since so ports are still open and can be accessed such as, X11 on 6000, SMTP 25, IMAP on 143, etc. I also noticed that on port 587 the service named 'submission' is open ... and when I telnet to it ... It starts a sendmail shell like port 25. Is this normal? I don't remember seeing this before. In conclusion, I need to setup a firewall on that particular host ASAP. I have read a lot of documentation on firewalls and internet security which I do understand. However, I am not exp. with IP FILTER or IPFW. I have one NIC in my box with that address of (example address)208.202.32.3 and have 2 other IP's binded to the same interface. (IP Aliasing) Being that time is of the essence here, I do not have the time to readup on firewall rules right now, I would be eternally grateful for some help with the rules I need in order to filter the following ports and close all others. Port State Service 21/tcp open ftp 22/tcp open ssh 25/tcp open smtp 53/tcp open domain 80/tcp open http 110/tcp open pop-3 111/tcp open sunrpc 143/tcp open imap2 587/tcp open submission 3306/tcp open mysql 6000/tcp open X11 ftp and ssh are wrapped (I know, not a good idea to wrap ssh.) In this case I had to. I am sure I can figure out how to setup IPFILTER as long as I have the correct rules. However it would be helpfule to have a very fast run down of the steps I need to take in order to get it running. thanks a lot for taking the time to read this... -robert please CC: me a copy of any replies. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message