From owner-freebsd-security Wed Dec 13 8:29:36 2000
From owner-freebsd-security@FreeBSD.ORG Wed Dec 13 08:29:33 2000
Return-Path:
Delivered-To: freebsd-security@freebsd.org
Received: from apollo.ocsny.com (apollo.ocsny.com [204.107.76.2]) by hub.freebsd.org (Postfix) with ESMTP id 2F20437B402 for ; Wed, 13 Dec 2000 08:29:33 -0800 (PST)
Received: from ocsinternet.com (fw234.ocsny.com [204.107.76.234]) by apollo.ocsny.com (8.9.2/8.9.3) with ESMTP id LAA01868; Wed, 13 Dec 2000 11:29:53 -0500 (EST)
Message-ID: <3A37A3AF.E2258877@ocsinternet.com>
Date: Wed, 13 Dec 2000 11:28:31 -0500
From: mikel
X-Mailer: Mozilla 4.73 [en] (Windows NT 5.0; I)
X-Accept-Language: en
MIME-Version: 1.0
To: Robert McCallum
Cc: misc@openbsd.org, freebsd-security@FreeBSD.ORG
Subject: Re: 911 lockdown!
References:
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Robert,

First things first: calm down. Now, do you have access to your router's config? If so, set up a few access lists and block everything you don't absolutely need. This is not a true fw, but it will buy you some time while you regroup.

If you want more direct assistance, mail me directly and we'll chat...

Robert McCallum wrote:

> My DNS/MAIL/WEB server was hacked recently. I don't believe they 'rooted'
> the server 'yet', but I do see that they have obtained access to a user
> account. It appears they cracked a user's account; I found out that one
> of my users did not adhere to our security policy and set a password that
> was not in accordance with our password policy.
>
> I did find the cracker's address; although he did attempt to clean up after
> himself, he was not very good.
>
> The machines were up approx. 1 month and are not behind a firewall as of
> yet. The delay in setting up a firewall (for which there is no excuse) is
> due to the fact that we are moving to a new office and leasing bandwidth
> from a different service provider, who is going to assign us a new block
> of IPs. Laziness is the cause of this break-in.
>
> I lack the hardware to set up a firewall/router at this time. The only
> thing I can do is firewall the server itself. I have already wrapped and
> disallowed access to many services from outside our subnet, but this does
> not seem to be sufficient, since some ports are still open and can be
> accessed, such as X11 on 6000, SMTP on 25, IMAP on 143, etc. I also noticed
> that on port 587 the service named 'submission' is open ... and when I
> telnet to it ... it starts a sendmail shell like port 25. Is this
> normal? I don't remember seeing this before.
>
> In conclusion, I need to set up a firewall on that particular host ASAP. I
> have read a lot of documentation on firewalls and internet security, which
> I do understand. However, I am not exp. with IP FILTER or IPFW.
>
> I have one NIC in my box with the address of (example address) 208.202.32.3
> and have 2 other IPs bound to the same interface (IP aliasing).
>
> Being that time is of the essence here, I do not have the time to read up
> on firewall rules right now. I would be eternally grateful for some help
> with the rules I need in order to filter the following ports and close all
> others.
>
> Port      State  Service
> 21/tcp    open   ftp
> 22/tcp    open   ssh
> 25/tcp    open   smtp
> 53/tcp    open   domain
> 80/tcp    open   http
> 110/tcp   open   pop-3
> 111/tcp   open   sunrpc
> 143/tcp   open   imap2
> 587/tcp   open   submission
> 3306/tcp  open   mysql
> 6000/tcp  open   X11
>
> ftp and ssh are wrapped (I know, not a good idea to wrap ssh). In this
> case I had to.
>
> I am sure I can figure out how to set up IPFILTER as long as I have the
> correct rules. However, it would be helpful to have a very fast rundown
> of the steps I need to take in order to get it running.
>
> Thanks a lot for taking the time to read this...
>
> -robert
>
> Please CC: me a copy of any replies.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
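Neither poster supplies the host ruleset Robert asks for, so here is one as an added example; it is not part of the original thread or of FreeBSD. It generates an IPFilter ruleset for a single-NIC host exposing the services in his nmap listing. Assumptions that are mine, not the mail's: the external interface is called xl0, the trusted subnet is 208.202.32.0/24 (taken from his example address), and the split between public services (ssh, smtp, dns, http, pop3, imap, submission), subnet-only services (ftp, sunrpc, mysql) and services that should never be reachable from the wire (X11) is an editorial choice. Because the rules match `to any`, the two aliased addresses on the interface are covered without per-alias rules.

```shell
#!/bin/sh
# gen-ipf.sh: emit an IPFilter (ipf) ruleset for a single-homed server.
# Added example, not from the original mail. Edit the three values below.
EXT_IF="xl0"                       # assumption: external NIC name
LOCAL_NET="208.202.32.0/24"        # assumption: trusted subnet (Robert's example prefix)
# Services reachable from anywhere. 587/tcp is sendmail's message submission
# port (RFC 2476); sendmail 8.10 and later listens on it by default, so treat
# it like 25 rather than as a sign of compromise.
PUBLIC_TCP="22 25 53 80 110 143 587"
PUBLIC_UDP="53"
# Services only the local subnet may reach.
LOCAL_TCP="21 111 3306"
LOCAL_UDP="111"
# Services never reachable from the wire (X11 should not listen on TCP anyway).
CLOSED_TCP="6000"

# Print the complete ruleset. ipf is last-match unless a rule says "quick",
# so the two default blocks come first and every specific rule is "quick".
ipf_rules() {
    cat <<EOF
# default policy: log and drop anything not explicitly passed below
block in log all
block out log all
# loopback is unrestricted
pass in quick on lo0 all
pass out quick on lo0 all
# drop TCP fragments too short to carry a header, and packets with IP options
block in quick on $EXT_IF proto tcp all with short
block in quick on $EXT_IF all with ipopts
# traffic this host initiates; keep state so the replies are admitted
pass out quick on $EXT_IF proto tcp all flags S keep state
pass out quick on $EXT_IF proto udp all keep state
pass out quick on $EXT_IF proto icmp all keep state
EOF
    # Closed ports answer with a RST so remote scanners see "closed", not "filtered".
    for p in $CLOSED_TCP; do
        echo "block return-rst in log quick on $EXT_IF proto tcp from any to any port = $p"
    done
    for p in $LOCAL_TCP; do
        echo "pass in quick on $EXT_IF proto tcp from $LOCAL_NET to any port = $p flags S keep state"
    done
    for p in $LOCAL_UDP; do
        echo "pass in quick on $EXT_IF proto udp from $LOCAL_NET to any port = $p keep state"
    done
    # "flags S" matches only the SYN of a new connection; keep state then
    # admits the rest of that connection without further rules.
    for p in $PUBLIC_TCP; do
        echo "pass in quick on $EXT_IF proto tcp from any to any port = $p flags S keep state"
    done
    for p in $PUBLIC_UDP; do
        echo "pass in quick on $EXT_IF proto udp from any to any port = $p keep state"
    done
}

# Sanity helper: how many generated rules match a grep pattern.
count_rules() {
    ipf_rules | grep -c -- "$1"
}

ipf_rules
```

To install on FreeBSD of that era: `sh gen-ipf.sh > /etc/ipf.rules`, `kldload ipl` (or build the kernel with `options IPFILTER`), then `ipf -Fa -f /etc/ipf.rules`; make it persistent with `ipfilter_enable="YES"` and `ipfilter_rules="/etc/ipf.rules"` in /etc/rc.conf on releases whose rc.conf(5) has those knobs, otherwise run the two commands from rc.local. Two caveats a practitioner would want. First, load the rules from the console, not over ssh: an ssh session that is already open has no state-table entry, its packets are not SYNs, and they will fall through to `block in log all`. If console access is impossible, schedule an escape hatch such as `echo 'ipf -Fa' | at now + 10 minutes` before loading, and cancel it once you have confirmed you can reconnect. Second, TCP wrappers do not close a port; the kernel completes the handshake before tcpd decides anything, which is exactly why Robert's wrapped ftp and ssh still show `open` in nmap. The packet filter is what makes a port disappear from a scan, and the `block return-rst` rule above is what makes it show as `closed`.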