From owner-freebsd-security Wed Dec 13 8:32:53 2000
From owner-freebsd-security@FreeBSD.ORG Wed Dec 13 08:32:48 2000
Return-Path:
Delivered-To: freebsd-security@freebsd.org
Received: from flood.ping.uio.no (flood.ping.uio.no [129.240.78.31]) by hub.freebsd.org (Postfix) with ESMTP id C72DD37B400 for ; Wed, 13 Dec 2000 08:32:47 -0800 (PST)
Received: (from des@localhost) by flood.ping.uio.no (8.9.3/8.9.3) id RAA67233; Wed, 13 Dec 2000 17:32:35 +0100 (CET) (envelope-from des@ofug.org)
Sender: des@ofug.org
X-URL: http://www.ofug.org/~des/
X-Disclaimer: The views expressed in this message do not necessarily coincide with those of any organisation or company with which I am or have been affiliated.
To: Robert McCallum
Cc: misc@openbsd.org, freebsd-security@FreeBSD.ORG
Subject: Re: 911 lockdown!
References:
From: Dag-Erling Smorgrav
Date: 13 Dec 2000 17:32:35 +0100
In-Reply-To: Robert McCallum's message of "Wed, 13 Dec 2000 11:18:55 -0500 (EST)"
Message-ID:
Lines: 72
User-Agent: Gnus/5.0802 (Gnus v5.8.2) Emacs/20.4
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Robert McCallum writes:
> [...]

Ideally, you should reinstall the entire system from a trusted source
(preferably an original CD-ROM). That said, I'll give you a few hints
about your open ports:

> Port State Service
> 21/tcp open ftp

Only allow anonymous logins, if any (add the -A option to the ftpd line
in inetd.conf).

> 22/tcp open ssh

Edit /etc/ssh/sshd_config to specify which hosts are allowed to connect.

> 25/tcp open smtp

If you don't need it, set sendmail_flags to "-q30m" so it won't listen
for incoming connections but will still run the queue (so you can send
mail but not receive).

> 53/tcp open domain

Is this machine a name server? If it's not, disable named in
/etc/rc.conf. If you just want a caching nameserver, edit
/etc/namedb/named.conf and set listen-on to 127.0.0.1 - but if at all
possible, avoid doing even that.

> 80/tcp open http

Is this machine a web server?

> 110/tcp open pop-3

Wrap it, and make sure the pop server software is up-to-date; most pop
daemons are notoriously insecure.

> 111/tcp open sunrpc

You don't need this. Add portmap_enable="NO" to /etc/rc.conf.

> 143/tcp open imap2

Same comments as for pop3. If possible, use Cyrus; most other imap
servers are notoriously insecure.

> 587/tcp open submission

This is probably a back door the intruder left behind. Use sockstat(1)
to determine which process owns the socket, and kill it (and make sure
it doesn't restart when you reboot).

> 3306/tcp open mysql

Does that machine really need to run mysql? If yes, does it really need
to accept TCP connections? Refer to the mysql documentation for
information on how to prevent it from listening for TCP connections.

> 6000/tcp open X11

Why are you running X on a server? If you really must (you don't, but I
won't argue the case), edit whatever script you use to start X to add
the '-nolisten tcp' option to the server command line.

DES
--
Dag-Erling Smorgrav - des@ofug.org
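The hints above for ftpd, sendmail, named and portmap all come down to a handful of lines in three files. The script below is an added example, not code from DES's reply or from FreeBSD: a read-only audit that reads copies of rc.conf, inetd.conf and named.conf, prints each setting the reply calls weak next to the corrected one, and changes nothing. It runs against constructed sample files written by `write_samples` (the "before" state of the reply), but the audit functions take file paths and can be pointed at real files. The file formats assumed are the FreeBSD 4-era ones the reply refers to; `/etc/defaults/rc.conf` supplying a listening `-bd` default for an unset `sendmail_flags` is an assumption.

```sh
#!/bin/sh
# Added example (not part of the original post): read-only audit of the
# rc.conf / inetd.conf / named.conf settings discussed in DES's reply.
# Uses only sed, awk and grep; prints findings, modifies nothing.

# Effective value of an rc.conf variable (last assignment wins), with
# trailing comment and surrounding quotes stripped; empty when unset.
rc_value() {
    sed -n "s/^[[:space:]]*$2=\(.*\)\$/\1/p" "$1" | tail -n 1 \
        | sed 's/[[:space:]]*#.*$//; s/^"\(.*\)"$/\1/'
}

# rc.conf hints. WEAK = wrong per the post, CHECK = depends on the host's role.
audit_rcconf() {
    rc=$1
    pm=$(rc_value "$rc" portmap_enable)
    case "$pm" in
        [Nn][Oo]) ;;
        *) echo "WEAK rc.conf: portmap_enable=\"${pm:-unset}\" -> FIX portmap_enable=\"NO\"" ;;
    esac
    sm=$(rc_value "$rc" sendmail_enable)
    sf=$(rc_value "$rc" sendmail_flags)
    case "$sm" in
        [Nn][Oo]) ;;
        *) case "$sf" in
               # unset is assumed to fall back to a "-bd ..." default that listens
               *-bd*|"") echo "WEAK rc.conf: sendmail_flags=\"${sf:-unset}\" listens on 25/tcp -> FIX sendmail_flags=\"-q30m\"" ;;
           esac ;;
    esac
    nd=$(rc_value "$rc" named_enable)
    case "$nd" in
        [Yy][Ee][Ss]) echo "CHECK rc.conf: named_enable=\"YES\" -> is this a name server? If not, named_enable=\"NO\"" ;;
    esac
}

# inetd.conf: field 6 is the server program; the ftpd line should carry -A
# (anonymous logins only) among its arguments, per the post.
audit_inetd() {
    awk '
        /^[[:space:]]*#/ || NF < 6 { next }
        $6 ~ /(^|\/)ftpd$/ {
            anon = 0
            for (i = 7; i <= NF; i++) if ($i == "-A") anon = 1
            if (!anon) print "WEAK inetd.conf: \"" $0 "\" -> FIX append -A to the ftpd arguments"
        }' "$1"
}

# named.conf: a caching-only server should bind 127.0.0.1 only.
audit_named() {
    if ! grep -Eq 'listen-on[[:space:]]*\{[[:space:]]*127\.0\.0\.1[[:space:]]*;' "$1"; then
        echo "CHECK named.conf: no listen-on { 127.0.0.1; } -> if caching only, add it under options"
    fi
}

# Run all three audits over one directory of config copies.
audit_dir() {
    audit_rcconf "$1/rc.conf"
    audit_inetd "$1/inetd.conf"
    audit_named "$1/named.conf"
}

# Constructed sample files mirroring the "before" state in the post (not real files).
write_samples() {
    cat > "$1/rc.conf" <<'EOF'
# constructed sample rc.conf
sendmail_enable="YES"
sendmail_flags="-bd -q30m"   # -bd listens on 25/tcp
named_enable="YES"
#portmap_enable="NO"         # commented out, so the default applies
EOF
    cat > "$1/inetd.conf" <<'EOF'
# constructed sample inetd.conf
ftp     stream  tcp     nowait  root    /usr/libexec/ftpd       ftpd -l
#telnet stream  tcp     nowait  root    /usr/libexec/telnetd    telnetd
EOF
    cat > "$1/named.conf" <<'EOF'
// constructed sample named.conf
options {
        directory "/etc/namedb";
};
EOF
}

# Stand-alone run against the constructed samples.
tmp=$(mktemp -d) && write_samples "$tmp" && audit_dir "$tmp"
rm -rf "$tmp"
```

On the sample files this prints three WEAK lines (portmap, sendmail listening, ftpd without -A) and two CHECK lines (named enabled, no loopback-only listen-on); after the corrections from the reply are applied it prints nothing. The sshd, pop/imap, mysql and X11 hints are not covered because they live in per-service files or startup scripts that the post does not spell out.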