From owner-freebsd-security@FreeBSD.ORG Tue Jan 27 12:29:09 2004 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id BF54E16A4CE for ; Tue, 27 Jan 2004 12:29:09 -0800 (PST) Received: from monkeytest.eng.utah.edu (mailhub.eng.utah.edu [155.99.222.32]) by mx1.FreeBSD.org (Postfix) with ESMTP id 793D043D7B for ; Tue, 27 Jan 2004 12:28:23 -0800 (PST) (envelope-from ogden@navi.eng.utah.edu) Received: from navi.eng.utah.edu (navi.eng.utah.edu [155.99.222.27]) i0RKS3BW015620; Tue, 27 Jan 2004 13:28:03 -0700 (MST) Received: from navi.eng.utah.edu (localhost.localdomain [127.0.0.1]) by navi.eng.utah.edu (8.12.8/8.12.8) with ESMTP id i0RKS2MV019292; Tue, 27 Jan 2004 13:28:02 -0700 Received: (from ogden@localhost) by navi.eng.utah.edu (8.12.8/8.12.8/Submit) id i0RKS2nP019290; Tue, 27 Jan 2004 13:28:02 -0700 Date: Tue, 27 Jan 2004 13:28:02 -0700 From: Mark Ogden To: Peter Rosa Message-ID: <20040127202802.GA19276@navi.eng.utah.edu> References: <003001c3e4f4$dbba7910$3501a8c0@peter> <20040127165741.GA1700@sheol.localdomain> <002801c3e513$774a4040$3501a8c0@peter> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <002801c3e513$774a4040$3501a8c0@peter> User-Agent: Mutt/1.4.1i cc: freebsd-security@freebsd.org Subject: Re: Possible compromise ? X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 27 Jan 2004 20:29:09 -0000 Peter Rosa on Tue, Jan 27, 2004 at 09:23:45PM +0100 wrote: > OK, sorry for unclear previous message. > > In the past, one man teached me the FreeBSD basics and also installed my > gateway. In that time, I was not able to install and setup FreeBSD by > myself. He left there some holes - e.g. open virtual consoles, unset > firewall, etc. As the time went, I learned a lot about Unixes and FreeBSD > and I tried to setup my own firewall, install and setup some programs (with > big help of this and Questions lists, manpages and other books). > > When I tried to setup more security on that system, except other things, I > disabled all virtual tty's, because there is no need to connect to this > machine remotelly (it's located 5 steps from my desk). In the past, that man > connected to my system remotely from various IPs. > > Now, when I cat /var/log/lastlog, in the very bottom of the file, I can read > some connects from remote machines to ttyp0 and ttyp1. take a look at the /var/log/auth.log, it will show you everyone that remote connected and was denied. -Mark >It's impossible for > me to retrieve connection dates from that file. Of course, I read man last, > man wtmp, etc., but there is nothing about /var/log/lastlog file. > > May be, that lines was added in the deep past, when the machine was open. > But may be, it was done in few previous days... > > I know, if my machine was compromised, it is impossible to believe in > anything on that machine (also kernel, sources). So, are there some other > ways to get information about connection dates? > > Peter Rosa > > _______________________________________________ > freebsd-security@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-security > To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"