From: Bill Moran <wmoran@potentialtech.com>
To: prad
Cc: freebsd-questions@freebsd.org
Date: Mon, 22 Jun 2009 08:59:52 -0400
Subject: Re: backdoor threat
Message-Id: <20090622085952.9ef38eab.wmoran@potentialtech.com>
In-Reply-To: <20090619183535.006433d1@gom>

In response to prad:

> > Sure, there's 1000000000 things. Start by running a nmap scan from a
> > different computer and see what ports are open. Investigate each
> > program listening on those ports to ensure it's properly secured.
>
> ok this is really neat!
> we did the scan and found what the open ports are.
> so the first one we changed was the ssh.
> then a friend said he assigns ports that are not used in /etc/services,
> so i presume this means for instance if we change the http port, we'll
> have to tell our http server to do business on that port?

Moving programs to different ports is not a viable security technique. It really only slows down a potential attacker a little bit. My point in suggesting the port scan was for _you_ to know, conclusively, what programs are potential attack vectors.

Moving your web server to a different port will make it difficult for people you _want_ to use it to find it. And it won't make it significantly more difficult for attackers.

> is this what you mean by ensuring that the program listening on a port
> is properly secured? or is there something else?

Every program has its own list of steps to secure it. Once you know what programs need to be secured, you can then address each one individually.

For example, it seems you've already taken reasonable steps with sshd, by disabling password login and only using keys. You can go a few steps further by ensuring that the only accounts that can login are those that you want to have access, and then installing a program that automatically blocks IPs that have too many failed login attempts.

With all programs, you want to make sure that you've got the latest versions that have all known bugs patched.

With apache, you should disable modules that you aren't using, and ensure that any interpreters (such as PHP) are limited to only the functionality that is needed.

It's also good general practice to configure a packet filter (such as pf or ipfw) that only allows traffic that you know is good. That way, if someone manages to install a trojan, it's neutered because it can't communicate back to its control site.

> > Making secure web forms is too complex to discuss in a single email.
>
> ok we'll look into this further.
> we really don't have too many web forms and the forum software we use
> is punbb which i think they (rickard et al) take good care of.

Again, make sure you keep this software up to date, so you have the latest bug fixes. Installing portaudit and making sure you get the nightly emails from it is a good idea.

-- 
Bill Moran
http://www.potentialtech.com
http://people.collaborativefusion.com/~wmoran/
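The sshd hardening Bill describes (passwords off, keys only, and an explicit list of accounts that may log in) is easy to state and easy to get subtly wrong, for instance by leaving the setting commented out so the OpenSSH default stays in force. The script below is an added example, not part of the mailing-list post or of any FreeBSD tool; it reads an `sshd_config` the way sshd does (first uncommented occurrence of a keyword wins, keywords are case-insensitive) and reports which of those settings are missing. The two sample configs it writes are constructed for the demonstration; the file names and the `check_sshd_config`/`sshd_value` helper names are this example's own.

```sh
#!/bin/sh
# Added example (not from the thread): audit an sshd_config for the points
# raised in the reply: no password logins, key auth left on, no direct root
# login, and an explicit AllowUsers/AllowGroups list.
# Exit status of check_sshd_config is the number of findings (0 = clean).
# Only the "Keyword value" form is parsed; Match blocks are not evaluated.

# Effective value of a keyword: first uncommented match wins, as in sshd.
sshd_value() {
    # $1 = keyword, $2 = config file
    awk -v key="$1" '
        $0 !~ /^[[:space:]]*#/ && tolower($1) == tolower(key) { print $2; exit }
    ' "$2"
}

check_sshd_config() {
    cfg="$1"
    findings=0

    # OpenSSH defaults PasswordAuthentication to yes; it must be set off explicitly.
    if [ "$(sshd_value PasswordAuthentication "$cfg")" != "no" ]; then
        echo "FINDING: PasswordAuthentication is not set to 'no'"
        findings=$((findings + 1))
    fi

    # Keyboard-interactive (PAM) can still prompt for a password unless disabled too.
    if [ "$(sshd_value ChallengeResponseAuthentication "$cfg")" != "no" ]; then
        echo "FINDING: ChallengeResponseAuthentication is not set to 'no'"
        findings=$((findings + 1))
    fi

    # Key auth defaults to yes; only flag it if someone turned it off.
    v=$(sshd_value PubkeyAuthentication "$cfg")
    if [ -n "$v" ] && [ "$v" != "yes" ]; then
        echo "FINDING: PubkeyAuthentication is disabled"
        findings=$((findings + 1))
    fi

    # Administer through a named account rather than logging in as root.
    if [ "$(sshd_value PermitRootLogin "$cfg")" != "no" ]; then
        echo "FINDING: PermitRootLogin is not set to 'no'"
        findings=$((findings + 1))
    fi

    # "only the accounts that you want to have access": some allow-list must exist.
    if [ -z "$(sshd_value AllowUsers "$cfg")" ] && [ -z "$(sshd_value AllowGroups "$cfg")" ]; then
        echo "FINDING: no AllowUsers/AllowGroups restriction"
        findings=$((findings + 1))
    fi

    echo "$findings finding(s) in $cfg"
    return "$findings"
}

# Constructed sample configs so the check can be exercised offline.
write_samples() {
    dir="$1"
    cat > "$dir/hardened.conf" <<'EOF'
# constructed: sshd_config after the steps discussed in the thread
Port 2222
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
AllowUsers admin deploy
EOF
    cat > "$dir/default.conf" <<'EOF'
# constructed: stock-looking config, hardening lines still commented out
#PermitRootLogin no
#PasswordAuthentication yes
Subsystem sftp /usr/libexec/sftp-server
EOF
}

# Demo run: the hardened file is clean, the stock one produces four findings.
demo_dir=$(mktemp -d)
write_samples "$demo_dir"
check_sshd_config "$demo_dir/hardened.conf"
check_sshd_config "$demo_dir/default.conf" || true
```

Run it against the live file with `check_sshd_config /etc/ssh/sshd_config` after sourcing the script; a non-zero exit status makes it usable from a periodic job alongside the portaudit mail the reply recommends.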