Date:      29 Jul 1998 21:38:30 +0200
From:      Benedikt Stockebrand <benedikt@devnull.ruhr.de>
To:        "Show Boat" <showboat@hotmail.com>
Cc:        security@FreeBSD.ORG
Subject:   Re: Post qpopper trauma
Message-ID:  <87g1fksb0p.fsf@devnull.ruhr.de>
In-Reply-To: "Show Boat"'s message of "Tue, 28 Jul 1998 14:11:24 PDT"
References:  <19980728211125.14099.qmail@hotmail.com>

"Show Boat" <showboat@hotmail.com> writes:

> I've looked through the 'last' log extensively.  Again, nothing I cannot 
> account for.  Anyone with potential root access (sudo) logged from an IP 
> I can account for.  

Are you sure that those machines haven't been hacked?


Aside from that, a couple additional suggestions:

- Use "netstat -a -n" to learn about services you don't expect.  And
  don't believe the service numbers in your /etc/services but look
  things up (maybe on an installation CD-ROM?).

- If you have a spare machine (any 386 with some disk space will do),
  make it a secured log host.  IOW, make it close all ports except
  syslog and read logs directly on the console.  And maybe hack up
  some tcpdump stuff on it to see about unexpected things going on.

- Use tripwire to check if any files have been modified.  This
  especially includes configuration files.

- Consider using RCS or CVS for managing your config files.  But keep
  the repositories out of everyone's reach.

- Install from scratch.

- When you restore the user home directories etc. check for suid/sgid
  files.

- Install packet filters wherever feasible.


So long,

    Ben

-- 
Ben(edikt)? Stockebrand    Un*x SA
My name and email address are not to be added to any list used for advertising
purposes.  Any sender of unsolicited advertisement e-mail to this address im-
plicitly agrees to pay a DM 500 fee to the recipient for proofreading services.
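Two of the checks above, the "netstat -a -n" comparison against a known list of expected services and the suid/sgid sweep over restored home directories, as an added shell example that is not part of Ben's message or of FreeBSD itself. The netstat output is a constructed sample in FreeBSD's layout, the allowlist of ports and the listener on port 8888 are assumed values for the demonstration, and the functions are hypothetical helpers, not existing tools.

```shell
#!/bin/sh
# Added example: two of the checks recommended in the post, written as
# shell functions so they can be run over live or saved command output.

# Constructed sample of FreeBSD-style "netstat -a -n" output.  Port 8888 is
# an assumed stand-in for a listener the administrator did not expect.
SAMPLE_NETSTAT='Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  *.22                   *.*                    LISTEN
tcp4       0      0  *.25                   *.*                    LISTEN
tcp4       0      0  *.110                  *.*                    LISTEN
tcp4       0      0  10.0.0.5.22            10.0.0.7.1044          ESTABLISHED
tcp4       0      0  *.8888                 *.*                    LISTEN
udp4       0      0  *.514                  *.*'

# unexpected_listeners "22 25 110 514" < netstat-output
# Prints "<proto> <port>" for every bound server socket whose port is not in
# the space-separated allowlist.  Ports are compared numerically, not by the
# names in /etc/services, since the post warns that file may have been edited.
# The port is the last dot-separated field of the local address, which covers
# both "*.22" and "10.0.0.5.22".
unexpected_listeners() {
    awk -v allow="$1" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        # TCP servers show LISTEN; bound UDP sockets have no state column
        /^tcp/ && $NF == "LISTEN" { report($1, $4) }
        /^udp/ && $5 == "*.*"      { report($1, $4) }
        function report(proto, local,   m, port) {
            m = split(local, f, ".")
            port = f[m]
            if (!(port in ok)) print proto, port
        }'
}

# find_setid_files /restored/home
# Lists regular files carrying the setuid or setgid bit, sorted for stable
# comparison against a previous run.  Run it over restored home directories
# before putting them back into service.
find_setid_files() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print | sort
}

# Stand-alone demo over the constructed sample.  On a live host the
# equivalent is:  netstat -a -n | unexpected_listeners "22 25 110 514"
printf '%s\n' "$SAMPLE_NETSTAT" | unexpected_listeners '22 25 110 514'
```

The allowlist should come from what the machine is supposed to run (the installed services you chose), not from anything read off the possibly compromised host; keep it on the log host or on paper, alongside the tripwire database.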

