Date: 29 Jul 1998 21:38:30 +0200
From: Benedikt Stockebrand <benedikt@devnull.ruhr.de>
To: "Show Boat" <showboat@hotmail.com>
Cc: security@FreeBSD.ORG
Subject: Re: Post qpopper trauma
Message-ID: <87g1fksb0p.fsf@devnull.ruhr.de>
In-Reply-To: "Show Boat"'s message of "Tue, 28 Jul 1998 14:11:24 PDT"
References: <19980728211125.14099.qmail@hotmail.com>
"Show Boat" <showboat@hotmail.com> writes:
> I've looked through the 'last' log extensively. Again, nothing I cannot
> account for. Anyone with potential root access (sudo) logged from an IP
> I can account for.
Are you sure that those machines haven't been hacked?
Aside from that, a couple additional suggestions:
- Use "netstat -a -n" to learn about services you don't expect. And
don't believe the service numbers in your /etc/services but look
things up (maybe on an installation CD-ROM?).
- If you have a spare machine (any 386 with some disk space will do),
make it a secured log host. IOW, make it close all ports except
syslog and read logs directly on the console. And maybe hack up
some tcpdump stuff on it to see about unexpected things going on.
- Use tripwire to check if any files have been modified. This
especially includes configuration files.
- Consider using RCS or CVS for managing your config files. But keep
the repositories out of everyone's reach.
- Install from scratch.
- When you restore the user home directories etc. check for suid/sgid
files.
- Install packet filters wherever feasible.
So long,
Ben
--
Ben(edikt)? Stockebrand Un*x SA
My name and email address are not to be added to any list used for advertising
purposes. Any sender of unsolicited advertisement e-mail to this address im-
plicitly agrees to pay a DM 500 fee to the recipient for proofreading services.
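Two of the checks from the list above (a tripwire-style baseline of config files, and a scan of restored home directories for suid/sgid files) written out as a POSIX sh example added here; this is not code from Ben's mail. The directories passed in and the baseline file path are assumptions, and hash_file prefers GNU sha256sum but falls back to FreeBSD's sha256 -q.

```shell
#!/bin/sh
# Added example, not part of the original message. Directory and baseline
# arguments are whatever the operator chooses (assumptions).

# Hash helper: GNU coreutils sha256sum if present, else FreeBSD's sha256 -q.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        sha256 -q "$1"
    fi
}

# Record a baseline of every regular file under $1 into $2 as "path<TAB>hash".
# Take it from a known-good state (e.g. right after installing from scratch)
# and store it somewhere the host itself cannot reach, like the log host.
make_baseline() {
    find "$1" -type f | sort | while read -r f; do
        printf '%s\t%s\n' "$f" "$(hash_file "$f")"
    done > "$2"
}

# Re-hash the tree under $1 and compare it with baseline $2.
# Prints every changed, new or removed entry; returns 0 if nothing differs.
check_baseline() {
    tmp=$(mktemp) || return 2
    make_baseline "$1" "$tmp"
    if diff "$2" "$tmp" >/dev/null 2>&1; then
        rc=0
    else
        rc=1
        # Lines present in only one of the two listings.
        diff "$2" "$tmp" | sed -n 's/^[<>] //p'
    fi
    rm -f "$tmp"
    return $rc
}

# List files under $1 that carry the setuid or setgid bit. A restored
# home directory should normally contain none of these.
find_suid_sgid() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null
}
```

Typical use is `make_baseline /etc /var/baseline/etc.sha256` once, then `check_baseline /etc /var/baseline/etc.sha256` from cron, and `find_suid_sgid /home` after restoring user data.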
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?87g1fksb0p.fsf>
