Date: 29 Jul 1998 21:38:30 +0200
From: Benedikt Stockebrand <benedikt@devnull.ruhr.de>
To: "Show Boat" <showboat@hotmail.com>
Cc: security@FreeBSD.ORG
Subject: Re: Post qpopper trauma
Message-ID: <87g1fksb0p.fsf@devnull.ruhr.de>
In-Reply-To: "Show Boat"'s message of "Tue, 28 Jul 1998 14:11:24 PDT"
References: <19980728211125.14099.qmail@hotmail.com>
"Show Boat" <showboat@hotmail.com> writes:

> I've looked through the 'last' log extensively. Again, nothing I cannot
> account for. Anyone with potential root access (sudo) logged from an IP
> I can account for.

Are you sure that those machines haven't been hacked?

Aside from that, a couple of additional suggestions:

- Use "netstat -a -n" to learn about services you don't expect. And don't
  believe the service numbers in your /etc/services but look things up
  (maybe on an installation CD-ROM?).

- If you have a spare machine (any 386 with some disk space will do),
  make it a secured log host. IOW, make it close all ports except syslog
  and read logs directly on the console. And maybe hack up some tcpdump
  stuff on it to see about unexpected things going on.

- Use tripwire to check if any files have been modified. This especially
  includes configuration files.

- Consider using RCS or CVS for managing your config files. But keep the
  repositories out of everyone's reach.

- Install from scratch.

- When you restore the user home directories etc., check for suid/sgid
  files.

- Install packet filters wherever feasible.

So long,

    Ben

-- 
Ben(edikt)? Stockebrand                                          Un*x SA
My name and email address are not to be added to any list used for
advertising purposes. Any sender of unsolicited advertisement e-mail to
this address implicitly agrees to pay a DM 500 fee to the recipient for
proofreading services.
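An added example for the suid/sgid check Ben recommends above (this is not part of his mail or of FreeBSD): a POSIX shell helper that lists setuid/setgid files under a restored tree and reports any that were not in a previously saved, sorted baseline list, in the spirit of the tripwire comparison. It assumes only POSIX find(1), sort(1) and comm(1).

```shell
#!/bin/sh
# Added example, not from the original mail: audit a restored directory
# tree for setuid/setgid files and compare against a saved baseline.
# Assumes POSIX find(1), sort(1) and comm(1).

# Print every regular file under $1 with the setuid (4000) or setgid
# (2000) bit set, one path per line. Output is sorted with LC_ALL=C so
# it is stable and can be fed to comm(1) or stored as a baseline.
find_suid_sgid() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print | LC_ALL=C sort
}

# Print paths that are setuid/setgid now but do not appear in the
# baseline file $2 (which must be a sorted list as produced above).
# comm -13 suppresses lines only in the baseline and lines in both,
# leaving only the newcomers, i.e. what a restore or intruder added.
new_suid_sgid() {
    find_suid_sgid "$1" | LC_ALL=C comm -13 "$2" -
}
```

Save the output of `find_suid_sgid` from a known-clean install as the baseline, then run `new_suid_sgid` over restored home directories before putting them back into service.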