Date: Tue, 19 Dec 2000 14:00:32 -0600 (CST)
From: Guy Helmer <ghelmer@palisadesys.com>
To: admin <admin@pacex.net>
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Securing FreeBSD against hacking
Message-ID: <Pine.LNX.4.21.0012191349360.739-100000@magellan.palisadesys.com>
In-Reply-To: <000e01c069e8$d30dccc0$f46fbdd1@pacex.net>
On Tue, 19 Dec 2000, admin wrote:

> I am running a FreeBSD 4.2-STABLE (recently upgraded machines) for web
> (Apache-1.39), mail (Qmail-1.03, sendmail-8.11.1). I have recently seen
> some activities on the web server that make me very nervous (I know I
> am being very general) but my concern is:
>
> 1. How do I set up a dedicated machine to collect data and connection
> attempts to my machines?

I'd suggest building a FreeBSD 4-stable machine with SNORT installed and
all the network services turned off. Get the current SNORT rulelist from
www.snort.org, and configure SNORT to use the current rulelist. Hook this
machine up to the same network segment and see if SNORT finds anything
unusual.

> 2. How to implement a notification system to alert when critical
> files on the server have been tampered with?

Someone else suggested that you install and use tripwire on your server
machine, which is a great idea if you know that machine is clean.

> 3. How to find out if my machines are REALLY CLEAN (some sort of
> software auditing to determine if what is already in the machines is a
> good benchmark for future security audits)?

Use mtree(8) to check the md5 hashes of your system's binaries against
the original 4.2 release (I haven't tried it, but I believe you can run
"mtree -K md5digest" and compare the results against the *.mtree files in
the release).

To make sure the machine is REALLY CLEAN, back up the data, wipe the
disks, reinstall, and reload the data...

Guy

--
Guy Helmer, Ph.D.  Sr. Software Engineer, Palisade Systems ---
ghelmer@palisadesys.com  http://www.palisadesys.com/~ghelmer
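The approach Guy describes for question 3, a baseline of file hashes that is later compared against the running system (whether via `mtree -K md5digest` against the release `*.mtree` files or via a tripwire database), is shown below as an added Python example. It is not part of the original thread and not FreeBSD's mtree; it uses SHA-256 from `hashlib` instead of mtree's MD5 key, and the directory tree and the tampering in `demo()` are constructed here purely for illustration.

```python
# Added example (not from the original post): a minimal baseline-and-compare
# file integrity check in the spirit of "mtree -K md5digest" or tripwire.
# SHA-256 replaces the MD5 key; the tree walked by demo() is constructed.
import hashlib
import os
import stat
import tempfile
from pathlib import Path

HASH = "sha256"


def file_record(path: Path) -> dict:
    """Attributes worth comparing for one entry: type, mode bits, size, digest."""
    st = path.lstat()
    rec = {
        "type": "link" if stat.S_ISLNK(st.st_mode) else "file",
        "mode": stat.S_IMODE(st.st_mode),
        "size": st.st_size,
    }
    if rec["type"] == "link":
        rec["target"] = os.readlink(path)
    else:
        h = hashlib.new(HASH)
        with path.open("rb") as f:
            for chunk in iter(lambda: f.read(65536), b""):
                h.update(chunk)
        rec["digest"] = h.hexdigest()
    return rec


def build_baseline(root) -> dict:
    """Walk root and record every regular file and symlink, keyed by relative path."""
    root = Path(root)
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.is_symlink() or p.is_file():
                baseline[str(p.relative_to(root))] = file_record(p)
    return baseline


def compare(baseline: dict, current: dict) -> dict:
    """Report paths that appeared, vanished, or whose recorded attributes differ."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = {}
    for rel in sorted(set(baseline) & set(current)):
        old, new = baseline[rel], current[rel]
        diffs = {k: (old.get(k), new.get(k))
                 for k in set(old) | set(new) if old.get(k) != new.get(k)}
        if diffs:
            changed[rel] = diffs
    return {"added": added, "removed": removed, "changed": changed}


def check_tree(root, baseline: dict) -> dict:
    """Re-scan root and diff it against a previously saved baseline."""
    return compare(baseline, build_baseline(root))


def demo() -> dict:
    """Constructed scenario: baseline a fake bin/ directory, then alter it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "ls").write_bytes(b"#!/bin/sh\nexec /bin/ls \"$@\"\n")
        (root / "bin" / "ps").write_bytes(b"original ps binary\n")
        for name in ("ls", "ps"):
            (root / "bin" / name).chmod(0o755)
        baseline = build_baseline(root)

        # Alterations: ps replaced by content of the SAME length (size alone
        # would not notice), ls removed, and a new setuid file dropped in.
        (root / "bin" / "ps").write_bytes(b"trojaned ps binary\n")
        (root / "bin" / "ls").unlink()
        (root / "bin" / "helper").write_bytes(b"#!/bin/sh\n")
        (root / "bin" / "helper").chmod(0o4755)
        return check_tree(root, baseline)


if __name__ == "__main__":
    import json
    print(json.dumps(demo(), indent=2))
```

The same-length replacement in `demo()` is why the digest, not size or timestamp, is the attribute that matters. As with Guy's point about tripwire, the report is only as good as the baseline: record it from known-good media and keep it (and the checker) somewhere the host being checked cannot rewrite.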