Date: Tue, 4 Aug 1998 04:45:00 +0200 (CEST)
From: Sascha Schumann
To: Frank Griffith
cc: freebsd-questions@FreeBSD.ORG
Subject: Re: Security
In-Reply-To: <001801bdbf32$6b8cc6e0$0200a8c0@fast1.dfw.com>

On Mon, 3 Aug 1998, Frank Griffith wrote:

> I have FreeBSD 2.2.6 running and I connect to the Internet
> using a dynamic connection. For kicks, I run Apache 1.3.0
> web server on this same unit. It appears that while I've been
> testing my server, some bozo came in and used sendmail
> to send some rough and threatening e-mail to someone. My
> ISP even cancelled my account until I proved I had nothing
> to do with it.
>
> If someone came in, unauthorized that is, and used
> my mail server to send mail, which log file would show me
> this intrusion? How can I prevent this from happening again?

/var/log/maillog and the headers of the emails.

You can prevent this and other attacks by setting up a simple firewall
on your system.
There are some examples provided in /etc/rc.firewall, so the easiest
thing to get a quick and dirty protection:

o recompile the kernel with options IPFIREWALL and IPDIVERT
o enable the firewall and set the type to simple or client in
  /etc/rc.conf
o edit /etc/rc.firewall and look/create the setup which suits your
  needs

I didn't use it myself up to now, so the above is probably incomplete. ;)

Greetz,
Sascha
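
Added example, not part of the original message: one way to look for third-party relaying in /var/log/maillog is to pair each message's "from=" and "to=" entries by queue ID and flag mail that arrived from a remote host and left again by SMTP. The log lines are constructed in sendmail 8.x syslog style, and the function name, hosts and addresses are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in sendmail 8.x syslog style; hosts and addresses are made up.
SAMPLE_MAILLOG = """\
Aug  3 17:40:02 myhost sendmail[301]: RAA00301: from=frank, size=512, class=0, pri=30512, nrcpts=1, msgid=<199808032240.RAA00301@myhost.example>, relay=frank@localhost
Aug  3 17:40:05 myhost sendmail[303]: RAA00301: to=<friend@example.org>, delay=00:00:03, mailer=esmtp, relay=mx.example.org. [198.51.100.25], stat=Sent (OK)
Aug  3 17:55:10 myhost sendmail[350]: RAA00350: from=<list@example.com>, size=2048, class=0, pri=32048, nrcpts=1, msgid=<abc@example.com>, proto=ESMTP, relay=mail.example.com [203.0.113.5]
Aug  3 17:55:11 myhost sendmail[351]: RAA00350: to=<frank@myhost.example>, delay=00:00:01, mailer=local, stat=Sent
Aug  3 18:02:11 myhost sendmail[412]: SAA00412: from=<nobody@example.net>, size=1204, class=0, pri=31204, nrcpts=1, msgid=<xyz@example.net>, proto=SMTP, relay=dialup7.example.net [192.0.2.77]
Aug  3 18:02:14 myhost sendmail[414]: SAA00412: to=<victim@example.org>, delay=00:00:03, mailer=esmtp, relay=mx.example.org. [198.51.100.25], stat=Sent (OK)
"""

# "sendmail[pid]: QUEUEID: key=value, key=value, ..."
LINE_RE = re.compile(r"sendmail\[\d+\]: (\w+): (.*)")
# A value runs up to the next ", key=" or the end of the line.
FIELD_RE = re.compile(r"(\w+)=(.*?)(?:, (?=\w+=)|$)")


def find_relayed(log_text):
    """Return messages that came from a remote host and left again by SMTP."""
    msgs = defaultdict(lambda: {"sender": None, "origin": None, "outbound": []})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        qid, fields = m.group(1), dict(FIELD_RE.findall(m.group(2)))
        if "from" in fields:
            # Receipt entry: relay= names the host that handed us the message.
            msgs[qid]["sender"] = fields["from"]
            msgs[qid]["origin"] = fields.get("relay", "")
        elif "to" in fields and fields.get("mailer") != "local":
            # Delivery entry that was not a local mailbox delivery.
            msgs[qid]["outbound"].append(fields["to"])
    hits = []
    for qid, msg in msgs.items():
        origin = msg["origin"]
        remote = origin is not None and not any(
            s in origin for s in ("localhost", "127.0.0.1"))
        if remote and msg["outbound"]:
            hits.append((qid, msg["sender"], origin, msg["outbound"]))
    return hits


if __name__ == "__main__":
    for qid, sender, origin, rcpts in find_relayed(SAMPLE_MAILLOG):
        print(f"{qid}: {sender} via {origin} -> {', '.join(rcpts)}")
```

The origin recorded for a flagged queue ID is the connecting host and address to compare against the Received: headers of the message in question.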