Date: Mon, 22 Jun 2009 08:59:52 -0400
From: Bill Moran <wmoran@potentialtech.com>
To: prad <prad@towardsfreedom.com>
Cc: freebsd-questions@freebsd.org
Subject: Re: backdoor threat
Message-ID: <20090622085952.9ef38eab.wmoran@potentialtech.com>
In-Reply-To: <20090619183535.006433d1@gom>
References: <20090619111234.6883afd2@gom> <20090619143935.6c28be98.wmoran@potentialtech.com> <20090619183535.006433d1@gom>
In response to prad <prad@towardsfreedom.com>:

> > Sure, there's 1000000000 things. Start by running an nmap scan from a
> > different computer and see what ports are open. Investigate each
> > program listening on those ports to ensure it's properly secured.
>
> ok this is really neat!
> we did the scan and found what the open ports are.
> so the first one we changed was the ssh.
> then a friend said he assigns ports that are not used in /etc/services,
> so i presume this means for instance if we change the http port, we'll
> have to tell our http server to do business on that port?

Moving programs to different ports is not a viable security technique. It
really only slows down a potential attacker a little bit. My point in
suggesting the port scan was for _you_ to know, conclusively, what programs
are potential attack vectors.

Moving your web server to a different port will make it difficult for people
you _want_ to use it to find it. And it won't make it significantly more
difficult for attackers.

> is this what you mean by ensuring that the program listening on a port
> is properly secured? or is there something else?

Every program has its own list of steps to secure it. Once you know what
programs need to be secured, you can then address each one individually.

For example, it seems you've already taken reasonable steps with sshd, by
disabling password login and only using keys. You can go a few steps further
by ensuring that the only accounts that can log in are those that you want to
have access, and then installing a program that automatically blocks IPs that
have too many failed login attempts.

With all programs, you want to make sure that you've got the latest versions
that have all known bugs patched.

With apache, you should disable modules that you aren't using, and ensure that
any interpreters (such as PHP) are limited to only the functionality that is
needed.

It's also good general practice to configure a packet filter (such as pf or
ipfw) that only allows traffic that you know is good. That way, if someone
manages to install a trojan, it's neutered because it can't communicate back
to its control site.

> > Making secure web forms is too complex to discuss in a single email.
>
> ok we'll look into this further. we really don't have too many web
> forms and the forum software we use is punbb which i think they
> (rickard et al) take good care of.

Again, make sure you keep this software up to date, so you have the latest
bug fixes. Installing portaudit and making sure you get the nightly emails
from it is a good idea.

-- 
Bill Moran
http://www.potentialtech.com
http://people.collaborativefusion.com/~wmoran/
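The packet-filter advice above (only allow traffic you know is good, so a planted trojan cannot phone home) is the part most people get half right: they filter inbound and leave outbound wide open. The ruleset below is an added illustration for this archive page, not something Bill posted, showing pf with default deny in both directions for a box that exposes only ssh and http, as in the thread. The interface name em0, the resolver address 192.0.2.53 and the choice of outbound services are assumptions for the example; substitute your own.

```pf
# /etc/pf.conf  (example ruleset added to this page; not from the original mail)
#
# Assumptions not stated in the thread: external interface em0, one DNS
# resolver at 192.0.2.53 (a documentation address standing in for yours),
# and the host only offers ssh and http to the outside.

ext_if      = "em0"
dns_servers = "{ 192.0.2.53 }"
tcp_services = "{ ssh, http }"

# Addresses that hammer sshd get parked here and dropped below.
table <bruteforce> persist

set skip on lo0
set block-policy drop

# Drop packets with spoofed / unroutable source addresses early.
antispoof quick for $ext_if

# Default deny, inbound AND outbound. The outbound half is what keeps a
# trojan from reaching its control site; logging it also makes such an
# attempt visible in pflog.
block log all

# Anything already caught by the rate limiter is refused outright.
block in quick on $ext_if from <bruteforce>

# Inbound: only the services we deliberately expose. More than 5 new
# connections in 30 seconds from one source puts it in <bruteforce>.
pass in on $ext_if proto tcp to ($ext_if) port $tcp_services flags S/SA \
    keep state (max-src-conn-rate 5/30, overload <bruteforce> flush global)

# Outbound: only what the box legitimately needs.
pass out on $ext_if proto udp to $dns_servers port domain keep state
pass out on $ext_if proto tcp to $dns_servers port domain flags S/SA keep state
pass out on $ext_if proto udp to any port ntp keep state
# Fetching ports/packages and portaudit's vulnerability database uses HTTP(S);
# restrict "any" to your mirror's address if it is fixed.
pass out on $ext_if proto tcp to any port { http, https } flags S/SA keep state
# Only needed if periodic(8) mail, including the portaudit report, leaves
# the machine over SMTP rather than being delivered locally.
pass out on $ext_if proto tcp to any port smtp flags S/SA keep state
# Outgoing ping for diagnostics.
pass out on $ext_if inet proto icmp icmp-type echoreq keep state
```

Load it with `pfctl -nf /etc/pf.conf` first (syntax check only), then `pfctl -f /etc/pf.conf`, and do it from the console or with a fallback at hand, since a mistake in the ssh rule locks you out. Two caveats on what this example does and does not cover: the `max-src-conn-rate` overload counts new TCP connections, not failed logins, so it complements rather than replaces the log-watching blocker Bill mentions; and a trojan that tunnels over port 80 or 443 still gets out through the HTTP(S) rule, which is why narrowing that rule to a known mirror, or proxying those fetches, is worth the trouble.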