Date: Wed, 13 Dec 2000 11:28:31 -0500
From: mikel <mikel@ocsinternet.com>
To: Robert McCallum <robert@cards2talk.com>
Cc: misc@openbsd.org, freebsd-security@FreeBSD.ORG
Subject: Re: 911 lockdown!
Message-ID: <3A37A3AF.E2258877@ocsinternet.com>
References: <Pine.BSF.4.21.0012131048420.489-100000@www.freebsdbox.com>
Robert,

First things first: calm down. Now, do you have access to your router's config? If so, set up a few access lists and block everything you don't absolutely need. This is not a true firewall, but it will buy you some time to regroup. If you want more direct assistance, mail me directly and we'll chat...

Robert McCallum wrote:
> My DNS/MAIL/WEB server was hacked recently; I don't believe they 'rooted'
> the server 'yet'. But I do see that they have obtained access to a user
> account. It appears they cracked a user's account; I found out that one
> of my users did not adhere to our security policy and set a password that
> was not in accordance with our password policy.
>
> I did find the cracker's address; although he did attempt to clean up after
> himself, he was not very good.
>
> The machines were up approx. 1 month and are not behind a firewall as of
> yet. The delay in setting up a firewall (for which there is no excuse) is
> due to the fact that we are moving to a new office and leasing bandwidth
> from a different service provider, who is going to assign us a new block
> of IPs. Laziness is the cause of this break-in.
>
> I lack the hardware to set up a firewall/router at this time. The only
> thing I can do is firewall the server itself. I have already wrapped and
> disallowed access to many services from outside our subnet, but this does
> not seem to be sufficient since some ports are still open and can be
> accessed, such as X11 on 6000, SMTP on 25, IMAP on 143, etc. I also noticed
> that on port 587 the service named 'submission' is open ... and when I
> telnet to it ... it starts a sendmail shell like port 25. Is this
> normal? I don't remember seeing this before.
>
> In conclusion, I need to set up a firewall on that particular host ASAP. I
> have read a lot of documentation on firewalls and internet security, which
> I do understand. However, I am not exp. with IP FILTER or IPFW.
>
> I have one NIC in my box with the address (example address) 208.202.32.3
> and have 2 other IPs bound to the same interface (IP aliasing).
>
> Being that time is of the essence here, I do not have the time to read up
> on firewall rules right now. I would be eternally grateful for some help
> with the rules I need in order to filter the following ports and close all
> others.
>
> Port      State  Service
> 21/tcp    open   ftp
> 22/tcp    open   ssh
> 25/tcp    open   smtp
> 53/tcp    open   domain
> 80/tcp    open   http
> 110/tcp   open   pop-3
> 111/tcp   open   sunrpc
> 143/tcp   open   imap2
> 587/tcp   open   submission
> 3306/tcp  open   mysql
> 6000/tcp  open   X11
>
> ftp and ssh are wrapped (I know, not a good idea to wrap ssh). In this
> case I had to.
>
> I am sure I can figure out how to set up IPFILTER as long as I have the
> correct rules. However, it would be helpful to have a very fast rundown
> of the steps I need to take in order to get it running.
>
> thanks a lot for taking the time to read this...
>
> -robert
>
> please CC: me a copy of any replies.
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
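Robert asked for IP Filter or IPFW rules that leave the listed services reachable and close everything else on a one-NIC FreeBSD host carrying aliased addresses. The script below is an added example, not code from this thread or from either poster: a default-deny ipfw ruleset for that layout, written so that it prints the rules for review and only loads them when asked. The interface name fxp0, the two alias addresses 208.202.32.4/.5 and the trusted subnet 208.202.32.0/24 are assumptions; 208.202.32.3 is the example address from the post. It keeps ftp to the local subnet, drops sunrpc, mysql and X11 arriving from the wire, and treats 587 like 25 (submission is sendmail's message-submission port, RFC 2476).

```shell
#!/bin/sh
# Host-based default-deny ipfw ruleset for a single-NIC FreeBSD box with
# three aliased addresses. Added example; every value below is a placeholder
# to adjust, except 208.202.32.3, which is the example address from the post.
IF="fxp0"                                        # assumed NIC name
ADDRS="208.202.32.3 208.202.32.4 208.202.32.5"   # .4 and .5 are assumed aliases
LAN="208.202.32.0/24"                            # assumed "our subnet"

PUBLIC_TCP="22 25 53 80 110 143 587"   # reachable from anywhere
LAN_TCP="21"                           # reachable from the trusted subnet only
DROP_TCP="111 3306 6000"               # explicitly dropped and logged from outside
                                       # (the final deny would catch them anyway;
                                       # separate rules give per-port counters)

# Emit the ruleset as ipfw commands, one per line, flush first so that the
# whole load happens in one step (an empty default-deny ruleset locks you out).
gen_rules() {
    echo "ipfw -f flush"
    # Loopback traffic is fine; anything claiming 127/8 on the wire is not.
    echo "ipfw add 100 allow ip from any to any via lo0"
    echo "ipfw add 200 deny ip from any to 127.0.0.0/8"
    echo "ipfw add 300 deny ip from 127.0.0.0/8 to any"
    # Anti-spoof: packets from our own addresses must never arrive inbound.
    for a in $ADDRS; do
        echo "ipfw add 400 deny ip from $a to any in via $IF"
    done
    # Let packets belonging to established dynamic sessions through.
    echo "ipfw add 500 check-state"
    for a in $ADDRS; do
        # Publicly offered TCP services: match only the SYN, then track state.
        for p in $PUBLIC_TCP; do
            echo "ipfw add 1000 allow tcp from any to $a $p in via $IF setup keep-state"
        done
        # DNS queries over UDP; keep-state lets the reply out.
        echo "ipfw add 1100 allow udp from any to $a 53 in via $IF keep-state"
        # Subnet-only services (ftp here).
        for p in $LAN_TCP; do
            echo "ipfw add 1200 allow tcp from $LAN to $a $p in via $IF setup keep-state"
        done
        # Noisy drops for the ports that should never be reachable from outside.
        # 'log' needs IPFIREWALL_VERBOSE (or net.inet.ip.fw.verbose=1).
        for p in $DROP_TCP; do
            echo "ipfw add 1300 deny log tcp from any to $a $p in via $IF"
        done
        # Outbound connections the host itself makes (mail relay, DNS lookups).
        echo "ipfw add 2000 allow tcp from $a to any out via $IF setup keep-state"
        echo "ipfw add 2100 allow udp from $a to any out via $IF keep-state"
    done
    # Echo reply/request, destination unreachable, time exceeded.
    echo "ipfw add 3000 allow icmp from any to any icmptypes 0,3,8,11"
    # Explicit catch-all so the policy does not depend on the kernel default.
    echo "ipfw add 65000 deny log ip from any to any"
}

# No argument: print the rules for review. "apply": load them in one go.
if [ "${1:-}" = "apply" ]; then
    gen_rules | sh
else
    gen_rules
fi
```

Run it with no argument first and read the output; `sh ipfw-host.sh apply` loads it. The kernel needs `options IPFIREWALL` (or the ipfw module loaded) for any of this to take effect, and since loading ipfw with its built-in default-deny on a remote box cuts you off, do the flush and the adds in the same script invocation as above, ideally from the console or with a second session open. The filter buys time; it does not tell you what the cracked account was used for, so the host still needs that review.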