Dear all,
Please accept my apologies for not lurking. I got my first own server box in server-hosting last week, and I thought I configured it well, but it appears to be cracked already. :-( Well, I'm a real newbie, and so I'm having a steep learning curve. At least I can't remember installing gnutella on it, yet nmap says it runs there... So I'm seeking advice.

To address this first: It is the gnutella server that causes alarm, so is there anything I could have done that would install gnutella but escape my attention? I certainly never did apt-get install gnutella (I tried apt-get remove gnutella yesterday, with no effect). Is it likely that, if I don't know how it got there, it has been installed by a cracker? I've tried to telnet 217.77.32.186 6346 but get no connection.

The story is that I installed Woody on three boxes, two workstations and a server, starting at the beginning of May, using my old University network and installing most of it from network. I read most of "Securing Debian Manual". I disregarded most of the stuff that had to do with people having physical access to the box; that shouldn't represent a threat. I disabled everything that had to do with cleartext passwords. I must admit that I left fingerd, and that I export some NFS things. I have shadow passwords and MD5 passwords. I also have inetd. I didn't really understand that much of the PAM stuff, but there aren't going to be many users on this system, and all users will be able to perform the same tasks. I tried to set the suggested PermitRootLogin for ssh to no, but ssh gave me some message that I thought meant it didn't recognize it. Besides, updating stuff would be hard, so I have sshed to the root account many times. I compiled IPtables into the kernel, but I haven't read up on how to use it. I have also installed some of the harden packages.

Last night, I thought my system was running quite well, though I had noticed gnutella running. I figured it was time to run nessus, so I did.
It seems to report many holes, some holes that I guess would be exploitable. I put the report on <URL: http://www.astro.uio.no/~kjetikj/tmp/pooh-nessus-2002-22-05.html >. I first made sure these ~/.qpopper-options wouldn't be read, so that's taken care of. There are lots of complaints about OpenSSH there, and the SMTP server (Exim).

So, what to do about these things...? If it has been cracked, what should I do? I could run up to my hosts and have them turn it off, I guess. But then what? I have really no clue what happened, and while I could turn off some more services, it seems like the biggest security problems are with ssh and smtp, that is, OpenSSH and Exim, so would a clean reinstall help a lot?

Unfortunately, I can't report a break-in to the police. The computer crime police here in Norway has a political agenda I despise, and I don't want to give them any legitimacy.

Best,

Kjetil

--
Kjetil Kjernsmo                                 Problems worthy of attack
Recent astrophysics graduate              Prove their worth by hitting back
University of Oslo, Norway                                    - Piet Hein
E-mail: [EMAIL PROTECTED]
Homepage <URL:http://folk.uio.no/kjetikj/>
[EMAIL PROTECTED]
OpenPGP KeyID: 6A6A0BBC
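One way to answer the "how did it get there" question before powering the box off: find the process behind the unexplained listener on 6346, resolve its binary, and ask dpkg whether any package installed it. This is an added example, not code from the original post; it assumes a Linux host with /proc and dpkg, and the /proc/net/tcp snapshot below is constructed.

```python
import os
import subprocess

# Constructed /proc/net/tcp snapshot: an unexplained listener on 6346 (gnutella's
# port) owned by uid 1001, plus the expected smtp (25) and ssh (22) as root.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:18CA 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1001        0 20911 1 c0000000 300 0 0 2 -1
   1: 00000000:0019 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0  1540 1 c0000000 300 0 0 2 -1
   2: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0  1422 1 c0000000 300 0 0 2 -1
"""

LISTEN = "0A"  # TCP state code for LISTEN in /proc/net/tcp

def hex_addr(field):
    """'0100007F:18CA' -> ('127.0.0.1', 6346); the kernel stores the IP little-endian."""
    ip_hex, port_hex = field.split(":")
    ip = ".".join(str(b) for b in bytes.fromhex(ip_hex)[::-1])
    return ip, int(port_hex, 16)

def parse_listeners(proc_net_tcp_text):
    """Return [(port, ip, uid, inode)] for every socket in LISTEN state."""
    found = []
    for line in proc_net_tcp_text.splitlines()[1:]:   # skip the header row
        f = line.split()
        if len(f) < 10 or f[3] != LISTEN:
            continue
        ip, port = hex_addr(f[1])
        found.append((port, ip, int(f[7]), int(f[9])))
    return found

def pid_for_inode(inode):
    """Walk /proc/<pid>/fd to find the process holding socket:[inode]."""
    target = "socket:[%d]" % inode
    for pid in filter(str.isdigit, os.listdir("/proc")):
        fd_dir = "/proc/%s/fd" % pid
        try:
            for fd in os.listdir(fd_dir):
                if os.readlink(os.path.join(fd_dir, fd)) == target:
                    return int(pid)
        except OSError:      # not permitted, or the process already exited
            continue
    return None

def owning_package(path):
    """dpkg -S names the package that shipped the file, or None if no package did."""
    r = subprocess.run(["dpkg", "-S", path], capture_output=True, text=True)
    return r.stdout.split(":")[0] if r.returncode == 0 else None

def triage(port, proc_net_tcp_text=None):
    """Describe the listener on `port`: owner uid, pid, binary path and owning package."""
    text = proc_net_tcp_text or open("/proc/net/tcp").read()
    for p, ip, uid, inode in parse_listeners(text):
        if p != port:
            continue
        pid = pid_for_inode(inode)
        # A ' (deleted)' suffix on exe means the binary was removed after it started.
        exe = os.readlink("/proc/%d/exe" % pid) if pid else None
        return {"ip": ip, "uid": uid, "pid": pid, "exe": exe,
                "package": owning_package(exe) if exe else None}
    return None
```

Run as root, `triage(6346)` shows whether the listener's binary is package-owned; an unowned binary, an exe path marked deleted, or a listener under an unexpected uid is the kind of finding that argues for the clean reinstall you are considering.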