Jayson Vantuyl wrote:
This has been a hit on about seven different machines with vastly
different configurations (some missing everything but SSH) and all
firewalled down to the minimum.
I did not reread the whole thread, so sorry if I'm asking silly
questions, but perhaps it's not a security issue but a policy issue:
- Have you ever checked your password policies? Are there weak passwords
around that the hacker might use to log in? Or has he/she managed to
get hold of a password in some way?
- Have all passwords of user accounts been changed since the break-ins?
- You say that you're running IMAP on the server. Can the IMAP users
log onto the machine, or are these accounts completely separated from the
system accounts? If not, it might be that the hacker is sniffing the
IMAP passwords and using them to log onto your machines.
And last but not least: Is the firewall separated from the servers or
running ON the servers? It's good advice to lock down the machines
locally using iptables, but I think that doesn't save you a dedicated
firewall. It might be a Debian GNU/Linux or BSD box, or even something
commercial.
Regards
Marcel
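The account checks Marcel asks about (who can actually log in, and whose password was not changed after the break-ins) can be scripted against /etc/passwd and /etc/shadow. The following is an added example and not code from the thread; the passwd/shadow contents and the incident date (INCIDENT_DAYS, in days since the epoch as the shadow file stores it) are constructed samples.

```shell
#!/bin/sh
# Audit helper (added example): flag accounts that have an interactive
# shell AND whose password was last changed before the incident date.

INCIDENT_DAYS=12000   # hypothetical: day number (since epoch) the break-ins began

# Constructed sample /etc/passwd content (field 7 = login shell)
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
mailonly:x:1001:1001:IMAP user:/var/mail/mailonly:/bin/sh
bob:x:1002:1002:Bob:/home/bob:/bin/false'

# Constructed sample /etc/shadow content (field 3 = days since epoch of last change)
SAMPLE_SHADOW='root:$6$xxx:11990:0:99999:7:::
alice:$6$xxx:12010:0:99999:7:::
mailonly:$6$xxx:11950:0:99999:7:::
bob:*:11000:0:99999:7:::'

# Users whose login shell is interactive (not nologin/false); an IMAP-only
# account showing up here is the separation problem the mail describes.
interactive_users() {
    printf '%s\n' "$1" | awk -F: '$7 !~ /(nologin|false)$/ {print $1}'
}

# Users with a real password hash (not locked with * or !) whose last
# password change predates the incident day number given as $2.
stale_passwords() {
    printf '%s\n' "$1" | awk -F: -v cut="$2" '$2 !~ /^[*!]/ && $3 < cut {print $1}'
}

# Intersection of the two: accounts that should be reset or locked first.
# Arguments: passwd content, shadow content, incident day number.
risky_accounts() {
    for u in $(interactive_users "$1"); do
        stale_passwords "$2" "$3" | grep -qx "$u" && echo "$u"
    done
}

risky_accounts "$SAMPLE_PASSWD" "$SAMPLE_SHADOW" "$INCIDENT_DAYS"
```

On a real host, replace the sample strings with `$(cat /etc/passwd)` and `$(cat /etc/shadow)` (the latter needs root) and set INCIDENT_DAYS from `date -d <incident date> +%s` divided by 86400.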