I found the address of someone that was running some services they
shouldn't have tried to run. Not only did my mail server get hacked but
an attempt was made on my primary DNS server as well. I found an IP that
repeatedly tried using telnet and finger as well as ftp. How do I find
who owns it? Tried an nslookup with no luck. Tried a ping with no luck.
Traceroute turns up a bunch of other IP addresses in that subnet with no
domain name. Any ideas?

TIA
jeff

-----Original Message-----
From:   Jeff Hogg [SMTP:[EMAIL PROTECTED]]
Sent:   Wednesday, December 08, 1999 1:53 PM
To:     [EMAIL PROTECTED]
Subject:        Re: Got hacked, need to make sure it doesn't happen again


-----Original Message-----
From: Jeff Graves <[EMAIL PROTECTED]>
To: '[EMAIL PROTECTED]' <[EMAIL PROTECTED]>
Date: Wednesday, December 08, 1999 12:31 PM
Subject: Got hacked, need to make sure it doesn't happen again


>My mail server got hacked last night. I guess I was asking for it though. I
>didn't really do any security checks or close any ports. In fact I just
>installed everything and left everything open. At any rate, I came in this
>morning and everything wasn't working. I had to reinstall and set up
>sendmail and the pop3 service all over again. And add all the users. It
>took about 3 hours. I was just wondering if anyone can tell me what logs I
>should monitor all the time and what I need to shut off. I reinstalled the
>server using the bare minimum. It has sendmail, the linux kernel, apache,
>some ftp services, and a couple of other things. Other than that, it's
>empty. I needed apache because I want to run some sort of Internet front
>end for my users so they can check their mail. Anyway, I have a few books
>I'm tearing apart doing everything I can but I figured first-hand tech
>knowledge is probably the best advice. Any help?


That had to hurt.. I'm about to open my own site here, and I've been working
on learning what you're trying to learn as well.  I don't know enough to be
called an expert, but it can't hurt to start somewhere.  I would suggest a
careful writing of your hosts.allow and hosts.deny files.  I would also
suggest downloading and installing ipchains.  I think you can get an rpm
from most redhat mirrors.  I've got an IP masqueraded LAN set up here in my
office and have had to apply some security to the linux box I use as a
"router".  It's set up with only those services I have a need for.  It has a
hosts.deny of ALL:ALL and a hosts.allow of ALL:10.0.0. and ALL:127.0.0.1
to allow the local LAN and the localhost to use those services.  I also set
up ipchains to do the following:

deny all IP forwarding by default.
allow IP forwarding for just my local LAN.
I deny all connection attempts coming into my modem.

The ipchains rules are fairly simple to use and seem very effective.  I have
had no attempts succeed against this system so far.  Hopefully that state
will continue.  I think it is a bit harder with a true server where ports
need to be open, but you can still restrict entry to just those ports, and
stop others from pretending to be a machine on your network.  I hope this
helps.  Others will probably add a lot more :)

Jeff Hogg


--
To unsubscribe: mail [EMAIL PROTECTED] with "unsubscribe"
as the Subject.
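The TCP-wrappers files and the three ipchains rules Jeff Hogg describes above, written out as a small script. This is an added example, not code from either poster or from the list. It assumes placeholder values that the post does not give: a LAN of 10.0.0.0/24 on eth0, a dial-up modem on ppp0, and a hosts.allow/hosts.deny directory passed as an argument (normally /etc). By default it only prints the ipchains commands (RUN=echo); set RUN to empty and run as root to apply them on a 2.2-era kernel that still has ipchains. It also adds one rule the post only hints at ("stop others from pretending to be a machine on your network"): packets arriving on the modem with a LAN source address are dropped and logged.

```shell
#!/bin/sh
# Added example (not from the original thread): Jeff Hogg's hosts.deny /
# hosts.allow setup plus his ipchains rules, as a script.
# Assumptions (placeholders, not from the post): LAN is 10.0.0.0/24 on
# eth0, the modem is ppp0. RUN defaults to "echo" so the ipchains commands
# are printed, not executed; run with RUN= (empty) as root to apply them.
RUN=${RUN-echo}
LAN_PREFIX="10.0.0."        # TCP-wrappers prefix match: trailing dot matters
LAN_NET="10.0.0.0/24"
EXT_IF="ppp0"               # the modem / dial-up interface

# Write hosts.deny (ALL: ALL) and hosts.allow (LAN prefix + localhost) into
# the directory given as $1. tcpd consults hosts.allow first, so the LAN and
# loopback are admitted before the catch-all deny is reached.
write_tcp_wrappers() {
    dir="$1"
    printf 'ALL: ALL\n' > "$dir/hosts.deny"
    printf 'ALL: %s\nALL: 127.0.0.1\n' "$LAN_PREFIX" > "$dir/hosts.allow"
}

# Print (or apply) the ipchains rules from the post:
#  1. deny all IP forwarding by default (chain policy)
#  2. forward, masqueraded, only traffic whose source is the local LAN
#  3. drop inbound connection attempts (TCP SYN) that arrive on the modem
# plus an anti-spoofing rule: a packet claiming a LAN source address cannot
# legitimately arrive on ppp0, so it is logged (-l) and denied.
apply_ipchains() {
    $RUN ipchains -F
    $RUN ipchains -P forward DENY
    $RUN ipchains -A forward -s "$LAN_NET" -i "$EXT_IF" -j MASQ
    $RUN ipchains -A input -i "$EXT_IF" -s "$LAN_NET" -l -j DENY
    $RUN ipchains -A input -i "$EXT_IF" -p tcp -y -l -j DENY
}

# Demo run: write the wrapper files to a scratch directory, show them, and
# print the rule set. With RUN empty this would apply the rules for real.
demo_dir=$(mktemp -d)
write_tcp_wrappers "$demo_dir"
cat "$demo_dir/hosts.deny" "$demo_dir/hosts.allow"
apply_ipchains
```

The ordering of the two input rules is deliberate: the anti-spoofing rule is placed before the SYN rule so that spoofed packets are logged as spoofing rather than as ordinary connection attempts, and `-y` only matches TCP packets with SYN set and ACK/FIN clear, so replies to connections the box itself opened over the modem still get through.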

