This afternoon (4pm EST) I was doing some maintenance work on our server and suddenly my ssh telnet session dropped. Attempts at reconnecting yielded a "certificate missing" error. FTP, HTTP, and our email services (dovecot with amavisd/clamd/spamassassin and postfix with secure ldap) were slowing to a crawl. It was very fortunate that I noted the issue, otherwise we might be "toast".
Our ISP got involved quickly, shut off all outside connections, and found that user "amavis" through a shell account had installed a new ssh client in /tmp, launched it, logged in, and then was apparently scanning to find the root password for the server. Yikes! It appears that the user amavis was not sent to /bin/false but instead /bin/sh! We changed that right away.

I am now working through the security suggestions for amavisd but would appreciate any knowledgeable feedback (anyone here is way above my own) on this to make sure that such an erroneous configuration could lead to this issue.

/mark

_______________________________________________
AMaViS-user mailing list
https://lists.sourceforge.net/lists/listinfo/amavis-user
AMaViS-FAQ: http://www.amavis.org/amavis-faq.php3
AMaViS-HowTos: http://www.amavis.org/howto/

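The misconfiguration described in the post (a service account such as amavis left with /bin/sh instead of /bin/false) is easy to audit for. The following script is an added example, not part of the original post or of the amavisd project: it reads a passwd-format file and lists every system account whose login shell is interactive. It assumes the common Linux convention that system accounts use UIDs below 1000 (root excepted), treats /bin/false and the nologin shells as non-interactive, and flags an empty shell field, which login(1) treats as /bin/sh. The sample passwd data is constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original post): audit a passwd file for
# service accounts that still have an interactive login shell.
# Assumption: system accounts use UIDs below 1000, root excepted.

# Constructed sample passwd data so the script runs stand-alone.
# "amavis" has /bin/sh (the problem from the post); "vmail" has an empty
# shell field, which login(1) interprets as /bin/sh.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
amavis:x:110:115:AMaViS system user:/var/lib/amavis:/bin/sh
clamav:x:111:116::/var/lib/clamav:/bin/false
postfix:x:112:117::/var/spool/postfix:/usr/sbin/nologin
vmail:x:113:118::/var/mail:
mark:x:1000:1000:Mark:/home/mark:/bin/bash'

# Print "user:shell" for each service account whose shell is not one of
# the non-login shells. Argument 1: passwd-format file (default /etc/passwd).
find_interactive_service_accounts() {
    awk -F: '
        # Skip root and regular (UID >= 1000) users.
        $3 == 0 || $3 >= 1000 { next }
        # Empty shell field means /bin/sh, so report it explicitly.
        $7 == "" { print $1 ":(empty, defaults to /bin/sh)"; next }
        # Anything other than the usual non-login shells is interactive.
        $7 != "/bin/false" && $7 != "/usr/sbin/nologin" && $7 != "/sbin/nologin" {
            print $1 ":" $7
        }
    ' "${1:-/etc/passwd}"
}

# Run the audit over the constructed sample (used for the demonstration).
audit_sample() {
    tmp=$(mktemp) || return 1
    printf '%s\n' "$SAMPLE_PASSWD" > "$tmp"
    find_interactive_service_accounts "$tmp"
    rm -f "$tmp"
}

# Usage on a live system: find_interactive_service_accounts /etc/passwd
```

Running `audit_sample` reports only amavis and vmail; on a real host, call `find_interactive_service_accounts /etc/passwd` and change any flagged account with `usermod -s /usr/sbin/nologin <user>` (or /bin/false). Note that a non-login shell only blocks interactive logins: a process already running as that user (for example a compromised daemon) can still execute commands, so this check complements, rather than replaces, keeping the daemon itself patched and confined.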