In the absence of this, keeping an eye on what the box is doing is a close

Well if you do, I'll recommend bind 9.2.x for the job unless there's a
better version out there by that time ;)

Last count of remote exploits: bind-8.x, lots. bind-9.x, none.

You might be better off with `rsync -e ssh' and passphraseless keys,
depending on exactly how immediate you want change notifications to

You should definitely consider the relationship between your servers in the
firewall design - at the very least I'd say portmap+nfs is permitted *IFF*
you firewall down to the two machines. But preferably, don't do it at all.

If you were running samba out of xinetd, you'll probably want to disable
the relevant services in /etc/xinetd.conf (and reload xinetd).

You might want to check for a firewall between your workstation and the
server in question dropping port 6346 specifically - in fact, if you really
want to be sure, run tcpdump on the server while you nmap it for
-p6345-6347 (a range crossing the port in question) and see if port 6346 is
scanned at all - if not, it's an outgoing firewall getting in your way :)

... you can log the results into mysql and run _Acid_ against it, too. That
generates pretty-picture html overviews and stuff.

That would also explain it :8)

Well if nothing else, you can use _iptraf_ in per-port summary mode :)

Choose what hashes you maintain for which directory very carefully. I have
separate settings for:

    =/boot$ Binlib
    # Binaries
    /bin Binlib
    /sbin Binlib
    /usr/bin Binlib
    /usr/sbin Binlib
    /usr/local/bin Binlib
    /usr/local/sbin Binlib
    /usr/games Binlib
    # Libraries
    /lib Binlib
    /usr/lib Binlib
    /usr/local/lib Binlib
    # Log files
    /var/log$ StaticDir
    /var/log/aide/aide.log(.[0-9])?(.gz)? Databases
    /var/log/aide/error.log(.[0-9])?(.gz)? Databases
    /var/log/setuid.changes(.[0-9])?(.gz)? Databases
    /var/log Logs
    # Devices
    /dev Devices
    # Other miscellaneous files
    /var/run$ StaticDir

if it helps :)

> >and dns dangling around all over the place, nor will you be aware what's
> >going off if you don't start firewalling things properly and keep a
> >close eye on your IDS.
> I'll read up on IPtables.

Definitely. <http://netfilter.samba.org/> is one possible starting point;
I'd also recommend <http://www.linuxsecurity.com/> and search the latter
for the comp.os.linux.security FAQ.

> BTW, I just off the phone with my host. They said that as long as I'm on
> the case and take it seriously, they're cool. Besides, the Gnutella port
> is somewhat limited, so it is limited what kind of damage intruders can
> do through that port.

They sound like sensible folks to me :)
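An added illustration of the point behind the aide.conf fragment above (this is example code written for this page, not the poster's configuration or AIDE itself): an integrity checker is only useful if each directory is watched with the right attribute set. The script below models that with a small rule table. Group names mirror the posted fragment, but the attribute lists per group, the first-match-wins rule ordering, and the constructed file tree are all assumptions of this example. Binaries are hashed, so a same-size content change is caught; log files are tracked by mode and ownership only, so normal growth stays quiet while a new file appearing under /var/log is still reported.

```python
import hashlib
import os
import re
import stat
import tempfile

# Attribute set per group. Names follow the posted aide.conf fragment;
# which attributes each group records is this example's assumption.
GROUPS = {
    "Binlib":    ("mode", "uid", "gid", "size", "sha256"),  # executables/libs must not change at all
    "Logs":      ("mode", "uid", "gid"),                    # logs grow: size/hash would alarm constantly
    "StaticDir": ("mode", "uid", "gid"),                    # the directory entry itself
    "Databases": ("mode", "uid", "gid"),
}

# Selection rules: (regex matched from the start of the path, group).
# Assumption: first matching rule wins, so "/var/log$" (the directory entry
# only) must precede the catch-all "/var/log".
RULES = [
    (r"/bin", "Binlib"),
    (r"/var/log$", "StaticDir"),
    (r"/var/log/aide/aide\.log(\.[0-9])?(\.gz)?$", "Databases"),
    (r"/var/log", "Logs"),
]


def select_group(path, rules=RULES):
    """Return the group for a logical path, or None if no rule selects it."""
    for pattern, group in rules:
        if re.match(pattern, path):
            return group
    return None


def file_attrs(real_path, wanted):
    """Collect only the attributes the group asks for."""
    st = os.lstat(real_path)
    attrs = {}
    if "mode" in wanted:
        attrs["mode"] = stat.S_IMODE(st.st_mode)
    if "uid" in wanted:
        attrs["uid"] = st.st_uid
    if "gid" in wanted:
        attrs["gid"] = st.st_gid
    if "size" in wanted:
        attrs["size"] = st.st_size
    if "sha256" in wanted and stat.S_ISREG(st.st_mode):
        h = hashlib.sha256()
        with open(real_path, "rb") as f:
            for chunk in iter(lambda: f.read(65536), b""):
                h.update(chunk)
        attrs["sha256"] = h.hexdigest()
    return attrs


def snapshot(root, rules=RULES):
    """Walk root and record (group, attrs) for every path some rule selects."""
    db = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            real = os.path.join(dirpath, name)
            logical = "/" + os.path.relpath(real, root).replace(os.sep, "/")
            group = select_group(logical, rules)
            if group is not None:
                db[logical] = (group, file_attrs(real, GROUPS[group]))
    return db


def compare(old, new):
    """Report added, removed and changed paths; 'changed' lists the differing attributes."""
    report = {"added": sorted(set(new) - set(old)),
              "removed": sorted(set(old) - set(new)),
              "changed": {}}
    for path in set(old) & set(new):
        _, before = old[path]
        _, after = new[path]
        diff = sorted(k for k in before if before[k] != after.get(k))
        if diff:
            report["changed"][path] = diff
    return report


def demo():
    """Constructed tree: overwrite a binary with same-size content, append to a log, add a log file."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "bin"))
        os.makedirs(os.path.join(root, "var", "log"))
        ls = os.path.join(root, "bin", "ls")
        messages = os.path.join(root, "var", "log", "messages")
        with open(ls, "wb") as f:
            f.write(b"ELF-ish original\n")
        with open(messages, "wb") as f:
            f.write(b"Jan  1 00:00:00 host syslogd: restart\n")
        baseline = snapshot(root)

        with open(ls, "wb") as f:
            f.write(b"ELF-ish trojaned\n")      # same length, different bytes
        with open(messages, "ab") as f:
            f.write(b"Jan  1 00:01:00 host sshd: session opened\n")
        with open(os.path.join(root, "var", "log", "new.log"), "wb") as f:
            f.write(b"x\n")
        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    print(demo())
```

Running it reports `/bin/ls` changed on `sha256` only (the size is unchanged, which is exactly why size alone is not enough for binaries), `/var/log/new.log` as added, and nothing at all for the grown `/var/log/messages`. Swap the `Logs` group to include `sha256` and the same run flags every log file, which is the noise the separate settings in the fragment are there to avoid.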


