tomasz abramowicz wrote:
> kevin bailey wrote:
>> hi,
>>
>> was recently rootkitted on a debian machine because i'd left an obscure
>> service running.
>
> which one?
>

i thought it was webmin - but now i'm not so sure - i thought there was a vulnerability in webmin in 2005 which was not in the debian security list - but now i can't find it.

>> 2. firewall
>> now i'm not sure about the need for a firewall - i may need to access the
>> server over ssh from anywhere. also, to run FTP doesn't the server need
>> to be able to open up a varying number of ports.
>
> hmm. you could look into port knocking for your ssh problem.
> ftp server can be configured to use only 21tcp and 20tcp (ftp,ftp-data)
> (requires configuring clients active/passive mode)
>

will check this out definitely - it means that i can implement a firewall which only has certain ports open.

>> BTW - FTP *has* to be available - many of the users only know how to use
>> FTP.
> hmm, a wide range of clients on all systems is beginning to implement
> scp/sftp, it's worth *forcing* on users, in some scenarios it's not as
> scary as it might seem.
>
>> currently - i see no compelling need to set up a firewall - especially
>> since if i get it wrong i could lose access to the machine.
>
> no right attitude.
> your compelling need is established by:
> 1. you just got rootkitted onto a port which could've been closed.
> 2. you're going to be hooked up to internet.
>
>> so, use something like nmap to test for open ports on a remote machine.
>> make sure only required services are running.
>
> absolutely. with and without the firewall running, scan everything.
>
>> run snort to check for attacks.
>
> this can get really annoying=not useful, especially when you decide
> snort should also send you alerts via email or sms.
> i would suggest you leave this to very last.
> and if you do set it up, make sure to check out the 'acid' interface..
>

has been noted - i'll check it out.

> hth,
> t.