Tom,

I've been doing network security for a few years, and I have found
several things to be very valuable:

Obviously, you need to wipe the box out and reinstall from scratch. A
compromised box can't be "fixed". After you have reinstalled, I
recommend getting Bastille-Linux (http://www.bastille-linux.org), which
is a set of hardening scripts that will lock down a box pretty well.
Also, if this system is only going to be a firewall and nothing else,
then I suggest setting it up to send its logs to another box and making
it a read-only system using MedusaDS9 (http://medusa.fornax.sk/). I also
suggest using all three parts of the abacus-project: Logcheck,
port-sentry, and host-sentry (http://www.psionic.com/abacus/). Logcheck
scrapes the log in whatever interval you want (I do it hourly) and
e-mails/pages/whatever a pre-defined person with any security
violations. Port-sentry watches ports that shouldn't be in use and
blocks IP addresses when they attempt to connect to them. Host-sentry is
like Tripwire. It takes a snapshot of your system and makes sure that it
still looks the same periodically. 

If there is any remote access to the system, I suggest using OpenSSH
with keys rather than passwords. 

Some other tricks I have found useful:

Have more than one firewall script and run them often. I have five
scripts, all in different places, all with very different naming
conventions, and I run one every 20 minutes. That way, if one is
altered, it will be replaced shortly, and there is enough time to notice
a problem. 

Have your firewall scripts called from unmounted filesystems. Have a
script in cron that mounts the file system then runs the firewall
script, then unmounts it again. 

Just some thoughts off the top of my head.....

Kenny

-- 
Kenny Lussier
Systems Administrator
Mission Critical Linux
***********************************************************
Life is a lesson, you learn it at the end
Reality has become increasingly less accurate
***********************************************************
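The cron-driven mount/run/unmount trick and the "replace an altered firewall script before it does damage" idea above, written out as an added example (this is not Kenny's script, nor anything shipped by Bastille or the abacus tools). It assumes a normally-unmounted filesystem at /mnt/fwscripts holding rc.firewall, and a reference checksum kept in /etc/fw.sha256 on the root filesystem; all of those paths, the fwcron name and the logger tag are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the original message.  A cron job calls this
# wrapper every 20 minutes: it mounts the filesystem that holds the firewall
# script, checks the script against a checksum stored elsewhere, runs it only
# if it is unaltered, and unmounts again.  All paths below are assumptions.

FW_MOUNT="${FW_MOUNT:-/mnt/fwscripts}"           # assumed mount point (listed in fstab, noauto)
FW_SCRIPT="${FW_SCRIPT:-$FW_MOUNT/rc.firewall}"  # assumed firewall script on that filesystem
FW_SUM="${FW_SUM:-/etc/fw.sha256}"               # assumed reference checksum, kept OFF that filesystem

# record_script FILE SUMFILE: store the reference SHA-256 of FILE (run once, by hand,
# right after you have verified the script is what you wrote).
record_script() {
    sha256sum "$1" | cut -d' ' -f1 > "$2"
}

# verify_script FILE SUMFILE: exit 0 if FILE's SHA-256 matches the recorded one,
# 1 if it differs or either file is unreadable.
verify_script() {
    recorded=$(cut -d' ' -f1 "$2" 2>/dev/null) || return 1
    actual=$(sha256sum "$1" 2>/dev/null | cut -d' ' -f1) || return 1
    [ -n "$recorded" ] && [ "$recorded" = "$actual" ]
}

# run_firewall: mount, verify, (re)load the rules, unmount.  A checksum mismatch
# is logged and the script is NOT executed, so a tampered copy never loads.
run_firewall() {
    mount "$FW_MOUNT" || { logger -t fwcron "mount of $FW_MOUNT failed"; return 1; }
    if verify_script "$FW_SCRIPT" "$FW_SUM"; then
        sh "$FW_SCRIPT"; rc=$?
        logger -t fwcron "reloaded rules from $FW_SCRIPT (rc=$rc)"
    else
        logger -t fwcron "checksum mismatch on $FW_SCRIPT; rules NOT reloaded"
        rc=2
    fi
    umount "$FW_MOUNT"
    return $rc
}

# Dispatch on the first argument so the functions above can also be sourced.
case "${1:-}" in
    run)    run_firewall ;;
    record) record_script "$FW_SCRIPT" "$FW_SUM" ;;
esac

# Constructed crontab line for root, every 20 minutes:
#   */20 * * * * /usr/local/sbin/fwcron run
```

Keeping the checksum on a different filesystem from the script is the point of the check: an intruder who alters rc.firewall also has to find and alter /etc/fw.sha256, and the logger line gives Logcheck something to page you about.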


> Tom Laurie wrote:
> 
> I just heard how hackers were focusing on cable systems by placing
> "Zombie" programs on the computers behind the cable.  If you got one
> of these placed on your system you wouldn't notice it, but your
> computer could be used to go out and hack other computers.  It is also
> virtually impossible to trace the Zombie program back to the
> originator.
> 
> I've helped a little with other gnhlug members to set up Concord
> Christian's Linux box connected to their Mediaone cable running
> IPChains.  They got a call from ATT Broadband yesterday saying that
> their computer was being used to hack into other computers and sure
> enough, when you reboot their server it says Zombie at some point.
> 
> Does anyone know how to clean the Zombie off of their server?
> 
> 
> Once it is off, how can I protect against it ?
> 
> 
> Tom Laurie
> NH Office of Emergency Management
> Systems Manager
> 603 223-3617
