There are many known hacks in BIND. I'd investigate that.

- make sure you have the latest bind version.
- chroot your bind install
- suid your bind daemon
- do not give them any access to any system commands (ssh, telnet, etc) when you chroot
- restrict connections at the firewall that can be made both from and to this DNS server
----- Original Message -----
From: <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, February 22, 2002 6:43 AM
Subject: Security breach??

> I've got a big problem and would like to have any opinion.... specialists,
> HELP!!
>
> I've had iptables working fine for 8 months, but for some days strange
> things have been appearing.
> The main one is today's:
> I've got an internal NATed network with one DNS server in a pseudo-DMZ
> (private IP) with SSH installed on it.
> SSH is set up allowing only DSA auth.
>
> The iptables gateway allows only DNS (UDP) traffic to be DNATed through to
> the DNS server. Not SSH, which is used only internally, and nothing other
> than UDP 53 packets.
>
> However, the forward chain logs many, many packets which come from my
> DNS server port 22 to a public external IP.
> Since I've not allowed such a connection in my forward chain nor in the
> DNAT table, I don't understand how such behaviour could happen.
>
> Is it an intrusion?
> To stop this, I stopped the ssh daemon on the DNS server, but I would like
> to know what happened.
>
> Thanks for your help
> Vincent
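The log triage Vincent describes, as an added example that is not part of the original thread: a POSIX shell/awk filter that reads iptables LOG lines from the FORWARD chain and reports packets leaving the DNS server's TCP port 22 through the external interface toward a public (non-RFC1918) address, then summarises them per destination host. The DNS server address (192.168.10.53), the interface names (eth0 external, eth1 DMZ, eth2 LAN), the "FWD:" log prefix and the log lines themselves are all assumptions constructed for this example, not data from the poster's system.

```shell
#!/bin/sh
# Added example (not from the original thread): flag SSH egress from the DMZ
# DNS server in iptables FORWARD-chain LOG output.
# Assumed layout: DNS server 192.168.10.53 behind eth1, internet on eth0,
# LAN on eth2, rules logging with the prefix "FWD:". Override via environment.
DNS_SERVER="${DNS_SERVER:-192.168.10.53}"
EXT_IF="${EXT_IF:-eth0}"

# Constructed sample log lines in netfilter LOG-target format (not real data):
# line 1, 5, 6: DNS server sshd side (SPT=22) talking to public hosts via eth0
# line 2: a normal DNS reply (UDP 53) - must not be flagged
# line 3: SSH from the DNS server to an internal admin box - allowed, not flagged
# line 4: a LAN host, not the DNS server - not flagged
SAMPLE_LOG='Feb 22 06:43:01 gw kernel: FWD: IN=eth1 OUT=eth0 SRC=192.168.10.53 DST=203.0.113.7 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=4011 DF PROTO=TCP SPT=22 DPT=41022 WINDOW=5840 RES=0x00 ACK PSH URGP=0
Feb 22 06:43:01 gw kernel: FWD: IN=eth1 OUT=eth0 SRC=192.168.10.53 DST=198.51.100.4 LEN=80 TOS=0x00 PREC=0x00 TTL=63 ID=4012 PROTO=UDP SPT=53 DPT=5230 LEN=60
Feb 22 06:43:02 gw kernel: FWD: IN=eth1 OUT=eth2 SRC=192.168.10.53 DST=192.168.1.20 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=4013 DF PROTO=TCP SPT=22 DPT=50312 WINDOW=5840 RES=0x00 ACK URGP=0
Feb 22 06:43:03 gw kernel: FWD: IN=eth2 OUT=eth0 SRC=192.168.1.20 DST=203.0.113.7 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=4014 DF PROTO=TCP SPT=22 DPT=41100 WINDOW=5840 RES=0x00 SYN URGP=0
Feb 22 06:43:04 gw kernel: FWD: IN=eth1 OUT=eth0 SRC=192.168.10.53 DST=203.0.113.7 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=4015 DF PROTO=TCP SPT=22 DPT=41022 WINDOW=5840 RES=0x00 ACK PSH URGP=0
Feb 22 06:43:05 gw kernel: FWD: IN=eth1 OUT=eth0 SRC=192.168.10.53 DST=203.0.113.9 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=4016 DF PROTO=TCP SPT=22 DPT=39018 WINDOW=5840 RES=0x00 ACK PSH URGP=0'

# flag_ssh_egress: read LOG lines on stdin; print one line per packet that
# left the DNS server's TCP port 22 via the external interface to a public IP.
# Output: "<timestamp> <src>:22 -> <dst>:<dport>"
flag_ssh_egress() {
  awk -v srv="$DNS_SERVER" -v ext="$EXT_IF" '
  {
    split("", f)                                  # reset key=value map per line
    for (i = 1; i <= NF; i++)
      if (split($i, kv, "=") == 2) f[kv[1]] = kv[2]
    if (f["OUT"] != ext || f["SRC"] != srv) next  # only DNS server -> internet
    if (f["PROTO"] != "TCP" || f["SPT"] != "22") next
    # skip RFC1918 destinations: internal SSH use is expected
    if (f["DST"] ~ /^(10\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.)/) next
    print $1, $2, $3, f["SRC"] ":" f["SPT"], "->", f["DST"] ":" f["DPT"]
  }'
}

# summarize_ssh_egress: packet count per external destination host, most first.
summarize_ssh_egress() {
  flag_ssh_egress | awk '{ split($NF, a, ":"); n[a[1]]++ }
                         END { for (d in n) print n[d], d }' | sort -rn
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | flag_ssh_egress
printf '%s\n' "$SAMPLE_LOG" | summarize_ssh_egress
```

Run it over the real log with `grep 'FWD:' /var/log/messages | DNS_SERVER=... EXT_IF=... sh -c '. ./triage.sh; flag_ssh_egress'` (or simply replace SAMPLE_LOG). Because the source port on the DNS-server side is 22, every flagged packet is sshd's half of a TCP session, not an outbound client connection; the matching inbound packets (DST=<dns server>, DPT=22, and the SYN in particular) show which side opened the session. The per-destination summary is the list to block at the gateway and to correlate against sshd's own logs and wtmp on the server.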
