Possibly, but it looks like an SSH connection either way. I'd worry less about what the connection is and more about how it got there, and plug that hole. Once that's plugged, you won't have to worry about it. :)
----- Original Message -----
From: "LuisMi" <[EMAIL PROTECTED]>
To: "Jason Pappas" <[EMAIL PROTECTED]>
Sent: Friday, February 22, 2002 9:31 AM
Subject: Re: Security breach??

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Maybe an SSH tunnel?
>
> - --
> +------------------------------------------------------------------+
> | Luis Miguel Cruz.                                                |
> | Public Key: http://www.flcnet.es/tbe/luismi/nadie/luismi_adp.asc |
> +------------------------------------------------------------------+
>
> On Fri, 22 Feb 2002, Jason Pappas wrote:
>
> > There are many known hacks in BIND. I'd investigate that.
> >
> > - make sure you have the latest bind version.
> > - chroot your bind install
> > - suid your bind daemon
> > - not give them any access to any system commands (ssh, telnet, etc.) when
> >   you chroot
> > - restrict connections at the firewall that can be made both from and to
> >   this DNS server
> >
> > ----- Original Message -----
> > From: <[EMAIL PROTECTED]>
> > To: <[EMAIL PROTECTED]>
> > Sent: Friday, February 22, 2002 6:43 AM
> > Subject: Security breach??
> >
> >
> > > I've got a serious problem and would like to have any opinion.... specialists,
> > > HELP!!
> > >
> > > I've had iptables working fine for 8 months, but for some days strange
> > > things have been appearing.
> > > The main one is today's:
> > > I've got an internal NATed network with one DNS server in a pseudo-DMZ
> > > (private IP) with SSH installed on it.
> > > SSH is set up allowing only DSA auth.
> > >
> > > The iptables gateway allows only the DNS (UDP) traffic to be DNATed through
> > > the DNS server. Not the SSH, which is used only internally, and nothing
> > > else than UDP 53 packets.
> > >
> > > However, the forward chain logs many and many packets which come from my
> > > DNS server port 22 to a public external IP.
> > > Since I've not allowed such a connection in my forward chain nor in the
> > > DNAT table, I don't understand how such a behaviour could happen.
> > >
> > > Is it an intrusion?
> > > To stop this, I stopped the SSH daemon on the DNS server, but I would like
> > > to know what happened.
> > >
> > > Thanks for your help
> > > Vincent
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.0.6 (GNU/Linux)
> Comment: For info see http://www.gnupg.org
>
> iEYEARECAAYFAjx2VlkACgkQvQHLTzrFJlcOggCfcXJacDMSIDqpwzzZlWWNsqaH
> 2E8An0pq9zxQYXTFY6zwfGa3etDGri5J
> =OcTS
> -----END PGP SIGNATURE-----
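Added example, not part of the thread above: Vincent's FORWARD-chain log entries are the evidence that answers Jason's "how it got there". The script below parses iptables LOG lines as the kernel writes them to syslog (SRC=/DST=/PROTO=/SPT=/DPT= fields plus bare TCP flag tokens such as SYN and ACK), groups them into flows, and classifies each flow against the intended policy of "UDP/53 to and from the DNS host, nothing else". The TCP flags are what tell you the direction of the original connection: a SYN+ACK leaving port 22 on the DNS host means an outside client completed a handshake to the SSH daemon (so the hole is inbound), while a bare SYN leaving the host toward port 22 means the host itself opened an outbound SSH session. The log lines, the address 192.168.1.53, the log prefix "FWD:", the interface names and the verdict strings are all constructed for the example and are not taken from the thread.

```python
import re
from collections import Counter

# Constructed sample of iptables LOG output as it appears in syslog (not from
# the thread).  Addresses use RFC 1918 / RFC 5737 ranges; "FWD:" is an assumed
# --log-prefix on the FORWARD chain.
SAMPLE_LOG = """\
Feb 22 06:40:01 gw kernel: FWD: IN=eth1 OUT=eth0 SRC=192.168.1.53 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=1234 DF PROTO=TCP SPT=22 DPT=51432 WINDOW=5840 RES=0x00 ACK SYN URGP=0
Feb 22 06:40:01 gw kernel: FWD: IN=eth1 OUT=eth0 SRC=192.168.1.53 DST=203.0.113.10 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=1235 DF PROTO=TCP SPT=22 DPT=51432 WINDOW=5840 RES=0x00 ACK PSH URGP=0
Feb 22 06:40:02 gw kernel: FWD: IN=eth1 OUT=eth0 SRC=192.168.1.53 DST=203.0.113.10 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=1236 DF PROTO=TCP SPT=22 DPT=51432 WINDOW=5840 RES=0x00 ACK PSH URGP=0
Feb 22 06:40:05 gw kernel: FWD: IN=eth0 OUT=eth1 SRC=198.51.100.7 DST=192.168.1.53 LEN=73 TOS=0x00 PREC=0x00 TTL=52 ID=4321 PROTO=UDP SPT=40231 DPT=53 LEN=53
Feb 22 06:40:05 gw kernel: FWD: IN=eth1 OUT=eth0 SRC=192.168.1.53 DST=198.51.100.7 LEN=120 TOS=0x00 PREC=0x00 TTL=63 ID=77 PROTO=UDP SPT=53 DPT=40231 LEN=100
Feb 22 06:41:10 gw kernel: FWD: IN=eth1 OUT=eth0 SRC=192.168.1.53 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=9001 DF PROTO=TCP SPT=33812 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
"""

DNS_SERVER = "192.168.1.53"   # assumed private address of the pseudo-DMZ DNS host

KV_RE = re.compile(r"(\w+)=(\S*)")
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}


def parse_log_line(line):
    """Return the KEY=value fields of one iptables LOG line, or None if it is not one.

    TCP flags are bare tokens without '=', so they are collected into FLAGS.
    (UDP lines carry LEN= twice, IP and UDP length; the second wins, unused here.)
    """
    if "kernel:" not in line or "PROTO=" not in line:
        return None
    body = line.split("kernel:", 1)[1]
    fields = dict(KV_RE.findall(body))
    fields["FLAGS"] = frozenset(tok for tok in body.split() if tok in TCP_FLAGS)
    return fields


def classify(f):
    """Compare one forwarded packet with the policy 'UDP/53 to/from the DNS host only'."""
    proto, src, dst = f.get("PROTO"), f.get("SRC"), f.get("DST")
    spt, dpt = f.get("SPT"), f.get("DPT")
    if proto == "UDP" and dst == DNS_SERVER and dpt == "53":
        return "allowed: DNS query in"
    if proto == "UDP" and src == DNS_SERVER and spt == "53":
        return "allowed: DNS reply out"
    if proto == "TCP" and src == DNS_SERVER and spt == "22":
        # Replies from sshd: the flags say whether this is the handshake or a live session.
        if f["FLAGS"] == {"SYN", "ACK"}:
            return "SUSPECT: sshd answering an inbound connection from outside"
        if "SYN" not in f["FLAGS"]:
            return "SUSPECT: established SSH session from outside to the DNS host"
    if proto == "TCP" and src == DNS_SERVER and dpt == "22" and f["FLAGS"] == {"SYN"}:
        return "SUSPECT: DNS host opening an outbound SSH connection"
    return "SUSPECT: traffic outside policy"


def summarize(log_text):
    """Count packets per (verdict, proto, src, sport, dst, dport) flow."""
    counts = Counter()
    for line in log_text.splitlines():
        f = parse_log_line(line)
        if f is None:
            continue
        counts[(classify(f), f["PROTO"], f["SRC"], f["SPT"], f["DST"], f["DPT"])] += 1
    return counts


def suspect_flows(log_text):
    """Only the flows that violate the policy, most frequent first."""
    return [(k, n) for k, n in summarize(log_text).most_common()
            if k[0].startswith("SUSPECT")]


if __name__ == "__main__":
    for (verdict, proto, src, spt, dst, dpt), n in summarize(SAMPLE_LOG).most_common():
        print(f"{n:4d}  {proto} {src}:{spt} -> {dst}:{dpt}  {verdict}")
```

Run it against a real syslog (`grep 'FWD:' /var/log/messages`) by replacing SAMPLE_LOG. For Vincent's case the thing to look for is which of the two SSH verdicts appears: a SYN+ACK flow from port 22 means a packet with DPT=22 reached the DNS host, so the inbound rules and the DNAT table, not the SSH daemon, are where the hole is; an outbound SYN to port 22 means something on the host itself is making connections, which is the "check BIND and the box" case Jason raised.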
