On Mon, Nov 15, 1999 at 08:42:37AM -0500, George Lenzer wrote:
> This past week I ran into some problems on my RedHat 6.0 IP Masq box at
> home. I was no longer able to 'ssh' to the machine and my friends were
> unable to connect to the Quake3test server with any reliability. (They
> could connect, but only for a few moments with a lot more lag than usual)
Sounds more like one of two things. Either normal network congestion, or
your ISP does not like you hosting a server behind their router and is
either port blocking you or choking you off.
> I had installed a fresh copy of RH 6.0 (without any security updates) on Oct.
> 2. Before I put the machine on the Internet, I installed Portsentry. I had
> hoped that installing Portsentry and disabling everything except the bare
> essentials, including; HTTPD, IPOP3D (with IMAP disabled), DHCPD, and SAMBA
> would protect me from most exploits. Apparently not. This is what I found
> on my system after attempting to back everything up:
In the run levels, shut off every daemon that does not actually do anything.
In /etc/inetd.conf, comment out any services you don't need. I usually only
leave telnet, ftp, and auth open. In hosts.deny, put "ALL : ALL", and in
hosts.allow, put "ALL: 127.0.0.1" and "in.identd: ALL". You can add the IP of any
allowed hosts to the "ALL: 127.0.0.1" line if you wish. Just for a dialup session,
it's unlikely you'll need any more security than that, and you can then start
adding IP-Chains rules if you do.
>
> In /usr/bin, there was a symlink called 'mh' which pointed to '.' There
> were also quite a few other symlinks that I hadn't seen on my other RedHat
> systems but could have been part of something I installed. The date the
> 'mh' symlink was created was Oct. 6. There was also a symlink called '['
> which pointed to a binary on the system called 'test'. There were quite a
> few symlinks that pointed to things like '../../sbin/halt', etc... These
> MAY be normal, but I have not seen them before and would suspect they are the
> signs of a compromised box.
>
Whoa dude, slow down and chill. THIS IS NORMAL.
> I am going to zero out the hard drive and re-install RH Linux again. This
> time I am going with RH 6.1 and the latest security updates. I will also
> install the latest Portsentry and 'ssh/sshd'. Lastly, before I put the box
> on the net, I will run a checksum program (like TripWire) that way I will be
> able to verify that something has changed in the future.
>
Don't bother. RPM keeps an MD5 sum on every file. Do an rpm verify. See man
page.
> The question; Is there a decent RedHat only security list that may keep me
> abreast of the latest exploits and provide more security info than this list
> can?
>
> Thanks,
> George Lenzer
>
> --
> To unsubscribe: mail [EMAIL PROTECTED] with "unsubscribe"
> as the Subject.
>
--
J. Scott Kasten
jsk AT tetracon-eng DOT net
"That wasn't an attack. It was preemptive retaliation!"
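The "rpm verify" Scott recommends prints one line per file whose recorded attributes no longer match, and the flags need interpreting before they mean anything. The following is an added example, not code from either poster: a small shell/awk triage of `rpm -Va` output that separates an MD5 mismatch on a binary from a routine config edit. The sample report lines and paths are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original thread): triage the output of
# `rpm -Va` so that MD5 mismatches on non-config files stand out from
# routine config edits and doc-file timestamp drift.
#
# Each rpm -V line is: 8 attribute flags (S M 5 D L U G T = size, mode,
# MD5, device, link, user, group, mtime), an optional file-type marker
# (c = config, d = doc, ...), then the path.  '.' means the attribute
# matched, '?' means it could not be checked, and a bare "missing" line
# means the file is gone.

triage_rpm_verify() {
    # Reads rpm -V output on stdin, prints "LEVEL path" per entry,
    # sorted alphabetically by level so the HIGH entries come first.
    awk '
        $1 == "missing" { print "HIGH " $NF; next }
        {
            flags = $1
            # A file-type marker is present only when there are 3 fields.
            marker = (NF == 3) ? $2 : ""
            path = $NF
            if (index(flags, "5") && marker != "c")
                print "HIGH " path      # content changed on a non-config file
            else if (index(flags, "5"))
                print "MEDIUM " path    # config file edited: usually expected
            else if (index(flags, "M") || index(flags, "U") || index(flags, "G"))
                print "MEDIUM " path    # mode or ownership drift
            else
                print "LOW " path       # only size/mtime, e.g. a touched doc
        }
    ' | sort
}

# Constructed sample report (hypothetical paths, not a real scan).
sample_report() {
    printf '%s\n' \
        'S.5....T   /bin/ls' \
        '..5....T c /etc/inetd.conf' \
        '.M......   /usr/sbin/in.telnetd' \
        'missing    /usr/bin/test' \
        '.......T d /usr/doc/sh-utils/README'
}

sample_report | triage_rpm_verify
```

Because the RPM database sits on the same disk as the files it describes, on a box you already suspect it is better to verify against the original package files (`rpm -Vp`) from install media than against the installed database.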