Is this how to use Freebsd?

2000-11-02 Thread Don Muller



Hello,
 
I have some questions that maybe someone could help 
with.
 
I leased a new server, and redhat 6.2 was put on as the
operating system. Shortly after that the machine was hacked. Apparently the
machine was a peach because the hackers used the server to launch DOS attacks
from. The high output hit 44MBS!
 
Well, the company did not explain how, or why it
happened. The programmer I work with suggested BSD. Of course I wanted
security!
 
Well, I told the Network admin that I wanted some 
security because I thought the hackers would come back. He said, well, when we 
put you on a 10 pipe, (of your 10-100) the attacks stopped, so I don't think 
they will come back as they know they are detected.
Also, in 98% of the cases they just move 
on.
 
Well I didn't really think this was all that well 
thought out, and ripe for abuse, but what could I do? So I told them to leave 
the 10mbs pipe on for a few days in case they come back.
 
Well guess what? They came back! Just a few hours 
later, and attacked with the 10 mbs pipe. And it took way longer to detect! Of 
course. At 44 mbs they detect it right away.
So, when is the network guy gonna do something 
smart?
 
Well, they gave me some explanation that the server was 
hacked at the xfs port. But later I was told that the ftp port on redhat 6.2 was 
the vulnerability, so they actually were not sure? They did little to tell me 
what to do either, other than to "Clean up".
 
We decided best was to start over rather than look for 
back doors etc.
 
So this is when we had the network people install 
Freebsd. And where my questions lie.
 
Well, they didn't put SMP in the kernel, and it was a dual
processor. We fixed that, but the programmer I work with noticed that the files
were not right. We have (2) 9 gig hard drives, and one had 8.3 gigs of space in
/home. The other had 18 mb in /, /var had 19 mb and /usr had 7.2 gigs.
 
So, we were told that this is a normal out of the box 
configuration for Freebsd. Does that make sense?
 
I do not know.
 
But I need to know if my programmer is not really 
understanding the files and how they are used in Freebsd, Or if the Network guys 
made a mistake, and are thinking we won't catch it.
 
Because...the network guys suggested we try (well at 
first one guy agreed and said, yeah, those files and partitions don't look 
right, I agree with your programmer) ...so he suggested that we do the 
following:
 
/ 48 mb -- 18 free
/var -- 19 mb
/usr -- 7.2 gig

drive 2
/home 8.3

mv /usr/* /usr/usr
cp / /usr
cp /var /usr

reload boot software and edit /usr/etc (after copy) to make /usr   /
--
Well, when our guy logged in and did that it shut his connection down.
The computer just kept looking for a getty file. So his copy probably messed
with the connection when the connection info was moved...or something I was told
by the network guys.
 
 
Well, I am not a programmer or a system guy... But I am
thinking that I, or we, are not totally at fault with what happened here, and
should not have to pay for a reinstall.
 
So, could you comment and expand where possible on the 
following, it would be appreciated, and we could then have an idea what to do as 
well.
 
1). Does the network have any obligation to lock down a
server, before they hand it over? They have been hit by 10 such attacks since
mine and have changed the strategy to locking the systems down.
 
2). Does the file and partition system look ok for a 2
drive Freebsd install? We mainly want to use 1 hd and have one for back up of
the first.
 
3). Is the following a system that defeats the purpose 
of Freebsd, or is not a good way to use it?
 
*Not from programmer
Tell them to set up the drives as follows:

1 partition per drive

drive 1 mount to /
drive 2 mount to /mnt/backup
 
Ok, well I guess I have confused you 
enough.
 
Please forward any ideas you may have on
the subject.
 
Thanks
 
D Muller
 
 
 


Re: Is this how to use Freebsd?

2000-11-02 Thread Alfred Perlstein

* Don Muller <[EMAIL PROTECTED]> [001102 08:40] wrote:
> Hello,
> 
> I have some questions that maybe someone could help with.

[snip...]

> 
> 1).Does the network have any obligation to lock down a server,
> before they hand it over? They have been hit by 10 such attacks
> since mine and have changed the strategy to locking the systems
> down.

Not unless you have a contract that says that they are responsible
for locking the machine down.

> 2).Does the file and partition system look ok for a 2 drive
> Freebsd install? We mainly want to use 1 hd and have one for back
> up of the first.

The default should be ok for drive 1, you can make drive 2 a separate
filesystem for doing backups and it would work fine.

> 3). Is the following a system that defeats the purpose of Freebsd,
> or is not a good way to use it?
> 
> *Not from programmer
> Tell them to set up the drives as follows:
> 
> ___1 partition per drive___
> 
> drive 1 mount to /
> 
> drive 2 mount to /mnt/backup

That's a typical 'Linux' partitioning choice, personally I dislike it
and prefer something like:

120M /
300M /var
2xRAM swap (limit 1 gig)
rest /usr

/usr may be split into /usr and /usr/home, if so /usr usually gets
about 1.5gigs and /usr/home gets the rest.

A couple of suggestions:

1) please wrap lines at 70 characters when posting to the list.
2) you seem to be in pretty bad need for a skilled FreeBSD
   consultant or full time admin.  

   see: http://www.freebsd.org/commercial/consulting_bycat.html
   or perhaps respond in private mail if you're interested in
   a training, perhaps we could work something out.

best of luck,
-- 
-Alfred Perlstein - [[EMAIL PROTECTED]|[EMAIL PROTECTED]]
"I have the heart of a child; I keep it in a jar on my desk."


To Unsubscribe: send mail to [EMAIL PROTECTED]
with "unsubscribe freebsd-hackers" in the body of the message
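A quick way to check a layout like the one in the original post against the sizes Alfred suggests, as an added example that is not from the thread: it reads `df -m`-style output (the sample below is constructed from the numbers the poster gave) and flags / and /var when they fall below the assumed minimums of 120M and 300M, or when any filesystem is nearly full.

```shell
#!/bin/sh
# Added example (not from the thread): compare a FreeBSD layout, as reported by
# `df -m`, against the sizes Alfred suggests. The 120M / and 300M /var minimums
# are taken from his post and are assumptions; size /var for the workload.
check_layout() {
    # $1 is df -m output. Prints one line per filesystem with a status and
    # returns 1 if any filesystem is undersized or has under 10% free.
    printf '%s\n' "$1" | awk -v min_root=120 -v min_var=300 '
    NR == 1 { next }                                  # skip the df header
    {
        size = $2; avail = $4; mnt = $6
        min = (mnt == "/") ? min_root : ((mnt == "/var") ? min_var : 0)
        status = "ok"
        if (min > 0 && size < min) status = "undersized"
        if (avail * 10 < size)                        # under 10% free
            status = (status == "ok") ? "nearly-full" : (status "+nearly-full")
        printf "%-12s %6dM total %6dM free  %s\n", mnt, size, avail, status
        if (status != "ok") bad++
    }
    END { exit (bad ? 1 : 0) }'
}

# Constructed sample mirroring the numbers in the original post:
# 48M / with 18M free, 19M /var, 7.2G /usr and an 8.3G /home on drive 2.
SAMPLE_DF='Filesystem  1M-blocks  Used  Avail Capacity  Mounted on
/dev/da0s1a        48    30     18      62%  /
/dev/da0s1d        19     0     19       0%  /var
/dev/da0s1f      7372   900   6472      12%  /usr
/dev/da1s1e      8500   100   8400       1%  /home'

check_layout "$SAMPLE_DF" || echo "layout needs attention"
```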



Re: Is this how to use Freebsd?

2000-11-02 Thread Moritz Hardt


It seems to me that your network administrators are a bit inexperienced with Linux, BSD and system security.

If a machine gets compromised, the first step should be to unplug it from the network and try to analyze who hacked the machine. Since I think you were hacked by standard script kiddies, they probably left tracks. So, go through logfiles, etc.

Installing FreeBSD or any other OS is not a guarantee for security. You should read the security documentation of the OS and it is important to stay up-to-date with your patches. Sign up for [EMAIL PROTECTED] for example and see if discovered bugs and holes concern your system. There are a lot of things you can do. I can't list them all.

Now to your mount problem. First I have to say that you should use the FreeBSD partition/mountpoint setup during the installation.
The step 'mv /usr /usr/usr' is definitely not understandable, since you mess up the whole system. The next steps you did are at least as bad as the first one.

Your new mount configuration seems really strange to me, as well. Is it possible that the admin doesn't know much about Unix?

Anyway, I recommend you read the FreeBSD Handbook first, since it explains a lot. You can find it at www.freebsd.org/handbook/



--Original Message Text---
From: Don Muller
Date: Thu, 2 Nov 2000 10:51:30 -0600


Re: Is this how to use Freebsd?

2000-11-02 Thread Daniel C. Sobral

Alfred Perlstein wrote:
> 
> That's a typical 'Linux' partitioning choice, personally I dislike it
> and prefer something like:
> 
> 120M /
> 300M /var
> 2xRAM swap (limit 1 gig)
> rest /usr

I like having a separate /tmp. / can then be 50 or 60 Mb. But,
particularly, a 300Mb /var depends heavily on what the machine is being
used for. It could well languish with 290 Mb free for some kinds of
servers, and particularly for desktop machines.

> /usr may be split into /usr and /usr/home, if so /usr usually gets
> about 1.5gigs and /usr/home gets the rest.

/usr and /home, please. :-) That's our default.

> A couple of suggestions:
> 
> 1) please wrap lines at 70 characters when posting to the list.

Furthermore, DO NOT send html-formatted messages. I, for one, delete
without even reading all html-formatted messages.

-- 
Daniel C. Sobral (8-DCS)
[EMAIL PROTECTED]
[EMAIL PROTECTED]
[EMAIL PROTECTED]

He has been convicted of criminal possession of a clue with intent to
distribute.





Re: Is this how to use Freebsd?

2000-11-02 Thread Alfred Perlstein

* Daniel C. Sobral <[EMAIL PROTECTED]> [001102 19:26] wrote:
> > 
> > 1) please wrap lines at 70 characters when posting to the list.
> 
> Furthermore, DO NOT send html-formatted messages. I, for one, delete
> without even reading all html-formatted messages.

I usually do as well, but mutt sometimes decodes them to plain
text; some mailers send mail in such a way that mutt doesn't, and
those I nuke with extreme prejudice. :)

-- 
-Alfred Perlstein - [[EMAIL PROTECTED]|[EMAIL PROTECTED]]
"I have the heart of a child; I keep it in a jar on my desk."





Re: Is this how to use Freebsd?

2000-11-03 Thread Renaud Waldura

Of course, if this is a workstation you're setting up, don't bother with any
of that and just use a single / partition (and maybe a MFS /tmp). No need to
be sophisticated.

--Renaud



- Original Message -
From: Daniel C. Sobral <[EMAIL PROTECTED]>
To: Alfred Perlstein <[EMAIL PROTECTED]>
Cc: Don Muller <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Sent: Thursday, November 02, 2000 7:22 PM
Subject: Re: Is this how to use Freebsd?








Re: Is this how to use Freebsd?

2000-11-04 Thread Rik van Riel

On Thu, 2 Nov 2000, Don Muller wrote:

> Well, the company did not explain how, or why it happened. The
> programmer I work with suggested BSD.Of course I wanted security!

> Well, they gave me some explanation that the server was hacked at the
> xfs port. But later I was told that the ftp port on redhat 6.2 was the
> vulnerability, so they actually were not sure?

> So this is when we had the network people install Freebsd. And where
> my questions lie.

I wouldn't trust *THOSE* people with any OS :)

Linux and BSD are comparable in security; both rely on a
competent admin to keep the system secure over time.

Lacking a competent admin on-site, you may look into a
free Unix which has the capability of semi-automatically
upgrading itself.

I suspect the BSDs can do that; Conectiva Linux, Debian
Linux and all Debian derivatives do that too (apt-get).
Systems lacking that ability will always be in danger of
getting behind in security updates when the admins don't
look after the machine...

regards,

Rik
--
The Internet is not a network of computers. It is a network
of people. That is its real strength.

http://www.conectiva.com/   http://www.surriel.com/






Re: Is this how to use Freebsd?

2000-11-04 Thread Gregory Sutter

On 2000-11-02 20:56 -0800, Alfred Perlstein <[EMAIL PROTECTED]> wrote:
> * Daniel C. Sobral <[EMAIL PROTECTED]> [001102 19:26] wrote:
> > > 
> > > 1) please wrap lines at 70 characters when posting to the list.
> > 
> > Furthermore, DO NOT send html-formatted messages. I, for one, delete
> > without even reading all html-formatted messages.
> 
> I usually do as well, but mutt sometimes decodes them to plain
> text, some mailers send mail in such a way that mutt doesn't
> those I nuke with extreme prejudice. :)

This works really well in making HTML mail very readable.  Substitute
w3m if you wish:

klapaucius gsutter ~ $ grep lynx .mailcap
text/html; lynx -restrictions=all -dump -force_html %s; copiousoutput; nametemplate=%s.html

Greg
-- 
Gregory S. Sutter   I got a 1GHz Athlon for my girlfriend.
mailto:[EMAIL PROTECTED] Good trade!
http://www.zer0.org/~gsutter/ 
hkp://wwwkeys.pgp.net/0x845DFEDD

