Re: [luau] Looking for help on attempted cracking....
By the way you worded "log entries where the firewall is blocking various IPs when certain rules are matched.", it sounds like your default rule is not deny. It is best to deny all and then allow specific traffic. Or else, you may not be blocking things you didn't know were there to block in the first place.

Tom

Please respond to [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
cc:
Subject: Re: [luau] Looking for help on attempted cracking

Vince,

SSH is closed on the firewall, although it is running on my box. As far as keeping my box updated goes, I regularly run up2date among other things. While I realize that that may not cover everything, so far it has served me well (until now that is...)

I'll work on a better way to verify that my firewall script is working. Typically, I check the boot logs to make sure that it loads when I do boot, and I am seeing log entries where the firewall is blocking various IPs when certain rules are matched. From that I gather that the firewall is working, but as you can see here, it appears that on at least this occasion, it did not stop a connection to my ftp directory that it should have.

Reinstall coming very soon

Thanks,

Ben

On Sunday 12 October 2003 09:09 am, you wrote:
> On Sat, Oct 11, 2003 at 09:47:35PM -1000, Ben Beeson wrote:
> > 1) How did the cracker get past the firewall?
>
> Is SSH open and unpatched? I bet it is.
>
> > 2) Does this represent a hole that can be plugged?
>
> You can plug it up, but there are no guarantees a backdoor was
> not left behind.
>
> > 3) What else should I check or do to make sure that I'm not
> > "owned" by someone but me?
>
> Completely reinstall your system, installing only what you know
> you need.
>
> Update all your packages.
>
> > 4) How can I keep this person out in the future?
>
> Keep your system updated.
>
> Read up on file integrity scanners. Audit your filesystem regularly.
>
> How do you know the firewall script worked? Do not just run a
> script and expect it to work the way you think it is supposed to
> work. Verify.
>
> -Vince

___
LUAU mailing list
[EMAIL PROTECTED]
http://videl.ics.hawaii.edu/mailman/listinfo/luau

Re: [luau] Looking for help on attempted cracking....
Vince,

SSH is closed on the firewall, although it is running on my box. As far as keeping my box updated goes, I regularly run up2date among other things. While I realize that that may not cover everything, so far it has served me well (until now that is...)

I'll work on a better way to verify that my firewall script is working. Typically, I check the boot logs to make sure that it loads when I do boot, and I am seeing log entries where the firewall is blocking various IPs when certain rules are matched. From that I gather that the firewall is working, but as you can see here, it appears that on at least this occasion, it did not stop a connection to my ftp directory that it should have.

Reinstall coming very soon

Thanks,

Ben

On Sunday 12 October 2003 09:09 am, you wrote:
> On Sat, Oct 11, 2003 at 09:47:35PM -1000, Ben Beeson wrote:
> > 1) How did the cracker get past the firewall?
>
> Is SSH open and unpatched? I bet it is.
>
> > 2) Does this represent a hole that can be plugged?
>
> You can plug it up, but there are no guarantees a backdoor was
> not left behind.
>
> > 3) What else should I check or do to make sure that I'm not
> > "owned" by someone but me?
>
> Completely reinstall your system, installing only what you know
> you need.
>
> Update all your packages.
>
> > 4) How can I keep this person out in the future?
>
> Keep your system updated.
>
> Read up on file integrity scanners. Audit your filesystem regularly.
>
> How do you know the firewall script worked? Do not just run a
> script and expect it to work the way you think it is supposed to
> work. Verify.
>
> -Vince

RE: [luau] Looking for help on attempted cracking....
>>box in the /home/ftp/pub/.. area. So far, it does not appear to have been

was FTP running? you have anon accounts? did you KNOW ftp was running?

Re: [luau] Looking for help on attempted cracking....
On Sat, Oct 11, 2003 at 09:47:35PM -1000, Ben Beeson wrote:
> 1) How did the cracker get past the firewall?

Is SSH open and unpatched? I bet it is.

> 2) Does this represent a hole that can be plugged?

You can plug it up, but there are no guarantees a backdoor was not left behind.

> 3) What else should I check or do to make sure that I'm not
> "owned" by someone but me?

Completely reinstall your system, installing only what you know you need.

Update all your packages.

> 4) How can I keep this person out in the future?

Keep your system updated.

Read up on file integrity scanners. Audit your filesystem regularly.

How do you know the firewall script worked? Do not just run a script and expect it to work the way you think it is supposed to work. Verify.

-Vince

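One way to do the verification asked for in this thread, as an added example that is not part of any poster's message: walk the INPUT chain of an `iptables-save` dump as a new inbound TCP connection and report whether a rule or the default policy decides it. The rule set is constructed, the function names are hypothetical, and the walk assumes no `!` negation and no user-defined chains, and ignores match options it does not recognise.

```python
import ipaddress
import shlex

# Constructed iptables-save output (not from the thread): specific drops, default ACCEPT.
SAMPLE_ACCEPT = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 192.0.2.10/32 -j LOG --log-prefix "blocked: "
-A INPUT -s 192.0.2.10/32 -j DROP
-A INPUT -p tcp -m tcp --dport 22 -j DROP
COMMIT
"""
SAMPLE_DENY = SAMPLE_ACCEPT.replace(":INPUT ACCEPT", ":INPUT DROP")

def parse_filter(dump):
    """Return (chain policies, rule token lists) from the *filter table of a dump."""
    policies, rules, in_filter = {}, [], False
    for line in map(str.strip, dump.splitlines()):
        if line.startswith("*"):
            in_filter = line == "*filter"
        elif in_filter and line.startswith(":"):
            chain, policy = line[1:].split()[:2]
            policies[chain] = policy
        elif in_filter and line.startswith("-A "):
            rules.append(shlex.split(line))
    return policies, rules

def opt(tokens, *names):
    """Value following the first option name present in the rule, else None."""
    return next((tokens[tokens.index(n) + 1] for n in names if n in tokens), None)

def verdict_new_tcp(dump, src, dport, iface="eth0"):
    """Walk INPUT as a NEW inbound TCP packet; return (verdict, deciding rule or 'policy')."""
    policies, rules = parse_filter(dump)
    for t in (r for r in rules if r[1] == "INPUT"):
        i, s, p, st = opt(t, "-i"), opt(t, "-s"), opt(t, "-p"), opt(t, "--state", "--ctstate")
        lo, _, hi = (opt(t, "--dport") or "0:65535").partition(":")
        if ((i and i != iface) or (p and p != "tcp") or (st and "NEW" not in st.split(","))
                or (s and ipaddress.ip_address(src) not in ipaddress.ip_network(s, strict=False))
                or not int(lo) <= dport <= int(hi or lo)):
            continue
        if opt(t, "-j") in ("ACCEPT", "DROP", "REJECT"):  # LOG and others do not end the walk
            return opt(t, "-j"), " ".join(t)
    return policies["INPUT"], "policy"
```

With the constructed rules, a connection to port 21 from an unlisted address falls through to the policy, so the same rule set that logs blocked IPs still accepts FTP until the INPUT policy is DROP.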
[luau] Looking for help on attempted cracking....
Aloha,

I saw in my logs today an attempt to install a bunch of directories on my box in the /home/ftp/pub/.. area. So far, it does not appear to have been successful, but I am now curious how this may have happened. I am running MonMotha's firewall (pre9) and the TCP_ALLOW variable is empty. In other words, I should not be allowing anything in except in response to an already established connection (I think). Anyway, there it is in my log, an attempt to install a bunch of directories. Now I am wondering a few things.

1) How did the cracker get past the firewall?
2) Does this represent a hole that can be plugged?
3) What else should I check or do to make sure that I'm not "owned" by someone but me?
4) How can I keep this person out in the future?

Thanks,

Ben