
Re: Hacked; looking to prevent this from happening again



>I'm looking to shore things up, security-wise. Did the hosts.deny/allow
>and ssh thing (I sure hope Red Hat 6.0 will have ssh-*.rpm's included),
>closed up as many external ports as possible. Now I'd like to install
>something like Abacus/Sentry/Tripwire, etc. to prevent this from
>reoccurring. Also, what is the "strobe" patch? Something that 2.0.36
>could handle?

All good things, bet you wish you would have done them earlier. Tripwire is also a
good idea, and kill all services that are not necessary as well. I would also
run Crack against the passwd file (should also make sure shadow passwds are
installed). Also just saw this on freshmeat.net: "efingerd", which is an
alternative finger daemon, can let you do other things when a finger request
comes in, since crackers often try finger as one of the first things to scan
your box.
http://md.us.mirrors.freshmeat.net/appindex/1999/02/28/920210406.html

just a few ideas.
-aaz





At 06:03 PM 3/2/99 -0500, you wrote:
>Hey all:
>
>Some little @#$ % %%# %!@ $$ hacked into one of our school servers. I
>was trying to resolve some problems that were reported to me, and I
>happened to discover a user named "moof" with root access. The log files
>were gone and who knows what else was compromised.
>
>I "took care of business" but I'm worried about this happening again. The
>server was running 5.1, but I am really diligent about applying updates
>from Red Hat. I also don't allow shell accounts. Obviously there is an
>external daemon still vulnerable.
>
>I'm looking to shore things up, security-wise. Did the hosts.deny/allow
>and ssh thing (I sure hope Red Hat 6.0 will have ssh-*.rpm's included),
>closed up as many external ports as possible. Now I'd like to install
>something like Abacus/Sentry/Tripwire, etc. to prevent this from
>reoccurring. Also, what is the "strobe" patch? Something that 2.0.36
>could handle?
>
>Just wondering which options I should look into. I'd like something that
>will detect a break-in attempt and cut the connection to the attacker for
>a given interval of time. But I do worry about restricting legitimate
>traffic if a false alarm is raised.
>
>I sure wish people would find more productive things to do with their
>time. Hundreds of elementary school children at this site were unable to
>do productive work in the computer lab for the last week.
>
>--------------< LINUX: The choice of a GNU generation. >--------------
>Steve Frampton <3srf qlink queensu ca>
>http://qlink.queensu.ca/~3srf
>
>
>--
>PLEASE read the Red Hat FAQ, Tips, Errata and the MAILING LIST ARCHIVES!
>http://www.redhat.com
>http://archive.redhat.com
>To unsubscribe: mail redhat-list-request redhat com with
>"unsubscribe" as the Subject.
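Two of the checks the thread recommends, written out as an added example that is not from either poster: a passwd audit that flags any extra UID-0 account (the "moof" problem) and any account whose hash was never moved into shadow, plus a minimal Tripwire-style baseline and comparison. The passwd content and file contents below are constructed samples, not a real host's data.

```python
"""Post-compromise audit helpers: passwd sanity checks and a file-integrity baseline."""
import hashlib
from typing import Dict, List, Tuple

# Constructed sample /etc/passwd. It contains a second UID-0 login ("moof",
# as in the incident above) and one account whose hash is still in passwd
# rather than in /etc/shadow. The hash value is a placeholder, not real.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
moof:x:0:0::/tmp:/bin/sh
steve:$1$abcdefgh$PLACEHOLDERHASH:500:500:Steve:/home/steve:/bin/bash
"""


def _records(passwd_text: str) -> List[List[str]]:
    """Split passwd text into field lists, skipping blanks, comments and short lines."""
    out = []
    for line in passwd_text.splitlines():
        if line and not line.startswith("#"):
            fields = line.split(":")
            if len(fields) >= 7:
                out.append(fields)
    return out


def find_extra_root_accounts(passwd_text: str) -> List[str]:
    """Return every login other than 'root' that has UID 0 (root-equivalent)."""
    return [f[0] for f in _records(passwd_text) if f[2] == "0" and f[0] != "root"]


def find_unshadowed_accounts(passwd_text: str) -> List[str]:
    """Return logins whose password field is a real hash instead of x/*/! (not shadowed)."""
    return [f[0] for f in _records(passwd_text) if f[1] not in ("x", "*", "!", "")]


def baseline_from_bytes(files: Dict[str, bytes]) -> Dict[str, str]:
    """Tripwire-style baseline: map each path to the SHA-256 of its contents."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}


def snapshot(paths: List[str]) -> Dict[str, str]:
    """Build a baseline from real files on disk (read as bytes)."""
    return baseline_from_bytes({p: open(p, "rb").read() for p in paths})


def compare(old: Dict[str, str], new: Dict[str, str]) -> Tuple[List[str], List[str], List[str]]:
    """Return (changed, missing, added) paths of `new` relative to the stored baseline `old`."""
    changed = sorted(p for p in old if p in new and old[p] != new[p])
    missing = sorted(p for p in old if p not in new)
    added = sorted(p for p in new if p not in old)
    return changed, missing, added
```

Store the baseline from `snapshot()` on read-only media, since an intruder who already has root can rewrite a baseline kept on the same disk.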


