--- W B Hacker <[EMAIL PROTECTED]> wrote:
> Troy Engel wrote: > > > Marc Perkel wrote: > > > >>I'm trying to prevent hackers who might get in from being able to > send > >>email if they manage to hack me. I want it so that unless they are > >>specific users that they have no rights to connect to port 25 or > run exim. > > > > > > Does this machine receive email? If not, then the solution is > simple: > > > > 1) decide on a smarthost (another machine) to accept mail from this > > > IP/machine (ie relay). This machine could run Exim in normal mode. > > > > 2) configure Apache and Exim sending to use that smarthost, and > only > > allow root or apache to use Exim. However, I would recommend using > > something like 'msmtp' instead of Exim to provide outgoing mail > only. > > (http://msmtp.sourceforge.net/) and not listen on port 25, it's not > needed. > > No help. IF the box itself has been compromised, the perp has > shell access. With that, Exim is not needed - they can install > and run theior own smtp. > > > > > 3) use iptables to block any outgoing SMTP (ports 25, 465, 587) to > any > > machine other than the smarthost you decided on above. (see > > http://oceanpark.com/notes/firewall_example.html) > > > > Not 100% useful. MTA's *listen* (for other mx) on port 25. They > ordinarily *send* on random ports well above 1024. > It is trivial to block all outbound traffic destined for mail ports, then allow for certain local accounts. > > > Of course, if you need to receive mail on this machine then life is > that > > much more complicated, but still using a smarthost and iptables > together > > is your best chance at success. However, a hacker would most likely > run > > the receiving SMTP server on an unusual port, so you might have to > use a > > more hardcore iptables setup (ie disallow all outbound traffic > instead > > of what's needed). > > That last part is the hardest. Even IF one can configure the MTA > to use a specific outbound port and close all others, it will > relinquish that port between sending sessions. > > At that point, some other process has a chance of grabbing it > and using it. > > Further, it is generally a safe assumption that any entity > clever/patient enough to crack a shell account, can and will, > escalate privileges, eventually to 'root'.. > > To be 'certain', the box has to be constructed in such a way > that even 'root' cannot add/alter authorized users, nor alter > the config file, nor invoke other daemons ('coz there are no > HDD, utilities, nor coms channels - only PROM). That spells > state machine, and physically swapped PROMs, not in-place > reprogrammable ones. You can do this with both selinux and FreeBSD MAC extensions, I'm sure you can do it w/ other systems as well but I haven't. Both can be defeated by booting with single user mode but it would be much easier for such a spam forger to swap the network cable into his laptop and send spam if the purpose of his spamming is to defame the sending host :) Probably easier to guess the default password in the catalyst switch and wreck havoc from there! > > And/or 'non-UNIX/Linux' - i.e. a single-user/process hardware > device of another sort. > > As in an OS/2 cash-till/Automated Teller Machine - which doesn't > even have command shell or GP UI in the conventional sense - > just button-scan and canned graphics. > > Bill > > > > > > > hth, > > -te > > > > > -- > ## List details at http://www.exim.org/mailman/listinfo/exim-users > ## Exim details at http://www.exim.org/ > ## Please use the Wiki with this list - http://www.exim.org/eximwiki/ > -- ## List details at http://www.exim.org/mailman/listinfo/exim-users ## Exim details at http://www.exim.org/ ## Please use the Wiki with this list - http://www.exim.org/eximwiki/
