On Wed, 23 Jun 1999, Gerardo Soto wrote:
> Hi to everyone.
> I have configured my router ( cisco 2511 IOS 11.1) to deny
> everything but tcp 25, udp & tcp 53 , tcp 80 .
1. Have you tested the filter rules to make _sure_ they work?
2. Now you have to secure the services that you're allowing. If you're
running BIND for DNS, that means moving to a fixed version, there are
exploits in older versions. Whatever version of mail software, the same
thing probably. Lastly for a Web server, you have to make sure you're
not on a buggy version of the server daemon *and* that there are no
exploitable scripts accessible.
3. Are there any other machines on the subnet that could be used as an
attack vector (such as a trojaned Win9x machine)?
4. Could any of the client programs you're using be trojaned (if
applicable), or if that's not a factor, are you blocking outbound traffic
that isn't DNS or ESTABLISHED?
Once you're sure you've done all of that, make sure that your router
isn't accessible from the Internet. The number of routers getting
compromised seems pretty large nowadays, especially if they have HTTP
configs enabled.
Lastly, did you reload the OS after the original compromise? You could
be running a trojaned service or library if you didn't.
If you had an idea of the attack vector used to compromise the host, it'd
be a lot easier. If possible, I'd suggest logging the services you do
allow off to a second log-only host.
Paul
-----------------------------------------------------------------------------
Paul D. Robertson "My statements in this message are personal opinions
[EMAIL PROTECTED] which may have no basis whatsoever in fact."
PSB#9280
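As an added example, not part of Gerardo's post or Paul's reply: the filter Gerardo described, together with the outbound restriction, router lockdown and remote logging Paul recommends, written in IOS extended access-list syntax. The interface names, the 192.0.2.0/24 server LAN, the management host and the log host are assumptions.

```text
! Constructed example for an IOS 11.x-era router; addresses and
! interface names are assumed, not taken from the thread.
!
! Inbound from the Internet (point 1: test these before trusting them):
! only SMTP, DNS and HTTP reach the servers, plus replies to TCP
! connections that were opened from inside ('established' = ACK/RST set).
access-list 101 permit tcp any 192.0.2.0 0.0.0.255 eq 25
access-list 101 permit udp any 192.0.2.0 0.0.0.255 eq 53
access-list 101 permit tcp any 192.0.2.0 0.0.0.255 eq 53
access-list 101 permit tcp any 192.0.2.0 0.0.0.255 eq 80
access-list 101 permit tcp any 192.0.2.0 0.0.0.255 established
access-list 101 deny   ip any any log
!
! Outbound from the LAN (point 4): nothing leaves except DNS and the
! replies belonging to connections already established inbound. An MTA
! that must relay mail out would additionally need 'tcp ... eq 25'.
access-list 102 permit udp 192.0.2.0 0.0.0.255 any eq 53
access-list 102 permit tcp 192.0.2.0 0.0.0.255 any eq 53
access-list 102 permit tcp 192.0.2.0 0.0.0.255 any established
access-list 102 deny   ip any any log
!
interface Serial0
 description Internet uplink
 ip access-group 101 in
interface Ethernet0
 description server LAN 192.0.2.0/24
 ip access-group 102 in
!
! Router management: disable the HTTP configuration interface (where the
! release has it) and accept telnet to the router only from one internal
! management host, so the router itself is not reachable from outside.
no ip http server
access-list 10 permit 192.0.2.10
access-list 10 deny   any log
line vty 0 4
 access-class 10 in
!
! Ship the 'deny ... log' hits (and everything else at level 6 and up)
! to a separate log-only host, as suggested at the end of the reply.
logging 192.0.2.20
logging trap informational
```

With both ACLs in place, the `deny ... log` lines are also what makes point 1 testable: a connection attempt on a port that should be closed must show up on the log host as a denied entry, not as a silent drop or an accepted connection.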