From: "Arvind" <[EMAIL PROTECTED]>
> I will rebuild the whole machine... but for now... I need a little fix to keep
> the server up for some time.
A very, very bad idea, unless the server is too crucial. See, if you are able to determine that the server has been compromised, then you must consider the fact that the cracker might use your server to scan and attack other vulnerable servers across the internet... which will of course get you and/or your ISP bombarded with lots of lovely mails from the admins of other hosts. If the server doesn't have any crucial data, just format it and set it up again... else take a careful backup of only and only the data files.

Secondly, since this is Red Hat, as root, type ntsysv and disable all services you do not need. You probably don't even need the ftp service. Even if you do, at least remove the ftp account from /etc/passwd etc. to disallow anonymous ftp. You might also consider uninstalling the anon-ftp package altogether. Also disable unused services in xinetd.d and do a 'service xinetd restart', of course (or reboot, at least).

Third, update your system. Try using the Red Hat Network service http://rhn.redhat.com . It will let you see what packages are outdated and contain security bugs. Update all of them (and do this periodically). Red Hat Network provides an auto e-mail notification service which mails you at an address provided by you, to inform you about any package updates the registered system requires, as and when the updates come out. Disable rhnsd when you are done updating for the session.

Fourth, install tripwire. It is simple enough. Configure the e-mail notification option and it will mail you if someone installs a rootkit that modifies the system binaries.

Fifth, you might wish to configure and start portsentry. It will protect you from portscans, which are usually a precursor to attacks. The moment a system tries to connect to any of the ports on your server that it is not supposed to, it gets blocked.

Sixth, install snort. It is an excellent IDS. You will get to know what attacks/exploits were tried against your system, along with the IP address. Track the IP address via the ARIN/APNIC/whatever whois database. Also cross-verify against the InterNIC domain whois. Mail a complaint to the concerned ISP/technical contact.

Seventh, install chkrootkit from www.chkrootkit.org . Run this once or more, on an almost everyday basis. It will make a quick check as to whether your ethernet interface is running in promiscuous mode (i.e. sniffing for passwords etc. Or they might be sniffing all your mails on your mailserver for keywords like CREDIT CARD etc. You get the idea...) and it will check for common rootkits as well as tell you about any suspicious new hidden files being installed.

Eighth, install and configure an ipchains/iptables firewall to block the outside world from accessing your server in ways other than what you see fit.

Ninth, secure all the services that you *do* allow to run.

Tenth, check the logs every day. If you are too busy for it or there are just too many servers, install something like logwatch to e-mail you a summary report. Also forward the logs to another secure system on your network, if you can. In case the hacker does modify the logs on the compromised system, he still may not be able to change the copy of the logs on the other server. This will help you in determining where the attack came from.

Eleventh, be paranoid. Assume all of the above security methods have been compromised anyway, and reinstall the latest RPMs for the basic system commands like ps, netstat, sh etc. every now and then, just to ensure that when you do a periodic ps -aux, you are able to see *all* processes running.

And last, as the movies say, trust nothing and no one. :)

Regards,
Abhi
_______________________________________________
linux-india-help mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/linux-india-help
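A small check for the seventh and eleventh points above, added here as an example and not part of Abhi's post: it scans `rpm -Va` output for system binaries whose digest no longer matches the package database, and `ip link show` output for interfaces in promiscuous mode. Both inputs below are constructed samples, not output from any real host.

```shell
#!/bin/sh
# Constructed sample of `rpm -Va` output (not from the original post).
# Each line is 9 verify flags, whitespace, an optional file-type marker
# (c = config file), then the path. A '5' in column 3 means the file's
# digest differs from what the package installed.
SAMPLE_RPM_VA='S.5....T.    /bin/ps
..5....T.  c /etc/ssh/sshd_config
.......T.    /usr/bin/find
S.5....T.    /sbin/ifconfig
missing     /usr/sbin/foo'

# Constructed sample of `ip link show` output.
SAMPLE_IP_LINK='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
2: eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP'

# Print paths under /bin, /sbin, /usr/bin or /usr/sbin whose digest has
# changed. Config files (marker "c") are skipped: they legitimately change.
# "missing" lines have a 7-character first field and are ignored here.
modified_binaries() {
    printf '%s\n' "$1" | awk '
        length($1) == 9 && substr($1, 3, 1) == "5" {
            if (NF == 3 && $2 == "c") next
            path = $NF
            if (path ~ /^\/(usr\/)?s?bin\//) print path
        }'
}

# Print the name of every interface whose flag list contains PROMISC.
# Splitting on ": " gives index, name, then flags and the rest of the line.
promisc_interfaces() {
    printf '%s\n' "$1" | awk -F': ' '$3 ~ /PROMISC/ { print $2 }'
}

# Demonstration on the constructed samples. On a live host, pass
# "$(rpm -Va 2>/dev/null)" and "$(ip link show)" instead.
echo "Binaries with changed digests:"
modified_binaries "$SAMPLE_RPM_VA"
echo "Interfaces in promiscuous mode:"
promisc_interfaces "$SAMPLE_IP_LINK"
```

Both checks rely on the local rpm binary, RPM database, ip and awk, all of which a rootkit can replace, which is why the post also suggests reinstalling the core RPMs rather than trusting the installed tools alone.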
