whois [EMAIL PROTECTED]




On Wed, 8 Dec 1999, Jeff Graves wrote:

> I found the address of someone that was running some services they 
> shouldn't have tried to run. Not only did my mail server get hacked but 
> an attempt was made on my primary dns server as well. I found an IP that 
> repeatedly tried using telnet and finger as well as ftp. How do I find 
> who owns it? Tried an nslookup with no luck. Tried a ping with no luck. 
> Traceroute turns up a bunch of other IP address in that subnet with no 
> domain name. Any ideas?
> 
> TIA
> jeff
> 
> -----Original Message-----
> From: Jeff Hogg [SMTP:[EMAIL PROTECTED]]
> Sent: Wednesday, December 08, 1999 1:53 PM
> To:   [EMAIL PROTECTED]
> Subject:      Re: Got hacked, need to make sure it doesn't happen again
> 
> 
> -----Original Message-----
> From: Jeff Graves <[EMAIL PROTECTED]>
> To: '[EMAIL PROTECTED]' <[EMAIL PROTECTED]>
> Date: Wednesday, December 08, 1999 12:31 PM
> Subject: Got hacked, need to make sure it doesn't happen again
> 
> 
> >My mail server got hacked last night. I guess I was asking for it though. I
> >didn't really do any security checks or close any ports. In fact I just
> >installed everything and left everything open. At any rate, I came in this
> >morning and everything wasn't working. I had to reinstall and set up
> >sendmail and the pop3 service all over again. And add all the users. It
> >took about 3 hours. I was just wondering if anyone can tell me what logs I
> >should monitor all the time and what I need to shut off. I reinstalled the
> >server using the bare minimum. It has sendmail, the linux kernel, apache,
> >some ftp services, and a couple of other things. Other than that, it's
> >empty. I needed apache because I want to run some sort of Internet front
> >end for my users so they can check their mail. Anyway, I have a few books
> >I'm tearing apart doing everything I can but I figured first-hand tech
> >knowledge is probably the best advice. Any help?
> 
> 
> That had to hurt. I'm about to open my own site here, and I've been working
> on learning what you're trying to learn as well.  I don't know enough to be
> called an expert, but it can't hurt to start somewhere.  I would suggest a
> careful writing of your hosts.allow and hosts.deny files.  I would also
> suggest downloading and installing ipchains.  I think you can get an rpm
> from most redhat mirrors.  I've got an IP-masqueraded LAN set up here in my
> office and have had to apply some security to the linux box I use as a
> "router".  It's set up with only those services I have a need for.  It has a
> hosts.deny of ALL:ALL and a hosts.allow of ALL:10.0.0. and ALL:127.0.0.1
> to allow the local lan and the localhost to use those services.  I also set
> up ipchains to do the following:
> 
> deny all ip forwarding by default.
> allow ip forwarding for just my local lan
> I deny all connection attempts coming into my modem.
> 
> The ipchains rules are fairly simple to use and seem very effective.  I have
> had no attempts succeed against this system so far.  Hopefully that state
> will continue.  I think it is a bit harder with a true server where ports
> need to be open, but you can still restrict entry to just those ports, and
> stop others from pretending to be a machine on your network.  I hope this
> helps.  Others will probably add a lot more :)
> 
> Jeff Hogg
> 
> 

-----------------------------------------------------
Brian Feeny (BF304)     [EMAIL PROTECTED]   
318-222-2638 x 109      http://www.shreve.net/~signal      
Network Administrator   ShreveNet Inc. (ASN 11881)            


-- 
To unsubscribe: mail [EMAIL PROTECTED] with "unsubscribe"
as the Subject.
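Added example, not written by any of the posters above: a small Python model of how tcp_wrappers' hosts_access(5) evaluates a connection against the hosts.deny ALL:ALL / hosts.allow ALL:10.0.0. pair that Jeff Hogg describes, so the ordering (allow first, then deny, then default grant) and the meaning of the trailing dot can be checked without touching a live box. It implements only part of the pattern syntax (ALL, exact address, trailing-dot network prefix, net/mask, one EXCEPT per list). The two file contents, the in.ftpd line and the 192.168.1.x and 203.0.113.9 addresses are constructed for the demonstration and are assumptions, not anything from the thread.

```python
"""Model of how tcp_wrappers' hosts_access(5) decides a connection:
the first matching line in hosts.allow grants it, otherwise the first
matching line in hosts.deny refuses it, otherwise it is granted.
Added example, not from the thread; only a subset of the pattern
syntax is implemented (ALL, exact address, trailing-dot network
prefix, net/mask, and a single EXCEPT per list)."""
import ipaddress

# Constructed sample files mirroring the rules described in the thread:
# hosts.deny refuses everything, hosts.allow re-admits the LAN and localhost.
HOSTS_DENY = """
ALL: ALL
"""

HOSTS_ALLOW = """
# localhost and the 10.0.0.x office LAN may reach every wrapped service
ALL: 10.0.0. 127.0.0.1
# hypothetical extra rule for a public server: one subnet may use ftp,
# except for a single host in it (addresses are made up)
in.ftpd: 192.168.1. EXCEPT 192.168.1.99
"""


def parse_access_file(text):
    """Return [(daemon_list, client_list), ...] in file order.
    Comments, blank lines and the optional third (shell command) field
    are ignored; backslash-newline continuations are joined."""
    rules = []
    for line in text.replace("\\\n", "").splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            raise ValueError("malformed access line: %r" % line)
        rules.append((fields[0], fields[1]))
    return rules


def _client_matches(token, addr):
    """One client-list token against a dotted-quad address."""
    if token == "ALL":
        return True
    if token.endswith("."):            # "10.0.0." is a network-number prefix
        return addr.startswith(token)
    if "/" in token:                   # "net/mask", e.g. 10.0.0.0/255.255.255.0
        return ipaddress.ip_address(addr) in ipaddress.ip_network(token, strict=False)
    return token == addr               # anything else must match exactly


def _daemon_matches(token, daemon):
    """One daemon-list token against the server process name."""
    return token == "ALL" or token == daemon


def _list_matches(pattern, value, token_matches):
    """Whitespace/comma separated list; 'A EXCEPT B' matches A but not B."""
    tokens = pattern.replace(",", " ").split()
    if "EXCEPT" in tokens:
        i = tokens.index("EXCEPT")
        positive, negative = tokens[:i], tokens[i + 1:]
    else:
        positive, negative = tokens, []
    return (any(token_matches(t, value) for t in positive)
            and not any(token_matches(t, value) for t in negative))


def hosts_access(daemon, client_addr, allow_text, deny_text):
    """Return (granted, reason) for one (daemon, client) pair."""
    for daemons, clients in parse_access_file(allow_text):
        if (_list_matches(daemons, daemon, _daemon_matches)
                and _list_matches(clients, client_addr, _client_matches)):
            return True, "hosts.allow: %s: %s" % (daemons, clients)
    for daemons, clients in parse_access_file(deny_text):
        if (_list_matches(daemons, daemon, _daemon_matches)
                and _list_matches(clients, client_addr, _client_matches)):
            return False, "hosts.deny: %s: %s" % (daemons, clients)
    return True, "no rule matched: granted by default"


if __name__ == "__main__":
    # constructed connection attempts, including the telnet/finger/ftp
    # probing mentioned in the thread coming from an outside address
    for daemon, addr in [("in.telnetd", "10.0.0.7"), ("in.fingerd", "127.0.0.1"),
                         ("in.telnetd", "203.0.113.9"), ("in.ftpd", "192.168.1.5"),
                         ("in.ftpd", "192.168.1.99")]:
        granted, why = hosts_access(daemon, addr, HOSTS_ALLOW, HOSTS_DENY)
        print("%-11s from %-14s -> %s (%s)" % (daemon, addr,
                                              "allow" if granted else "deny", why))
```

Two things the model makes visible: a pair that matches neither file is admitted, so without the ALL: ALL line in hosts.deny the allow file restricts nothing; and 10.0.0 without the trailing dot is compared as an exact address and matches no host, because only the trailing dot turns a token into a prefix. The files also only govern daemons started through tcpd or linked against libwrap; a server such as Apache that is not wrapped ignores them, which is where the ipchains rules in the same message come in.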
