Yeah, it's annoying, but he's probably done no harm yet. The best things
to do are to go through your /etc/rc.d/rcX.d where 'X' is your default run
level and make sure you've got any unnecessary services removed from startup
there (the symlinks starting with 'S'). Go through your /etc/inetd.conf
and comment out everything you don't absolutely need from there.
Particularly ftp if you are not using it. Then go into your hosts.deny
and put "ALL : ALL" then in hosts.allow put "ALL : 127.0.0.1 X.X.X.X"
where X.X.X.X is a list of fixed IP addresses that you'll allow
connections from. That will make it quite secure. Then finally, if you
run X on that box, add in an ipchains rule to your /etc/rc.d/rc.local to
drop IP traffic that comes in for sockets in the 6000 block (the X
server). Now you should be really tight.
I've had people try to send buffer overflow exploits to my ftp daemon 6
times in the past month.
On Tue, 29 Aug 2000, Scott Kindley wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Aug 29 04:21:12 ns1 in.telnetd[11975]: refused connect from 63.145.81.31
> Aug 29 04:21:12 ns1 in.telnetd[11977]: refused connect from 63.145.81.31
> Aug 29 04:21:12 ns1 in.telnetd[11976]: refused connect from 63.145.81.31
> Aug 29 04:21:12 ns1 in.telnetd[11978]: refused connect from 63.145.81.31
> Aug 29 04:21:12 ns1 in.telnetd[11979]: refused connect from 63.145.81.31
> Aug 29 04:21:12 ns1 in.telnetd[11980]: refused connect from 63.145.81.31
> Aug 29 04:21:12 ns1 in.telnetd[11981]: refused connect from 63.145.81.31
> Aug 29 04:21:12 ns1 in.telnetd[11982]: refused connect from 63.145.81.31
> Aug 29 04:21:13 ns1 in.telnetd[11983]: refused connect from 63.145.81.31
> Aug 29 04:21:13 ns1 imapd[11984]: refused connect from 63.145.81.31
> Aug 29 04:21:13 ns1 imapd[11988]: refused connect from 63.145.81.31
> Aug 29 04:21:13 ns1 imapd[11987]: refused connect from 63.145.81.31
> Aug 29 04:21:13 ns1 imapd[11985]: refused connect from 63.145.81.31
> Aug 29 04:21:13 ns1 imapd[11986]: refused connect from 63.145.81.31
> Aug 29 04:21:13 ns1 imapd[11989]: refused connect from 63.145.81.31
> Aug 29 04:21:13 ns1 in.telnetd[11990]: refused connect from 63.145.81.31
> Aug 29 04:21:13 ns1 in.telnetd[11991]: refused connect from 63.145.81.31
> Aug 29 04:21:13 ns1 in.telnetd[11992]: refused connect from 63.145.81.31
> Aug 29 04:21:15 ns1 in.telnetd[11993]: refused connect from 63.145.81.31
> Aug 29 04:21:15 ns1 imapd[11994]: refused connect from 63.145.81.31
> Aug 29 04:21:16 ns1 imapd[11995]: refused connect from 63.145.81.31
> Aug 29 04:21:16 ns1 imapd[11996]: refused connect from 63.145.81.31
> Aug 29 04:21:16 ns1 imapd[11997]: refused connect from 63.145.81.31
> Aug 29 04:21:16 ns1 in.telnetd[11998]: refused connect from 63.145.81.31
> Aug 29 04:21:16 ns1 in.telnetd[11999]: refused connect from 63.145.81.31
> Aug 29 04:21:16 ns1 in.telnetd[12000]: refused connect from 63.145.81.31
> Aug 29 04:21:16 ns1 in.telnetd[12001]: refused connect from 63.145.81.31
> Aug 29 04:21:16 ns1 in.telnetd[12002]: refused connect from 63.145.81.31
> Aug 29 04:21:16 ns1 in.telnetd[12003]: refused connect from 63.145.81.31
> Aug 29 04:21:19 ns1 in.telnetd[12004]: refused connect from 63.145.81.31
>
>
> Not one of my IPs. Don't know anybody using any IP on that network.
> Any suggestions on how to handle this? It's my first attempt at being
> hacked. I have him blocked with wrappers after a telnet attempt a few
> days ago that I thought looked funny. So for now I think I'm ok. I have
> checked my logs and verified nothing has changed on the system. So no
> entry was made. Still the attempt is bugging me.
>
> - -----
> Scott Kindley
>
> -----BEGIN PGP SIGNATURE-----
> Version: PGP 6.5.2
>
> iQA/AwUBOav+xdWX5RP8v4x6EQJz1ACg6Nfqhv9GFc+XjLBXgFc4+nh4UqUAnidp
> SCLYRw1deJdSu6VUI4Y4TxEQ
> =kYu/
> -----END PGP SIGNATURE-----
>
_______________________________________________
Redhat-list mailing list
[EMAIL PROTECTED]
https://listman.redhat.com/mailman/listinfo/redhat-list
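As an added example, not code from this thread, from Red Hat or from either poster: a small POSIX sh script that carries out the four steps in the reply above (trim the rcX.d S* links, comment out inetd.conf services, default-deny TCP wrappers, and the rc.local ipchains rule for the X server) against a staging directory rather than /etc. The rc3.d link names, the sample inetd.conf, the 192.0.2.x allow list and the wrappers_decide stand-in are assumptions for illustration; the ipchains rule is only printed, not executed.

```sh
#!/bin/sh
# Added example (not from the thread): the hardening steps in the reply,
# carried out against a staging copy so nothing under /etc is touched.  Point
# ETC at a real tree only after reviewing the result.  The service names,
# rc link names and the 192.0.2.x allow list are assumptions for illustration.
ETC="${ETC:-$(mktemp -d)}"
RCDIR="$ETC/rc.d/rc3.d"      # assume run level 3 is the default

# Constructed stand-ins for the files the reply tells you to go through.
write_samples() {
    mkdir -p "$RCDIR"
    for l in S10network S80sendmail S85httpd S90xfs; do
        : > "$RCDIR/$l"       # empty files standing in for the S* symlinks
    done
    cat > "$ETC/inetd.conf" <<'EOF'
# <service> <socket> <proto> <flags> <user> <server> <args>
ftp     stream  tcp     nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd
shell   stream  tcp     nowait  root    /usr/sbin/tcpd  in.rshd
imap    stream  tcp     nowait  root    /usr/sbin/tcpd  imapd
finger  stream  tcp     nowait  nobody  /usr/sbin/tcpd  in.fingerd
EOF
}

# Step 1: drop a service from the default run level by turning its S link into
# a K link (the Red Hat convention), e.g. S80sendmail -> K80sendmail.
disable_rc_service() {
    for l in "$RCDIR"/S[0-9][0-9]"$1"; do
        [ -e "$l" ] || continue
        n=${l##*/}
        mv "$l" "$RCDIR/K${n#S}"
    done
}

# Step 2: comment out every inetd service except those named in $1
# (space separated).  Blank and already commented lines pass through.
trim_inetd() {
    keep=" $1 "
    while IFS= read -r line; do
        case "$line" in
            ''|'#'*) printf '%s\n' "$line"; continue ;;
        esac
        svc=${line%%[[:space:]]*}
        case "$keep" in
            *" $svc "*) printf '%s\n' "$line" ;;
            *)          printf '#%s\n' "$line" ;;
        esac
    done < "$ETC/inetd.conf" > "$ETC/inetd.conf.new"
    mv "$ETC/inetd.conf.new" "$ETC/inetd.conf"
}

# Number of services inetd would still start after trimming.
active_inetd_services() {
    grep -v '^#' "$ETC/inetd.conf" | grep -c .
}

# Step 3: default-deny TCP wrappers policy.  tcpd reads hosts.allow first and
# hosts.deny second, so the allow list is the only way past "ALL : ALL".
write_wrappers() {
    printf 'ALL : ALL\n' > "$ETC/hosts.deny"
    printf 'ALL : 127.0.0.1 %s\n' "$1" > "$ETC/hosts.allow"
}

# Rough stand-in for the wrapper decision (exact host match only; real libwrap
# also handles masks, domains and wildcards).  Prints allow or deny.
wrappers_decide() {
    if grep -qwF "$1" "$ETC/hosts.allow"; then echo allow; else echo deny; fi
}

# Step 4: the rc.local rule.  X listens on TCP 6000 plus the display number, so
# 6000:6063 covers displays :0 through :63.  ipchains' silent drop is DENY.
x11_block_rule() {
    echo "ipchains -A input -p tcp -d 0.0.0.0/0 6000:6063 -j DENY"
}

# Demo run against the staging copy.
write_samples
disable_rc_service sendmail
trim_inetd "imap"
write_wrappers "192.0.2.10 192.0.2.11"
echo "staged in $ETC: $(active_inetd_services) inetd service(s) left active"
echo "192.0.2.10 -> $(wrappers_decide 192.0.2.10), 63.145.81.31 -> $(wrappers_decide 63.145.81.31)"
x11_block_rule
```

Two caveats when moving this from the staging copy to a live box. Wrappers only govern daemons started through tcpd or linked against libwrap, and "ALL : ALL" in hosts.deny also locks out any wrapped service you forget to list in hosts.allow, so review the staged files first and send inetd a HUP after editing inetd.conf. The ipchains rule has to sit ahead of any rule that accepts traffic, since ipchains takes the first match.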