A HACKER got into my server.
When I saw (suspected) that someone was in, I rebooted it.
httpd, squid, samba and who the hell knows what else stopped working.
For the moment I want to get only squid, samba and iptraf working again.
I noticed that there are very few files in /var/log.
HELP HELP HELP!!!
If possible, I would ask someone to set up an FTP account for me with the necessary
configurations so that I can copy them into mine.
Or tell me the commands I should run.
Reinstalling from scratch is not an option at this moment.
When restarting httpd I got this error:
[root@....]# service httpd start
Starting httpd: fopen: No such file or directory
httpd: could not open error log file /var/log/httpd/error_log.
[FAILED]
I created the httpd directory in /var/log.
I gave apache permissions on it and it still does not work.
I think I need to create some other directory as well.
Now in /var/log/httpd/error_log:
[Fri Feb 21 02:38:24 2003] [notice] Apache/1.3.20 (Unix) (Red-Hat/Linux)
mod_ssl/2.8.4 OpenSSL/0.9.6b DAV/1.0.2 PHP/4.0.6 mod_perl/1.24_01 configured --
resuming normal operations
[Fri Feb 21 02:38:24 2003] [notice] suEXEC mechanism enabled (wrapper:
/usr/sbin/suexec)
YES! With Squid I managed to recreate its log; with httpd I don't know what is wrong.
IF ANYONE CAN HELP ME I WILL BE IN THEIR DEBT!!!
- rebuild httpd/apache (or install another web server)
- reconfigure the firewall so that only the useful services stay open from the outside -
eth0 (DNS, Mail, WWW) and from the inside, sshd, ftp, squid, samba, mail, www, dns - eth1
- as for iptraf, I think I will reinstall it.
==============================
root 1203 0.0 0.2 2140 316 ? SN 00:59 0:00 //bin/sh
root 1895 0.0 0.2 1476 332 ? SN 01:05 0:00 /sbin/syslogd -m 0
root 1899 0.0 0.0 2264 4 ? SN 01:05 0:00 /usr/sbin/xinetd -reuse
root 2361 0.1 1.0 3468 1244 ? S 01:08 0:00 /usr/sbin/sshd
root 2364 0.0 1.0 2452 1256 pts/0 S 01:08 0:00 -bash
root 2833 0.0 0.8 2188 968 ? SN 01:13 0:00 ftp ftp.polarhome.com
ftp ftp.polarhome.com - this was not run by me
//bin/sh ???
/usr/sbin/sshd ???
syslogd ???
Message from syslogd@Perlea
perlea
After some time I ran ps -aux again
root 2921 0.0 0.8 2304 1060 ? SN 01:17 0:00 ftp ftp.netfirms.com
What looks strange to me in iptraf is:
ip28-43-171-209.toro1.na.psigh.com:64572 > 218 324244 CLOSED eth0
Perlea.Ro:1139 > 202 10504 CLOSED eth0
Perlea.Ro:ftp > 54 2491 --A- eth0
202.65.134.210:40391 > 53 2124 -PA- eth0
====================================================================
My firewall configuration:
echo "Inceput configurare firewall"
#
/sbin/ipchains -A input -s 0/0 -d 193.231.113.125 53 -p udp -i eth0 -j ACCEPT
/sbin/ipchains -A input -s 0/0 -d 193.231.113.125 53 -p tcp -i eth0 -j ACCEPT
/sbin/ipchains -A output -d 0/0 -s 193.231.113.125 53 -p udp -i eth0 -j ACCEPT
/sbin/ipchains -A output -d 0/0 -s 193.231.113.125 53 -p tcp -i eth0 -j ACCEPT
/sbin/ipchains -A input -s 0/0 -d 0/0 53 -p tcp -i eth0 -j ACCEPT
/sbin/ipchains -A input -s 0/0 -d 0/0 22 -p tcp -i eth0 -j ACCEPT
/sbin/ipchains -A input -s 0/0 -d 0/0 21 -p tcp -i eth0 -j ACCEPT
#
/sbin/ipchains -A output -d 0/0 -s 193.231.113.125 80 -p tcp -i eth0 -j ACCEPT
/sbin/ipchains -A input -s 0/0 -d 193.231.113.125 80 -p tcp -i eth0 -j ACCEPT
#
/sbin/ipchains -A input -s 0/0 -d 0/0 25 -p tcp -y -j ACCEPT
/sbin/ipchains -A input -s 0/0 -d 0/0 80 -p tcp -y -j ACCEPT
#
/sbin/ipchains -A input -s 0/0 67:68 -d 0/0 67:68 -p udp -i eth0 -j ACCEPT
/sbin/ipchains -A input -s 0/0 67:68 -d 0/0 67:68 -p udp -i eth1 -j ACCEPT
#
/sbin/ipchains -A input -s 0/0 -d 0/0 -i lo -j ACCEPT
/sbin/ipchains -A input -s 0/0 -d 0/0 -i eth1 -j ACCEPT
#
/sbin/ipchains -A input -p tcp -s 0/0 -d 0/0 6666:7000 -i eth0 -j REJECT
/sbin/ipchains -A output -p tcp -d 0/0 -s 0/0 6666:7000 -i eth0 -j REJECT
#
/sbin/ipchains -A input -p tcp -s 0/0 -d 193.231.113.125 8081 -i eth0 -j REJECT
/sbin/ipchains -A output -p tcp -d 0/0 -s 193.231.113.125 8081 -i eth0 -j REJECT
/sbin/ipchains -A input -p tcp -s 0/0 -d 193.231.113.125 2000 -i eth0 -j REJECT
/sbin/ipchains -A output -p tcp -d 0/0 -s 193.231.113.125 2000 -i eth0 -j REJECT
/sbin/ipchains -A input -p tcp -s 0/0 -d 193.231.113.125 4000 -i eth0 -j REJECT
/sbin/ipchains -A output -p tcp -d 0/0 -s 193.231.113.125 4000 -i eth0 -j REJECT
/sbin/ipchains -A input -p tcp -s 0/0 -d 193.231.113.125 443 -i eth0 -j REJECT
/sbin/ipchains -A output -p tcp -d 0/0 -s 193.231.113.125 443 -i eth0 -j REJECT
#
/sbin/ipchains -A input -p tcp -s 192.168.2.0/24 -d 0/0 6666:7000 -i eth0 -j REJECT
#/sbin/ipchains -A output -p tcp -d 192.168.2.0/24 -s 0/0 6666:6670 -i eth0 -j REJECT
#
#/sbin/ipchains -A input -p tcp -s 0/0 -d 193.231.113.125 8080 -i eth0 -j REJECT
#/sbin/ipchains -A input -p tcp -s 0/0 -d 193.231.113.125 1139 -i eth0 -j REJECT
/sbin/ipchains -A input -p tcp -s 0/0 -d 193.231.113.125 21 -i eth0 -j REJECT
/sbin/ipchains -A input -p tcp -s 0/0 -d 193.231.113.125 22 -i eth0 -j REJECT
#/sbin/ipchains -A output -p tcp -s 0/0 -d 193.231.113.125 8080 -i eth0 -j REJECT
#
#/sbin/ipchains -A input -p tcp -s 0/0 -d 0/0 0:1023 -y -j REJECT
#/sbin/ipchains -A input -p tcp -s 0/0 -d 0/0 2049 -j REJECT
#/sbin/ipchains -A input -p udp -s 0/0 -d 0/0 0:1023 -j REJECT
#/sbin/ipchains -A input -p udp -s 0/0 -d 0/0 2049 -j REJECT
#/sbin/ipchains -A input -p tcp -s 0/0 -d 0/0 6000:6009 -j REJECT
#/sbin/ipchains -A input -p tcp -s 0/0 -d 0/0 7100 -j REJECT
#/sbin/ipchains -A input -p tcp -s 0/0 -d 0/0 1139 -j REJECT
#
echo "Forward Start"
echo "1" > /proc/sys/net/ipv4/ip_forward
/sbin/ipchains -A forward -s 192.168.2.0/24 -d 192.168.2.0/24 -j ACCEPT
/sbin/ipchains -A forward -s 193.231.113.0/24 -d 0/0 -j ACCEPT
#/sbin/ipchains -A forward -s 192.168.2.0/24 -d 0/0 -j MASQ
echo "Masqarading CCPIL IP's"
#Centrul Creatiei
/sbin/ipchains -A forward -s 192.168.2.127/255.255.255.255 -d 0/0 -j MASQ
/sbin/ipchains -A forward -s 192.168.2.150/255.255.255.255 -d 0/0 -j MASQ
/sbin/ipchains -A forward -s 192.168.2.155/255.255.255.255 -d 0/0 -j MASQ
/sbin/ipchains -A forward -s 192.168.2.157/255.255.255.255 -d 0/0 -j MASQ
echo "Masqarading CCUIP IP's"
#Centrul Cultural
/sbin/ipchains -A forward -s 192.168.2.56/255.255.255.255 -d 0/0 -j MASQ
/sbin/ipchains -A forward -s 192.168.2.100/255.255.255.255 -d 0/0 -j MASQ
/sbin/ipchains -A forward -s 192.168.2.110/255.255.255.255 -d 0/0 -j MASQ
/sbin/ipchains -A forward -s 192.168.2.156/255.255.255.255 -d 0/0 -j MASQ
echo "Masqarading DPCCPN IP's"
#Inspectorat
/sbin/ipchains -A forward -s 192.168.2.32/255.255.255.255 -d 0/0 -j MASQ
/sbin/ipchains -A forward -s 192.168.2.163/255.255.255.255 -d 0/0 -j MASQ
echo "Masqarading BJI IP's"
#BJI
/sbin/ipchains -A forward -s 192.168.2.43/255.255.255.255 -d 0/0 -j MASQ
/sbin/ipchains -A forward -s 192.168.2.222/255.255.255.255 -d 0/0 -j MASQ
echo "Sfarsit configurare firewall"
--
To unsubscribe, send mail to
[EMAIL PROTECTED] with the subject 'unsubscribe rlug'.
RULES, archives and other information: http://www.lug.ro/mlist/
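
Added example, not part of the original post: ipchains applies the first rule that matches a packet, so a REJECT placed after an ACCEPT that already matches the same traffic never takes effect. The Python sketch below checks a subset of the rules posted above for that ordering problem; the function names `parse`, `covers` and `shadowed` are this example's own.

```python
import ipaddress

# Subset of the rules from the script above, in their original order.
RULES = """\
/sbin/ipchains -A input -s 0/0 -d 0/0 22 -p tcp -i eth0 -j ACCEPT
/sbin/ipchains -A input -s 0/0 -d 0/0 21 -p tcp -i eth0 -j ACCEPT
/sbin/ipchains -A input -s 0/0 -d 0/0 25 -p tcp -y -j ACCEPT
/sbin/ipchains -A input -p tcp -s 0/0 -d 0/0 6666:7000 -i eth0 -j REJECT
/sbin/ipchains -A input -p tcp -s 0/0 -d 193.231.113.125 21 -i eth0 -j REJECT
/sbin/ipchains -A input -p tcp -s 0/0 -d 193.231.113.125 22 -i eth0 -j REJECT
"""

def parse(line):
    """Turn one 'ipchains -A' line into a dict; None for comments and other lines."""
    t = line.split()
    if line.lstrip().startswith("#") or "-A" not in t:
        return None
    opt = lambda f: t[t.index(f) + 1] if f in t else None
    r = {"chain": opt("-A"), "proto": opt("-p"), "iface": opt("-i"),
         "target": opt("-j"), "syn": "-y" in t, "text": line.strip()}
    for flag in ("-s", "-d"):            # syntax: -s|-d address [port[:port]]
        net, lo, hi = opt(flag) or "0/0", 0, 65535
        nxt = t[t.index(flag) + 2: t.index(flag) + 3] if flag in t else []
        if nxt and nxt[0][0].isdigit():
            lo, hi = map(int, (nxt[0].split(":") * 2)[:2])
        net = "0.0.0.0/0" if net == "0/0" else net
        r[flag] = (ipaddress.ip_network(net, strict=False), lo, hi)
    return r

def covers(early, late):
    """True if every packet `late` matches is already matched by `early`."""
    def inside(a, b):
        return a[0].subnet_of(b[0]) and b[1] <= a[1] and a[2] <= b[2]
    return (early["chain"] == late["chain"]
            and early["proto"] in (None, "all", late["proto"])
            and early["iface"] in (None, late["iface"])
            and (late["syn"] or not early["syn"])   # a -y rule only covers -y rules
            and inside(late["-s"], early["-s"])
            and inside(late["-d"], early["-d"]))

def shadowed(text):
    """(dead rule, deciding rule) pairs: first match wins, so the later rule never fires."""
    rules = [r for r in map(parse, text.splitlines()) if r]
    out = []
    for i, late in enumerate(rules):
        first = next((e for e in rules[:i] if covers(e, late)), None)
        if first and first["target"] != late["target"]:
            out.append((late["text"], first["text"]))
    return out
```

Run on these rules, `shadowed(RULES)` reports the two REJECT rules for ports 21 and 22 on eth0 as unreachable, because the earlier ACCEPT rules for the same ports match first, so FTP and SSH stay open from the outside.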