[Gllug] hacked !

tet at accucard.com tet at accucard.com
Thu Nov 29 09:18:06 UTC 2001


>I'm gonna copy all my stuff down and recommend to my friend we rebuild
>the box from scratch ... any other advice ?

Before you rebuild it, disconnect it from the network, and then go over
it with a fine toothcomb to try and find out which vulnerabilities they
exploited to get in. Then make sure you've fixed them when you rebuild
it. Obvious places to start are things like minimizing the amount of
information you provide to a potential intruder. If a hole is found in
PHP or mod_jk, for example, I know that you're vulnerable, because
you're advertising the fact that you're using them, and I know that
you're using Red Hat, and so are potentially vulnerable to anything
that you haven't patched which is found to have a security flaw.

Similarly, turn off unnecessary services. A public facing web server
should not have the smtp or sunrpc ports open, for example (yours
does). And if you do need these services (e.g., sunrpc for NFS), then
consider putting in multiple network interfaces, so you can run those
services over a separate network, and only expose http/https on the
public facing network. You're also allowing in ssh, which isn't
necessarily a bad idea, but I'd personally have some out of band
mechanism for doing that, if you can afford it (e.g., allow incoming
ssh only from your private network, to which you have access via a
secure means such as a dial in modem, or via a hardened gateway box
that only allows ssh traffic).

Consider some kind of IDS system. I was easily able to port scan your
box. A more secure system might have detected a port scan after the
first few ports, and temporarily blocked access from that IP. The
harder you make it for a potential attacker, the more likely they
are to just pick on an easier target elsewhere.

When you rebuild it, don't do a full install. Just install the bare
minimum you need to get the box up and running. Don't select *any*
packages initially. Then go through and add the ones you need (apache,
php, etc.). Try it out. If it works, great. If it doesn't, then add the
appropriate packages to provide you with the functionality you need.
Then stop. Don't add things that you think might be useful at some
point in the future. A healthy dose of paranoia is always good for
building secure systems :-)

HTH,

Tet

-- 
Gllug mailing list  -  Gllug at linux.co.uk
http://list.ftech.net/mailman/listinfo/gllug
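The port-scan detection Tet describes (spot a scan after the first few ports and temporarily block the source) can be prototyped against the firewall's own logs. The following is an added example, not code from the original post or from the GLLUG list: it reads constructed iptables-style kernel log lines (the host name, addresses and timestamps are made up), keeps a sliding time window of SYN attempts per source, and reports each source that probed at least a threshold number of distinct destination ports within that window, together with the time at which a block rule would have been added. The threshold, window length and year are assumed parameters.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample of iptables LOG lines as they would appear in /var/log/messages.
# 198.51.100.77 walks six ports in two seconds (a fast scan); 203.0.113.9 touches
# five ports one minute apart (a slow scan); 192.0.2.10 is an ordinary web client.
SAMPLE_LOG = """\
Nov 29 09:10:01 webbox kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=40001 DPT=80 SYN
Nov 29 09:10:02 webbox kernel: IN=eth0 OUT= SRC=198.51.100.77 DST=198.51.100.5 PROTO=TCP SPT=51000 DPT=21 SYN
Nov 29 09:10:02 webbox kernel: IN=eth0 OUT= SRC=198.51.100.77 DST=198.51.100.5 PROTO=TCP SPT=51001 DPT=22 SYN
Nov 29 09:10:02 webbox kernel: IN=eth0 OUT= SRC=198.51.100.77 DST=198.51.100.5 PROTO=TCP SPT=51002 DPT=23 SYN
Nov 29 09:10:03 webbox kernel: IN=eth0 OUT= SRC=198.51.100.77 DST=198.51.100.5 PROTO=TCP SPT=51003 DPT=25 SYN
Nov 29 09:10:03 webbox kernel: IN=eth0 OUT= SRC=198.51.100.77 DST=198.51.100.5 PROTO=TCP SPT=51004 DPT=111 SYN
Nov 29 09:10:03 webbox kernel: IN=eth0 OUT= SRC=198.51.100.77 DST=198.51.100.5 PROTO=TCP SPT=51005 DPT=443 SYN
Nov 29 09:10:05 webbox sshd[4242]: Accepted publickey for tet from 10.0.0.2 port 33000
Nov 29 09:10:20 webbox kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=40002 DPT=443 SYN
Nov 29 09:12:00 webbox kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.5 PROTO=TCP SPT=6000 DPT=22 SYN
Nov 29 09:13:00 webbox kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.5 PROTO=TCP SPT=6001 DPT=80 SYN
Nov 29 09:14:00 webbox kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.5 PROTO=TCP SPT=6002 DPT=443 SYN
Nov 29 09:15:00 webbox kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.5 PROTO=TCP SPT=6003 DPT=25 SYN
Nov 29 09:16:00 webbox kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.5 PROTO=TCP SPT=6004 DPT=111 SYN
"""

# Syslog timestamp, host, then the iptables fields we care about (SRC and DPT).
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ kernel: .*?SRC=(?P<src>[\d.]+) .*?DPT=(?P<dport>\d+)"
)


def parse_log(log_text, year=2001):
    """Yield (timestamp, source_ip, dest_port) for each firewall log line.
    Lines that are not iptables LOG output (e.g. sshd messages) are skipped.
    Syslog omits the year, so the caller supplies it (assumed 2001 here)."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["src"], int(m["dport"])


def detect_port_scans(log_text, threshold=5, window_seconds=60, year=2001):
    """Return {source_ip: time_first_flagged} for every source that sent SYNs to at
    least `threshold` distinct destination ports within any `window_seconds` span.
    Threshold and window are assumed tuning values, not figures from the post."""
    recent = defaultdict(deque)  # source -> (timestamp, dport) pairs, oldest first
    flagged = {}
    for ts, src, dport in parse_log(log_text, year):
        if src in flagged:
            continue  # already blocked; later packets from it would be dropped
        q = recent[src]
        q.append((ts, dport))
        # Drop attempts that have aged out of the sliding window.
        while (ts - q[0][0]).total_seconds() > window_seconds:
            q.popleft()
        distinct_ports = {p for _, p in q}
        if len(distinct_ports) >= threshold:
            flagged[src] = ts
    return flagged


def block_rule(src):
    """The firewall rule a responder would add for a flagged source. Returned as a
    string rather than executed; pair it with a scheduled removal so the block
    stays temporary, as the post suggests."""
    return f"iptables -I INPUT -s {src} -j DROP"


if __name__ == "__main__":
    for src, when in detect_port_scans(SAMPLE_LOG).items():
        print(f"{when:%H:%M:%S} scan from {src}: {block_rule(src)}")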




More information about the GLLUG mailing list