[Nottingham] Disable Ports

Martin martin at ml1.co.uk
Tue Aug 29 19:42:31 BST 2006

Johan Boshoff wrote:
> Hi,
> My server is hosted at a company in America and they told me that
> SPAMMERS are using my server to send out mail.  I did ask them to send
> me more details and am still waiting.

You should be able to log in and see for yourself.

Start by looking at the logs in /var/log, such as messages and
mail/info or whatever. Look at netstat to see who else is logged into
your box. top/pstree to see what is running. Does all traffic stop when
you shut down the services?!

Have you got multiple users on that system?

> The thing is, I don't want people to use the server to send out mail.
> It is a web and mail server, but not to send out mail to the public.

It should be very easy to stop just outgoing mail. A bodge fix could be
just to disable sendmail or to block all outgoing smtp.

Have you simply just inadvertently set up an open mail relay?

> Basically I tighten up the SSHD because I get so many IP's trying to
> connect to the server via SSH.  Disabled ROOT access and the GraceTime
> to only 10 seconds and only gave two users access to log in via SSH.
> I am sure this will minimize attacks...  Anyway, I know the above is
> only for the SSH and has nothing to do with sendmail.

Never allow direct root access. Always log in via another user first.
Ensure that you have non-dictionary-word passwords and non-name passwords.

Have you been root-kit hacked?

If you can't positively see how your system has been compromised, then
the best is to assume the worst and to make a full reinstall.

There are lots of script-kiddies out there. There are also some very nasty
and clever crackers.

Good luck,

Martin Lomas
martin at ml1.co.uk
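As an added illustration of the log check suggested above (this script is not part of the thread), a POSIX sh/awk filter that reads sendmail syslog lines and prints every message that was accepted from a host outside the local networks and then delivered onward by SMTP, which is what an open relay being abused looks like in mail/info. The LOCAL_NETS pattern and the sample log are constructed assumptions; point it at the real log with `find_relayed < /var/log/mail/info`.

```shell
#!/bin/sh
# Assumed local address ranges (loopback and one RFC 1918 block); adjust
# to the server's own networks. Bracket expressions avoid awk -v escapes.
LOCAL_NETS='^(127|192[.]168)[.]'

# Reads sendmail log lines on stdin and prints one line per suspected
# relayed message: "<queue-id> <submitting-ip> <sender> <recipient>".
find_relayed() {
    awk -v localnets="$LOCAL_NETS" '
        # Queue id is the field after "sendmail[pid]:", minus its colon.
        { qid = $6; sub(/:$/, "", qid) }
        # from= line: record the sender and the IP of the submitting host.
        /: from=</ {
            match($0, /relay=[^,]*\[[0-9.]+\]/)
            ip = substr($0, RSTART, RLENGTH)
            sub(/.*\[/, "", ip); sub(/\]/, "", ip)
            match($0, /from=<[^>]*>/)
            sender[qid] = substr($0, RSTART + 6, RLENGTH - 7)
            if (ip != "" && ip !~ localnets) external[qid] = ip
        }
        # to= line delivered by an SMTP mailer for an externally submitted
        # message: the box acted as a relay for that message.
        /: to=</ && /mailer=esmtp/ && (qid in external) {
            match($0, /to=<[^>]*>/)
            rcpt = substr($0, RSTART + 4, RLENGTH - 5)
            print qid, external[qid], sender[qid], rcpt
        }
    '
}

# Constructed sample log (not real data): one relayed message, one local
# web-server submission, one inbound message for a local user.
SAMPLE_LOG='Aug 29 18:01:02 web1 sendmail[2101]: k7TH12aa002101: from=<spam@example.com>, size=1480, class=0, nrcpts=1, msgid=<1@example.com>, proto=ESMTP, daemon=MTA, relay=[203.0.113.5]
Aug 29 18:01:03 web1 sendmail[2102]: k7TH12aa002101: to=<victim@example.net>, ctladdr=<spam@example.com> (1/0), delay=00:00:01, xdelay=00:00:01, mailer=esmtp, pri=31480, relay=mail.example.net. [198.51.100.7], dsn=2.0.0, stat=Sent (OK)
Aug 29 18:05:10 web1 sendmail[2110]: k7TH5Abb002110: from=<www@web1.example.org>, size=620, class=0, nrcpts=1, msgid=<2@web1.example.org>, relay=www@localhost
Aug 29 18:05:11 web1 sendmail[2111]: k7TH5Abb002110: to=<owner@example.org>, ctladdr=<www@web1.example.org> (33/33), delay=00:00:01, xdelay=00:00:01, mailer=esmtp, pri=30620, relay=mx.example.org. [192.0.2.25], dsn=2.0.0, stat=Sent (OK)
Aug 29 18:09:40 web1 sendmail[2120]: k7TH9ecc002120: from=<customer@example.net>, size=900, class=0, nrcpts=1, msgid=<3@example.net>, proto=ESMTP, daemon=MTA, relay=mail.example.net [198.51.100.7]
Aug 29 18:09:41 web1 sendmail[2121]: k7TH9ecc002120: to=<johan@web1.example.org>, ctladdr=<customer@example.net> (1/0), delay=00:00:01, xdelay=00:00:01, mailer=local, pri=30900, dsn=2.0.0, stat=Sent'

# Only the first message is reported: external submitter and SMTP delivery.
printf '%s\n' "$SAMPLE_LOG" | find_relayed
```

A non-empty result from the real log is the evidence the hosting company did not send; the submitting IPs it lists are what to compare against the netstat output.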

