
Re: Advice Needed On Recent Rootings



Jayson Vantuyl wrote:


This has been a hit on about seven different machines with vastly
different configurations (some missing everything but SSH) and all
firewalled down to the minimum.


I did not reread the whole thread, so sorry if I'm asking silly questions, but perhaps it's not a security issue, but a policy issue:

- Have you ever checked your password policies? Are there weak passwords around that the hacker might use to log in? Or has he / she in any way managed to get a password in some way?

- Have all passwords of user accounts been changed since the break-ins?

- You say that you're running imap on the server. Can the imap users log onto the machine, or are these accounts completely separated from the system accounts? If not, it might be that the hacker is sniffing the imap passwords and using them to log onto your machines.


And last but not least: Is the firewall separated from the servers or running ON the servers? It's good advice to lock down the machines locally using iptables, but I think that doesn't save you a dedicated firewall. Might be a Debian GNU/Linux or BSD box or even something commercial.


Regards

Marcel
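One way to run the checks Marcel lists (passwords not changed since the break-in, accounts with no password at all, and imap users who also have a login shell) against the password database, as an added example that is not part of the original thread; the /etc/passwd and /etc/shadow lines are constructed and the incident date is assumed:

```python
from datetime import date, timedelta

# Constructed sample /etc/passwd and /etc/shadow lines (not from any real host).
PASSWD = """root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000::/home/alice:/bin/bash
imapuser:x:1001:1001::/var/mail/imapuser:/bin/bash
backup:x:34:34::/var/backups:/usr/sbin/nologin
"""
SHADOW = """root:$6$constructed$hash:12000:0:99999:7:::
alice:$6$constructed$hash:12300:0:99999:7:::
imapuser::12100:0:99999:7:::
backup:*:12000:0:99999:7:::
"""
NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}
EPOCH = date(1970, 1, 1)


def audit_accounts(passwd_text, shadow_text, incident_iso):
    """Flag accounts worth acting on after a break-in (incident_iso = 'YYYY-MM-DD'):
    stale:       password last changed before the incident (shadow field 3 is
                 days since 1970-01-01), so it must be assumed compromised
    empty:       empty password field, i.e. no password required to log in
    interactive: unlocked account with a real shell, so a sniffed imap password
                 for it is also a system login"""
    incident = date.fromisoformat(incident_iso)
    shells = {}
    for line in passwd_text.splitlines():
        f = line.split(":")
        if len(f) == 7:
            shells[f[0]] = f[6]
    stale, empty, interactive = [], [], []
    for line in shadow_text.splitlines():
        f = line.split(":")
        if len(f) < 3:
            continue
        user, hashed, lastchg = f[0], f[1], f[2]
        locked = hashed.startswith(("*", "!"))  # locked: no password can match
        if hashed == "":
            empty.append(user)
        if not locked and lastchg.isdigit():
            if EPOCH + timedelta(days=int(lastchg)) < incident:
                stale.append(user)
        if not locked and user in shells and shells[user] not in NOLOGIN_SHELLS:
            interactive.append(user)
    return {"stale": stale, "empty": empty, "interactive": interactive}


if __name__ == "__main__":
    for key, users in audit_accounts(PASSWD, SHADOW, "2003-03-01").items():
        print(f"{key}: {', '.join(users) or '-'}")
```

On a real host, feed it the contents of /etc/passwd and /etc/shadow (read as root) and the date of the first known break-in.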




