Re: Debian Stable server hacked
A few thoughts on potenital problems:
Thijs Welman wrote:
Unfortunately i don't have the resources to get an IDS system up and
running...
A bare-bones IDS isn't all thet extreme to build, especially if you are
only interested in a single network. Debian stable + snort source
package from unstable might be your best bet...
regards and tia,
Thijs Welman
Delft University of Technology
the Netherlands
-----
[0] My server is running Debian stable with:
- linux-2.4.21-ac4 custom compiled kernel without LKM-support
- sshd
- apache
- apache-ssl
- php4
- smbd/nmbd (firewalled at the university network border)
NOTE: Ok, firewalled at the network border, but could poorly-secured
internal windows machines have been used as a springboard for an attack?
The same goes for the below services, are you sure that all the machines
and people on the same side of the firewall are completely trustworthy?
This is a big hole if you're only firewalling at the border of your
campus network, and have a wide variety of machines out there...
- postfix (not accessible from outside)
- bind9 (not accessible from outside)
- mysql (firewalled)
- proftpd (firewalled)
- snmpd (firewalled)
- amanda-client from inetd (firewalled)
All packages are unmodified releases from Debian stable and, yes, i do
update packes from security.debian.org as soon as there are any updates. :)
Was anyone else logged in at the time? Perhaps one of your admins had a
weak or compromised password?
--Rich
_________________________________________________________
Rich Puhek
ETN Systems Inc.
2125 1st Ave East
Hibbing MN 55746
tel: 218.262.1130
email: rpuhek@etnsystems.com
_________________________________________________________
Reply to: