[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Debian Stable server hacked

A few thoughts on potenital problems:

Thijs Welman wrote:

Unfortunately i don't have the resources to get an IDS system up and

A bare-bones IDS isn't all thet extreme to build, especially if you are only interested in a single network. Debian stable + snort source package from unstable might be your best bet...

regards and tia,

Thijs Welman
Delft University of Technology
the Netherlands
[0] My server is running Debian stable with:
- linux-2.4.21-ac4 custom compiled kernel without LKM-support
- sshd
- apache
- apache-ssl
- php4
- smbd/nmbd (firewalled at the university network border)

NOTE: Ok, firewalled at the network border, but could poorly-secured internal windows machines have been used as a springboard for an attack?

The same goes for the below services, are you sure that all the machines and people on the same side of the firewall are completely trustworthy? This is a big hole if you're only firewalling at the border of your campus network, and have a wide variety of machines out there...

- postfix (not accessible from outside)
- bind9 (not accessible from outside)
- mysql (firewalled)
- proftpd (firewalled)
- snmpd (firewalled)
- amanda-client from inetd (firewalled)

All packages are unmodified releases from Debian stable and, yes, i do
update packes from security.debian.org as soon as there are any updates. :)

Was anyone else logged in at the time? Perhaps one of your admins had a weak or compromised password?



Rich Puhek
ETN Systems Inc.
2125 1st Ave East
Hibbing MN 55746

tel:   218.262.1130
email: rpuhek@etnsystems.com

Reply to: