
Several good suggestions Re: Help. My system cracked and used to spam



Hi Chris, Paul and Pierre

Chris suggests:
>Well, one option is to use a crossover cable between the two machines in
>question.  Another would be to reboot into single user mode, so things
>like exim won't get started.  Can't remember if you get networking on by
>default in single user mode, but /etc/init.d/networking start should do
>the trick if it isn't.

David >> I still need references to do some reading

Chris
>A good first step would be to use one of the online services that test
>whether you are an open relay.  Try googling on open relay test, or
>search the list archives, it's definitely come up before.  If you are an
>open relay, shut down exim and test again.  If that fixes it, then you
>know that you have an exim config problem, and you can go from there.

Paul suggests upgrading to Woody. Woody? On a 486/66? I would do it, mostly
for the experience of upgrading. However, I have a substantially faster
machine in hand to replace it. I will put Debian Sarge on that machine and
keep it up to date.

He also suggests keeping the system security update current, but points out
that this only protects me from bugs, not configuration errors. He suggests
a firewall and not installing anything I don't need. What about installing --
is it wrappers? -- to hide the ports I'm not using?

Pierre suggests a free intruder detection test.
http://www.pallix.ca/freesecuritytest.html
and offers further personal help towards finding the miscreants.

Thanks Paul, Pierre and Chris.

Continuing the saga:

A crossover cable won't help until I disable the spam forwarding, because
the machine is too slow to use with that running. This could be done by
hacking scripts (OK only because I'm going to wipe and reinstall), but
better by booting into single user mode with networking enabled.

Many thanks. I have some information and some pointers to more. This
is one of the many things that make Debian the best.

David Teague
Debian -- because the technical support is free, fast, and accurate.
And I can get answers beyond the level of beginner.

----- Original Message -----
From: "Paul Smith" <pausmith@nortelnetworks.com>
To: "David Teague" <teague@jackson.main.nc.us>
Cc: <debian-user@lists.debian.org>
Sent: Friday, August 09, 2002 12:24 AM
Subject: Re: Help. My system cracked and used to spam


> %% "David Teague" <teague@jackson.main.nc.us> writes:
>
>   dt> It is a stock 2.0 install from CDs with Exim installed and setup
>   dt> by the scripts. Nothing particular was done to prevent entry.
>   dt> What does "Properly locked down" mean?
>
> Ouch.  First and foremost, it means that you've applied all security
> updates.  I'm sure there are a number of security holes, some maybe
> well-known, in a system that old with no security updates installed.
> Go to http://debian.org and take a look at the number of security holes
> plugged in just the last month... and 2.0 is years old.
>
> It doesn't have to be an error in your configuration; there are bugs in
> the software that can let crackers through even if your configuration is
> correct.
>
> Note that Debian 2.0 is old enough that no more security updates are being
> generated for it, so you want to install a newer version of Debian which
> is still supported.  At this point you probably want Woody (since we
> don't know exactly how much longer Potato will be supported).
>
> Then, you should add the security updates site to your .deb sources (the
> Woody install asks if you want to do this--say yes!)  Optionally you can
> install software that will automatically download security updates and
> notify you about them.
>
> Also, you should subscribe to the debian-security mailing list so you
> get notified when security holes are fixed.
>
> And finally, you should install the security updates as soon as possible
> after they're released.
>
> That's just to protect yourself from bugs in software.  It doesn't
> discuss what "bugs" you may have in your configuration of the software
> that could let crackers in.  In general the rule is (a) don't install or
> enable any software, especially network software, on your system you
> don't need, and (b) use a firewall of some kind to restrict access to
> your network or system except on the specific ports which require it.
> We can't know what those are unless we know what services you need to
> provide from the server.
>
> --
> -------------------------------------------------------------------------------
>  Paul D. Smith <pausmith@nortelnetworks.com> HASMAT--HA Software Mthds & Tools
>  "Please remain calm...I may be mad, but I am a professional." --Mad Scientist
> -------------------------------------------------------------------------------
>    These are my opinions---Nortel Networks takes no responsibility for them.
>
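Chris's "open relay test" step, as an added example that is not part of the original thread: the script below performs the probe that the online relay checkers run, handing the MTA a MAIL FROM and a RCPT TO for two domains it does not serve and reading the reply to RCPT TO. The probe addresses at example.net and example.org, and the FakeSMTP class, are constructed so the logic can be exercised offline; probe_host() talks to a real server through Python's smtplib, which is the part you would point at the cracked box (or at the rebuilt one, with and without exim running, as Chris describes).

```python
"""Probe an SMTP server for open relaying, the check the online
"open relay test" services perform. Added example, not from the thread."""
import smtplib
import sys

# Constructed probe addresses: the server under test must serve NEITHER
# domain, otherwise a 250 to RCPT TO is plain local delivery, not relaying.
PROBE_SENDER = "relay-probe@example.net"
PROBE_RECIPIENT = "relay-probe@example.org"


def relay_verdict(conn, sender=PROBE_SENDER, recipient=PROBE_RECIPIENT):
    """Run MAIL FROM / RCPT TO on *conn*, any object offering the
    smtplib.SMTP methods mail(), rcpt() and rset().

    Returns (is_open_relay, code, message). The reply to RCPT TO decides:
    2xx means the server agreed to carry mail between two domains it does
    not serve, i.e. it relays for anyone; 5xx (typically 550 "relaying
    denied") is what a locked-down MTA answers.
    """
    code, message = conn.mail(sender)
    if code // 100 != 2:
        # Sender refused before a recipient was named: not relaying.
        return (False, code, message)
    code, message = conn.rcpt(recipient)
    # Abort the transaction so no probe message is ever queued or sent.
    try:
        conn.rset()
    except smtplib.SMTPException:
        pass
    return (code // 100 == 2, code, message)


def probe_host(host, port=25, timeout=15):
    """Connect to a live server and return relay_verdict()'s tuple."""
    with smtplib.SMTP(host, port, timeout=timeout) as conn:
        conn.ehlo_or_helo_if_needed()
        return relay_verdict(conn)


class FakeSMTP:
    """Constructed stand-in for smtplib.SMTP so the probe runs offline.

    policy: "open"          - accepts any recipient (the misconfiguration
                              that turns a box into a spam relay)
            "closed"        - accepts recipients in local_domains only
            "reject_sender" - refuses MAIL FROM outright
    """

    def __init__(self, policy="closed", local_domains=("example.com",)):
        self.policy = policy
        self.local_domains = local_domains
        self.transcript = []   # commands seen, for inspection

    def mail(self, sender):
        self.transcript.append("MAIL FROM:<%s>" % sender)
        if self.policy == "reject_sender":
            return (550, b"sender rejected")
        return (250, b"OK")

    def rcpt(self, recipient):
        self.transcript.append("RCPT TO:<%s>" % recipient)
        domain = recipient.rsplit("@", 1)[-1].lower()
        if self.policy == "open" or domain in self.local_domains:
            return (250, b"Accepted")
        return (550, b"relaying denied")

    def rset(self):
        self.transcript.append("RSET")
        return (250, b"Reset state")


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "localhost"
    is_open, code, message = probe_host(target)
    print("%s: %s (%d %s)" % (target,
                               "OPEN RELAY" if is_open else "relay denied",
                               code, message.decode(errors="replace")))
```

Run it as `python3 relayprobe.py mail.example.com`. The one trap is the recipient domain: if you probe with an address the server legitimately delivers for, the 250 is local delivery and proves nothing, which is why both probe addresses are in domains the target does not own.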




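Paul's steps (add the security source, run only what you need, restrict access to the ports that need it) and David's "is it wrappers?" question, gathered into the configuration fragments involved. This is an added example, not from the original messages; the network prefix 192.168.1. is an assumed LAN, and sshd is assumed to be the only service that should be reachable from it.

```text
# /etc/apt/sources.list on Woody: the line the installer offers to add.
# apt-get update && apt-get upgrade then pulls in the security fixes.
deb http://security.debian.org/ woody/updates main contrib non-free

# /etc/hosts.deny -- TCP wrappers: refuse everything by default ...
ALL: ALL

# /etc/hosts.allow -- ... then open only what is needed, from where it is
# needed (192.168.1. is an assumed LAN prefix; the trailing dot matters).
sshd: 192.168.1.
```

TCP wrappers only govern services started through tcpd from inetd or linked against libwrap (Debian's sshd is); a daemon that listens on its own socket without libwrap never consults these files, so the wrapper rules complement a packet filter rather than replace it, and a port that no daemon listens on needs neither.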