Re: Debian Investigation Report after Server Compromises
On Fri, 05 Dec 2003 16:28:06 -0800, Vineet Kumar wrote:
> * Paul Morgan (firstname.lastname@example.org) [031205 14:24]:
>> On Thu, 04 Dec 2003 18:05:15 -0800, Vineet Kumar wrote:
>> > * Paul Morgan (email@example.com) [031204 12:32]:
>> >> I have all services locked down to localhost; my only connections to
>> >> the outside world are mail, news via nntpcached, web via squid... I run
>> >> Apache but it too is locked down to localhost. My mail is run through my
>> > this ...
>> >> ISP's (earthlink's) virus and spam filters before I get it (otherwise I'd
>> >> be getting like 10 Svens per day). I do see, from time to time, Apache
>> >> refusing connection attempts which are generally attacks by Windoze worms.
>> > ... and this do not add up. Methinks your apache is not "locked down to
>> > localhost."
>> 188.8.131.52 - - [03/Dec/2003:08:52:40 -0500] "GET
>> /.hash=0df2df7b5aeac6aabb9ad2e00c0d150f831fffff HTTP/1.1" 403 322 "-" "-"
>> [Wed Dec 3 08:52:40 2003] [error] [client 184.108.40.206] client denied by server configuration: /var/www/.hash=0df2df7b5aeac6aabb9ad2e00c0d150f831fffff
> That's fine. I just wouldn't consider it "locked down to localhost" if
> it's listening on any external interface. I'd use the Listen directive
> to have it bind to only 127.0.0.1:80 (and additionally use iptables to
> block incoming access). Relying on the server's configuration alone to
> reject incoming connections is subject to break if the server is broken.
> If it only ever bound to 127.0.0.1, any attempts to connect to an
> external address will get RST from TCP before apache ever knows anything
> about it.
> good times,
I appreciate the advice, but I've left it like that out of a somewhat
perverse interest in seeing what shows up. I have had some success in
getting a couple of people booted off their ISPs. Nice to do a tiny bit
of fighting back :)
"The number of UNIX installations has grown to 10, with more expected."
(The UNIX Programmer's Manual, 2nd Edition, June 1972)
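The point of contention above is whether "locked down to localhost" means Apache refuses outside requests in its configuration (a 403 in the access log, as Paul shows) or whether it never listens on an external interface at all (the `Listen 127.0.0.1:80` plus iptables approach Vineet suggests). The access log itself tells you which one you have: if any non-loopback client address ever appears in it, the daemon is reachable from outside, whatever the per-directory access rules say. The following is an added example, not code from the thread or from Debian; it parses a few constructed combined-format log lines (the addresses and paths are made up) and reports the external clients that reached the server.

```python
import ipaddress
import re

# Constructed sample access log in Apache "combined" format. These lines are
# illustrative only and are not taken from the original mail thread.
SAMPLE_ACCESS_LOG = """\
127.0.0.1 - - [03/Dec/2003:08:50:01 -0500] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
203.0.113.7 - - [03/Dec/2003:08:52:40 -0500] "GET /.hash=0000000000000000 HTTP/1.1" 403 322 "-" "-"
198.51.100.23 - - [03/Dec/2003:09:01:12 -0500] "GET /probe HTTP/1.0" 403 322 "-" "-"
::1 - - [03/Dec/2003:09:05:00 -0500] "GET /status HTTP/1.1" 200 512 "-" "curl/7.10"
this line is not a log entry and is skipped
"""

# client ident user [time] "request" status size ... (combined log format)
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)


def parse_access_log(log_text):
    """Yield one dict per well-formed combined-log line; skip anything else."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        yield {
            "client": m.group("client"),
            "time": m.group("time"),
            "request": m.group("request"),
            "status": int(m.group("status")),
        }


def is_loopback_client(client):
    """True for 127.0.0.0/8, ::1, or the literal 'localhost' (HostnameLookups On)."""
    if client == "localhost":
        return True
    try:
        return ipaddress.ip_address(client).is_loopback
    except ValueError:
        # A resolved hostname or garbage: it certainly is not the loopback address.
        return False


def external_clients(log_text):
    """Entries whose client address is not loopback, i.e. requests that reached
    Apache from the network even if Apache answered them with 403."""
    return [e for e in parse_access_log(log_text)
            if not is_loopback_client(e["client"])]


def reached_from_outside(log_text):
    """True if any request in the log came from a non-loopback client. A server
    bound only to 127.0.0.1 (Listen 127.0.0.1:80) can never produce such a line,
    because the kernel resets the connection before Apache sees it."""
    return bool(external_clients(log_text))


if __name__ == "__main__":
    for entry in external_clients(SAMPLE_ACCESS_LOG):
        print(f'{entry["client"]:>15}  {entry["status"]}  {entry["request"]}')
    print("reachable from outside:", reached_from_outside(SAMPLE_ACCESS_LOG))
```

Run against a real `/var/www` access log, an empty result means the daemon is only ever spoken to over loopback; any output means the protection is the access-control configuration alone, which is exactly the single point of failure Vineet describes.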