
Re: Debian Investigation Report after Server Compromises



On Fri, 05 Dec 2003 16:28:06 -0800, Vineet Kumar wrote:

> * Paul Morgan (paulswm@earthlink.net) [031205 14:24]:
>> On Thu, 04 Dec 2003 18:05:15 -0800, Vineet Kumar wrote:
>> 
>> > * Paul Morgan (paulswm@earthlink.net) [031204 12:32]:
>> >> I have all services locked down to localhost; my only connections to
>> >> the outside world are mail, news via nntpcached, web via squid... I run
>> >> Apache but it too is locked down to localhost.  My mail is run through my
>> >  
>> > this ...
>> > 
>> >> ISP's (earthlink's) virus and spam filters before I get it (otherwise I'd
>> >> be getting like 10 Svens per day). I do see, from time to time, Apache
>> >> refusing connection attempts which are generally attacks by Windoze worms.
>> >   
>> > ... and this do not add up.  Methinks your apache is not "locked down to
>> > localhost."
>> > 
>> 
>> 150.140.128.174 - - [03/Dec/2003:08:52:40 -0500] "GET /.hash=0df2df7b5aeac6aabb9ad2e00c0d150f831fffff HTTP/1.1" 403 322 "-" "-"
>> 
>> [Wed Dec  3 08:52:40 2003] [error] [client 150.140.128.174] client denied by server configuration: /var/www/.hash=0df2df7b5aeac6aabb9ad2e00c0d150f831fffff
> 
> That's fine.  I just wouldn't consider it "locked down to localhost" if
> it's listening on any external interface.  I'd use the Listen directive
> to have it bind to only 127.0.0.1:80 (and additionally use iptables to
> block incoming access).  Relying on the server's configuration alone to
> reject incoming connections is subject to break if the server is broken.
> If it only ever bound to 127.0.0.1, any attempts to connect to an
> external address will get RST from TCP before apache ever knows anything
> about it.
> 
> good times,
> Vineet
> -- 

I appreciate the advice, but I've left it like that out of a somewhat
perverse interest in seeing what shows up.  I have had some success in
getting a couple of people booted off their ISPs.  Nice to do a tiny bit
of fighting back :)

-- 
....................paul

"The number of UNIX installations has grown to 10, with more expected."
(The UNIX Programmer's Manual, 2nd Edition, June 1972)
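The point Vineet makes above is that a server "locked down to localhost" should bind only to 127.0.0.1, so the kernel answers outside connection attempts with a TCP RST before Apache sees them, with a firewall rule as a second layer. The script below is an added example, not part of the thread or Paul's setup: it audits an httpd.conf fragment for Listen directives that bind to anything other than loopback. Both config fragments are constructed for illustration, and the iptables rule is shown in a comment only.

```shell
#!/bin/sh
# Added example, not from the thread. Audits Apache "Listen" directives so
# that httpd binds only to loopback, the change Vineet recommends.
# Both config fragments below are constructed for illustration.

# Constructed weak config: a bare port binds every interface.
WEAK_CONF='# httpd.conf fragment
Listen 80
Listen 443'

# Constructed corrected config: loopback only, for IPv4 and IPv6.
LOOPBACK_CONF='# httpd.conf fragment
Listen 127.0.0.1:80
Listen [::1]:80'

# audit_listen reads httpd.conf text on stdin, prints each Listen directive
# that would bind to a non-loopback address, and returns 0 only when every
# Listen directive is loopback-only (1 otherwise).
audit_listen() {
    bad=0
    # Default IFS splits each line into directive, address[:port], remainder.
    while read -r directive addr _rest; do
        [ "$directive" = "Listen" ] || continue
        case "$addr" in
            127.*:*|\[::1\]:*) ;;                  # loopback binds are fine
            *) printf 'non-loopback bind: Listen %s\n' "$addr"; bad=1 ;;
        esac
    done
    return "$bad"
}

# Demo: report on both constructed fragments.
for name in WEAK_CONF LOOPBACK_CONF; do
    eval "conf=\$$name"
    if printf '%s\n' "$conf" | audit_listen; then
        echo "$name: loopback only"
    else
        echo "$name: binds an external interface"
    fi
done

# Defence in depth, as the reply suggests: even with a loopback-only Listen,
# reject port 80 arriving on any interface other than lo (not executed here):
#   iptables -A INPUT ! -i lo -p tcp --dport 80 -j REJECT --reject-with tcp-reset
```

Run it against a real configuration with `audit_listen < /etc/apache2/ports.conf` (the path is an assumption; Debian splits Listen out of httpd.conf on newer releases). A bare `Listen 80` or `Listen 0.0.0.0:80` is flagged because either binds every interface; `Listen 127.0.0.1:80` passes.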