[luau] Looking for help on attempted cracking....

tom_gordon at notes.k12.hi.us tom_gordon at notes.k12.hi.us
Mon Oct 13 08:07:01 PDT 2003


By the way you worded "log entries where the firewall is blocking various IPs
when certain rules are matched.", it sounds like your default rule is not deny.

It is best to deny all and then allow specific traffic.  Or else, you may
not be blocking things you didn't know were there to block in the first
place.

Tom



Please respond to luau at videl.ics.hawaii.edu
Sent by:        luau-admin at videl.ics.hawaii.edu
To:     luau at videl.ics.hawaii.edu
cc: 
Subject:        Re: [luau] Looking for help on attempted cracking....

Vince,

SSH is closed on the firewall, although it is running on my box. As far as
keeping my box updated goes, I regularly run up2date among other things.
While I realize that that may not cover everything, so far it has served me
well (until now that is...)

I'll work on a better way to verify that my firewall script is working.
Typically, I check the boot logs to make sure that it loads when I do boot,
and I am seeing log entries where the firewall is blocking various IPs when
certain rules are matched.  From that I gather that the firewall is working,
but as you can see here, it appears that on at least this occasion, it did
not stop a connection to my ftp directory that it should have.

Reinstall coming very soon....

Thanks,

Ben 



 

On Sunday 12 October 2003 09:09 am, you wrote:
> On Sat, Oct 11, 2003 at 09:47:35PM -1000, Ben Beeson wrote:
> >  1) How did the cracker get past the firewall?
>
> Is SSH open and unpatched? I bet it is.
>
> >  2) Does this represent a hole that can be plugged?
>
> You can plug it up, but there are no guarantees a backdoor was
> not left behind.
>
> >  3) What else should I check or do to make sure that I'm not
> > "owned" by someone but me?
>
> Completely reinstall your system, installing only what you know
> you need.
>
> Update all your packages.
>
> >  4) How can I keep this person out in the future?
>
> Keep your system updated.
>
> Read up on file integrity scanners. Audit your filesystem regularly.
>
> How do you know the firewall script worked? Do not just run a
> script and expect it to work the way you think it is supposed to
> work. Verify.
>
> -Vince
> _______________________________________________
> LUAU mailing list
> LUAU at videl.ics.hawaii.edu
> http://videl.ics.hawaii.edu/mailman/listinfo/luau
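
The default-rule point above and Vince's "Verify", as an added example that is not part of the original thread: a check that reads `iptables-save` output and names the filter chains that still allow by default. The function names and both rule dumps are constructed for illustration, and the thread does not say which firewall tool Ben uses, so iptables is an assumption.

```shell
#!/bin/sh
# Added example: audit an iptables-save dump for default-allow chains.

# Constructed sample: specific blocks get logged, but the INPUT policy is ACCEPT,
# so anything no rule matches (an FTP connection, say) still gets through.
sample_default_allow() {
cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -s 203.0.113.7/32 -j LOG --log-prefix "blocked: "
-A INPUT -s 203.0.113.7/32 -j DROP
-A INPUT -p tcp -m tcp --dport 22 -j DROP
COMMIT
EOF
}

# Constructed sample: deny all, then allow specific traffic.
sample_default_deny() {
cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
COMMIT
EOF
}

# Reads iptables-save text on stdin and prints each of INPUT/FORWARD in the
# filter table whose policy is ACCEPT and which has no unconditional
# "-A CHAIN -j DROP" or "-A CHAIN -j REJECT ..." catch-all rule.
default_allow_chains() {
  awk '
    /^\*/ { table = substr($1, 2) }
    table != "filter" { next }
    /^:(INPUT|FORWARD) / { policy[substr($1, 2)] = $2 }
    $1 == "-A" && $3 == "-j" && ($4 == "DROP" || $4 == "REJECT") { caught[$2] = 1 }
    END {
      n = split("INPUT FORWARD", chains, " ")
      for (i = 1; i <= n; i++)
        if (policy[chains[i]] == "ACCEPT" && !(chains[i] in caught)) print chains[i]
    }'
}

sample_default_allow | default_allow_chains   # prints: INPUT
```

On a live box the same check is `iptables-save | default_allow_chains` run as root; empty output means both chains deny by default.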