Re: [fw-wiz] RE: Help. How to stop attacks on gateway/linux host.

From: Paul D. Robertson (paul_at_compuwar.net)
Date: 12/13/04

  • Next message: Marcus J. Ranum: "Re: [fw-wiz] How to Save The World"
    To: Yesh Sriram <ysriram@elorasoftindia.com>
    Date: Mon, 13 Dec 2004 09:20:00 -0500 (EST)
    
    

    On Mon, 13 Dec 2004, Yesh Sriram wrote:

    > For the last 6 months our DSL bills are extremely high. We examined our
    > logs and there is someone using the bandwidth from
    > our host every night. We can turn off the machine but not sure if this is
    > the right solution.

    If it reduces your costs enough, then it's at least a step in the right
    direction.

    >
    > We have done the following (for the last three months)
    > - Change passwords every 3 days

    Changing passwords on an already compromised machine doesn't gain you much
    of anything. You must remove the compromised components or reinstall.

    > - Run only http, https, ssh
    > - Disable ftp

    Web servers are notorious for compromise, as is FTP, SSL and older SSH
    implementations- if your system wasn't up to date at some point, it's
    likely compromised. Chkrootkit is a good place to start.

    > But we still continue to see the nightly breaks into our host machine.
    > We have no Linux expertise except as developers.

    There are plenty of people who do have it, perhaps you should consider a
    consultant? There are likely to be experienced admins in your area who
    could spend an hour or so checking the system and cleaning it up. Look
    for a local Linux user's group.

    > We checked out firewall software price and it's expensive, and there is
    > no expert support available. Can someone

    There is *lots* of firewall software available, some is cheap, some isn't,
    and some is even free- but in your case, if you don't have the experience
    to deal with it, or the time, then you need to look at what the DSL is
    costing you, and decide if going with a commercial product makes sense.

    > suggest a fix for this. Even a policy fix/advice would be helpful.

    Figure out what the traffic is, and where it's coming from process-wise,
    and clean up the system, or just back up your data, build a new system
    with all the patches and up to date software, then put your data on that.

    If you've got active content such as PHP, or other Web applications, look
    at them as a potential source of compromise if the rest of the system is
    up to date.

    Paul
    -----------------------------------------------------------------------------
    Paul D. Robertson "My statements in this message are personal opinions
    paul@compuwar.net which may have no basis whatsoever in fact."
    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
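One way to act on the advice above to find out where the traffic is coming from "process-wise": an added example (not from the post or the list) that reads `ss -tnp` output and flags every established connection owned by a process other than the ones this site expects (ssh and a web server). The allow-list, the process names and the sample `ss` output are constructed assumptions.

```shell
#!/bin/sh
# Added example: given the output of `ss -tnp`, list established connections
# whose owning process is not one of the services the host is supposed to run.
# In practice: ss -tnp | unexpected_conns

# Expected process names (assumption for a host running only ssh and https).
ALLOWED="sshd httpd apache2"

# unexpected_conns: read `ss -tnp` lines on stdin and print "pid name peer"
# for every ESTAB connection whose process is not listed in $ALLOWED.
unexpected_conns() {
    awk -v allowed="$ALLOWED" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 == "ESTAB" {
            peer = $5
            # process column looks like: users:(("name",pid=123,fd=4))
            if (match($0, /users:\(\("[^"]*",pid=[0-9]+/)) {
                s = substr($0, RSTART, RLENGTH)
                sub(/^users:\(\("/, "", s)
                name = s; sub(/".*/, "", name)
                pid = s;  sub(/.*pid=/, "", pid)
                if (!(name in ok)) print pid, name, peer
            }
        }'
}

# Constructed sample of `ss -tnp` output; the third connection is the kind
# of entry worth investigating: an unknown process talking outbound at night.
SAMPLE='State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
ESTAB 0 0 192.0.2.10:22 198.51.100.7:51234 users:(("sshd",pid=1201,fd=4))
ESTAB 0 0 192.0.2.10:443 203.0.113.5:40021 users:(("httpd",pid=880,fd=9))
ESTAB 0 0 192.0.2.10:38522 203.0.113.77:6667 users:(("xfer",pid=2211,fd=3))'

# Run the check over the sample; prints: 2211 xfer 203.0.113.77:6667
printf '%s\n' "$SAMPLE" | unexpected_conns
```

Any pid it prints can then be checked with `ls -l /proc/<pid>/exe` and `ps -fp <pid>` before deciding whether to clean the system or rebuild it.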

