pkgsrc-Users archive


Re: NetBSD-3.1 was attacked: Bug of SSHD or cyrus-sasl?



Hi,
once in this situation I put my compromised machine in an isolated subnet, firewalled to only allow the functionality it was set up for. If you are under pressure, this is a way to save time without feeling too uncomfortable. But this requires that there be no data of a private nature on this machine. Hmm, cyrus account, you said? OK, I think a mail server contains private data. Moreover it's likely someone used a password there that is used elsewhere. I would alert my users and force them to change passwords.

You can secure things by putting it into a subnet for which no WAN access is allowed. Since this box might be compromised, it should be isolated in a separate network. No sniffing can get anything useful and any other attempt will bang against a firewall. You can set up a mail server, feeding it with LMTP. Moreover this is your outgoing MTA.


Now you can restrict this network to accepting incoming LMTP transports and answering incoming IMAP requests. You can disallow traffic started from your IMAP server. So this machine can't do any harm any more.

But still HE had some time to do something nasty, like fishing for passwords. And therefore keep an eye on all of your machines.

For your enjoyment: If you'd like to know him better ... put him in a chroot jail and watch him trying.
A shell logging each command can be informative.

cheers AHA
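The quarantine described above, written out as a pf.conf for a NetBSD gateway sitting between the suspect mail box and the rest of the network. This is an added example, not part of the original post; the interface names, the subnet and the host addresses are constructed placeholders.

```pf
# Added example (not from the original post). Gateway pf.conf that quarantines
# a possibly compromised IMAP server: only LMTP delivery from the trusted MTA
# and IMAP from the user LAN may reach it, and nothing it initiates gets out.

ext_if   = "fxp0"              # assumed: LAN / uplink side of the gateway
quar_if  = "fxp1"              # assumed: leg into the quarantine subnet
quar_net = "192.0.2.0/24"      # constructed: quarantine subnet
imap_box = "192.0.2.10"        # constructed: the suspect IMAP server
mta      = "198.51.100.5"      # constructed: relay that feeds it via LMTP
user_net = "198.51.100.0/24"   # constructed: where IMAP clients live

set block-policy drop          # silently drop, give the box no hints
set skip on { lo $ext_if }     # filter only on the quarantine leg

# Default deny on the quarantine interface, logged to pflog for review.
block log on $quar_if all
antispoof log quick for $quar_if

# Toward the box: LMTP (24/tcp) from the relay only ...
pass out quick on $quar_if inet proto tcp from $mta to $imap_box \
    port 24 flags S/SA keep state

# ... and IMAP / IMAPS from the user LAN only.
pass out quick on $quar_if inet proto tcp from $user_net to $imap_box \
    port { 143, 993 } flags S/SA keep state

# Anything the quarantined subnet starts on its own is dropped and logged
# separately, so outbound attempts stand out when reading pflog.
block in log quick on $quar_if from $quar_net to any
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading, and read the logged drops with `tcpdump -n -e -ttt -i pflog0` to see what the box tries to reach.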


