Subject: Re: NetBSD-3.1 was attacked: Bug of SSHD or cyrus-sasl?
To: <>
From: Andreas Hallmann <hallmann@ahatec.de>
List: tech-pkg
Date: 01/12/2007 16:07:30
Hi,
Once in this situation, I put my compromised machine in an isolated
subnet, firewalled to allow only the functionality it was set up for. If
you are under pressure, this is a way to save time without feeling too
uncomfortable. But this requires that there is no data of a private
nature on this machine.
Hmm, a cyrus account, you said? OK, I think a mail server contains private
data. Moreover, it's likely someone used a password there that is also used
elsewhere. I would alert my users and force them to change their passwords.
You can secure things by putting it into a subnet for which no WAN access
is allowed.
Since this box might be compromised, it should be isolated in a separate
network.
No sniffing can get anything useful, and any other attempt will bang
against a firewall.
You can set up a mail server, feeding it via LMTP. Moreover, this is
your outgoing MTA.
Now you can restrict this network to accepting incoming LMTP transports
and answering incoming IMAP requests. You can disallow traffic started
from your imap server. So this machine can't do any harm any more.
But still, HE had some time to do something nasty, like phishing for
passwords. Therefore, keep an eye on all of your machines.
For your enjoyment: if you would like to know him better ... put him in a
chroot jail and watch him trying.
A shell logging each command can be informative.
cheers, AHA
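The quarantine policy described in the message above (LMTP in from the trusted MTA, IMAP in from the users, nothing initiated by the suspect box allowed out), written out as a pf ruleset for a separate gateway that fronts the isolated subnet. This is an added example, not code from the original post; the interface names, the addresses, the choice of pf over ipf (NetBSD 3.x ships both) and the LMTP port are assumptions and must be adapted to the real network.

```pf
# pf.conf on a separate, trusted gateway box that fronts the quarantine
# subnet.  Added example; every interface name and address below is an
# assumption, not a value from the original thread.
lan_if   = "fxp0"            # interface towards the users and the MTA
quar_if  = "fxp1"            # interface towards the quarantine subnet
imap_srv = "192.0.2.10"      # the possibly compromised cyrus box
mta      = "10.0.0.5"        # trusted MTA that delivers to cyrus via LMTP
lan      = "10.0.0.0/24"     # where the IMAP clients sit

set block-policy drop        # drop silently, don't tell him what is filtered
set skip on lo0

# Default deny, logged, in both directions on every interface.
block log all

# Nothing the quarantined box starts on its own may leave the subnet:
# no DNS, no SMTP, no reverse shells.  "quick" so that no later rule can
# accidentally let it through.  Replies belonging to the states created
# by the pass rules below are still delivered, because the state table
# is consulted before the rule list.
block in log quick on $quar_if from $imap_srv to any

# Only the two services it was set up for are reachable, and only from
# the hosts that legitimately need them.  States are floating by default,
# so a state created on $lan_if also lets the packet out on $quar_if.

# LMTP delivery from the trusted MTA.  24/tcp is "lmtp" in /etc/services;
# adjust if your cyrus.conf listens elsewhere.
pass in on $lan_if proto tcp from $mta to $imap_srv port 24 flags S/SA keep state

# IMAP and IMAPS from the users' network.
pass in on $lan_if proto tcp from $lan to $imap_srv port { 143, 993 } flags S/SA keep state
```

Load it with `pfctl -nf /etc/pf.conf` first (parse only) and then `pfctl -f /etc/pf.conf`, and check with `tcpdump -n -e -ttt -i pflog0` that the blocked connection attempts from the box really show up in the log; those attempts are exactly the traces of what he is still trying to do. Note that this ruleset also cuts the box off from remote syslog, NTP and DNS, which is intended, but it means the logs stay on a machine you no longer trust; if you want them off-box, open a single hole for UDP 514 to one collector host and nothing else.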