[ale] Linux Firewall

Jacob Langseth jlangseth at vodavi-ct.com
Thu Apr 8 13:56:17 EDT 1999


> Well it appears that we have been hacked again, with someone setting up
> users with root privilege, no damage has been done thankfully but it is
> a little disconcerting. This time there is no clear indication of how
> they got in. Should I disable anonymous ftp? Has anyone else experienced
> anything like this or have any suggestions, we are planning an upgrade
> to 5.2 soon.

Regarding compromise of your firewall,

Once the system has been compromised, a complete reinstallation
is absolutely MANDATORY, unless you happen to have md5 checksums
of every binary, kernel image and module on the system on a separate
read only floppy.  There are simply too many ways for the intruder(s) to
leave themselves back doors to expect to catch them all.

My advice would be to take another system (could even be on much
more modest hardware if that is all that is available), install either the
latest version of redhat, or since this is a server, ideally debian,
migrate over the customer information, mail spool files, etc, and bring
the box up in its place.  Leave the old system on line for a little while
(with EVERY service turned off, cron jobs flushed, dialups unplugged,
etc) so that the outgoing mail queue may finish flushing, and then turn
it off for good.  If you had to go with modest hardware to procure the
replacement, now would be a good time to place the new drive in the
original hardware, completing the replacement of the server.

Be sure to ONLY use encrypted connections to the new server or log
in at the console, as the compromised system is sure to have a sniffer
on it.  Change the passwords on your routers (from the console) before
bringing the new system on line as well.  I worked on an incident once
where I spent about 12 hours banging my head against the wall trying to
figure out why my new server couldn't talk to the outside net...  Turned out
the person had been dialed into the network while I was working on the
replacement, and had hard coded an arp entry in the cisco in an attempt
to force me to keep the compromised system online.  Learned several
things that day, I did.

--
Jacob Langseth
Vodavi-CT, Inc.		<jlangseth at vodavi-ct.com>
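An added example, not from the post or its author, of the checksum-baseline practice Jacob describes as the one alternative to a full reinstall: take digests of every file under a tree on a known-good system, store them off the host in `md5sum`/`sha256sum` line format, and later compare the live tree against that stored copy. All file names and contents in the test are constructed. The default algorithm is sha256 rather than the md5 the post names, with md5 still selectable for reading older baseline files.

```python
"""Build and verify a file-integrity baseline (added example, not from the post).

A baseline is only as trustworthy as where it is kept and what checks it:
the stored digests must live where the host cannot rewrite them (the post's
read-only floppy), and the interpreter and this script should come from
trusted media too, since a rootkit can replace the checking tools as easily
as the binaries being checked.
"""
import hashlib
import os
from pathlib import Path


def hash_file(path, algorithm="sha256", chunk_size=65536):
    """Return the hex digest of a file, read in chunks so large files fit."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root, algorithm="sha256"):
    """Map every regular file under `root` (relative POSIX path) to its digest.

    Symlinks are skipped: a link can be repointed at a clean file while the
    real binary it used to name is replaced, so hashing through links hides
    exactly the change a baseline exists to catch.
    """
    root = Path(root)
    baseline = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = Path(dirpath) / name
            if full.is_symlink() or not full.is_file():
                continue
            baseline[full.relative_to(root).as_posix()] = hash_file(full, algorithm)
    return baseline


def verify_baseline(baseline, root, algorithm="sha256"):
    """Diff a stored baseline against the live tree under `root`.

    Returns sorted lists of 'modified' (digest differs), 'missing' (in the
    baseline, gone from disk) and 'added' (on disk, absent from the baseline).
    All three empty means the tree matches the baseline exactly.
    """
    current = build_baseline(root, algorithm)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "missing": sorted(p for p in baseline if p not in current),
        "added": sorted(p for p in current if p not in baseline),
    }


def write_baseline(baseline, dest):
    """Write '<digest>  <path>' lines, the format md5sum/sha256sum -c accept."""
    with open(dest, "w") as f:
        for rel in sorted(baseline):
            f.write(f"{baseline[rel]}  {rel}\n")


def read_baseline(src):
    """Parse a baseline written by write_baseline or by md5sum/sha256sum.

    Both the text-mode separator ('  ') and the binary-mode one (' *') are
    accepted.
    """
    baseline = {}
    with open(src) as f:
        for line in f:
            line = line.rstrip("\n")
            if not line:
                continue
            digest, sep, rel = line.partition("  ")
            if not sep:
                digest, _sep, rel = line.partition(" *")
            baseline[rel] = digest
    return baseline


if __name__ == "__main__":
    import sys
    # Usage: integrity.py build  <root> <baseline-file>   (run on a clean system)
    #        integrity.py verify <root> <baseline-file>   (baseline read from trusted media)
    mode, root, path = sys.argv[1:4]
    if mode == "build":
        write_baseline(build_baseline(root), path)
    else:
        for kind, files in verify_baseline(read_baseline(path), root).items():
            for rel in files:
                print(f"{kind}: {rel}")
```

Run `build` against `/bin`, `/sbin`, `/lib` and the kernel image while the system is still known clean, copy the output to write-protected media, and run `verify` from that media afterwards; any entry in `modified`, `missing` or `added` that no package upgrade explains is the signal the post says you otherwise cannot get.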
