Firewall Wizards mailing list archives
Re: RE: Help. How to stop attacks on gateway/linux host.
From: "Paul D. Robertson" <paul () compuwar net>
Date: Mon, 13 Dec 2004 09:20:00 -0500 (EST)
On Mon, 13 Dec 2004, Yesh Sriram wrote:
> For the last 6 months our DSL bills are extremely high. We examined our logs and there is someone using the bandwidth from our host every night. We can turn off the machine but not sure if this is the right solution.
If it reduces your costs enough, then it's at least a step in the right direction.
> We have done the following (for the last three months)
> - Change passwords every 3 days
Changing passwords on an already compromised machine doesn't gain you much of anything. You must remove the compromised components or reinstall.
> - Run only http, https, ssh
> - Disable ftp
Web servers are notorious for compromise, as is FTP, SSL and older SSH implementations - if your system wasn't up to date at some point, it's likely compromised. Chkrootkit is a good place to start.
> But we still continue to see the nightly breaks into our host machine. We have no Linux expertise except as developers.
There are plenty of people who do have it, perhaps you should consider a consultant? There are likely to be experienced admins in your area who could spend an hour or so checking the system and cleaning it up. Look for a local Linux user's group.
> We checked out firewall software price and it's expensive, and there is no expert support available. Can someone
There is *lots* of firewall software available, some is cheap, some isn't, and some is even free - but in your case, if you don't have the experience to deal with it, or the time, then you need to look at what the DSL is costing you, and decide if going with a commercial product makes sense.
> suggest a fix for this. Even a policy fix/advice would be helpful.
Figure out what the traffic is, and where it's coming from process-wise, and clean up the system, or just back up your data, build a new system with all the patches and up to date software, then put your data on that. If you've got active content such as PHP, or other Web applications, look at them as a potential source of compromise if the rest of the system is up to date.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
paul () compuwar net   which may have no basis whatsoever in fact."
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
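Added example, not part of the thread or anyone's posted code: a small POSIX shell script for the "figure out what the traffic is, and where it's coming from process-wise" step. It ties each established connection to the process that owns it and summarises logged outbound connections by hour and by destination, so a nightly pattern and the process behind it show up in a few lines. It assumes iproute2 `ss` (the older `netstat -tnp` prints the same process column), an iptables LOG rule on the DSL interface as shown in the comment, and syslog writing kernel messages to /var/log/messages; the interface name ppp0 and all sample data are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the original thread: triage an unexplained
# nightly bandwidth spike on a Linux host by tying live connections to the
# process that owns them and by summarising logged outbound connections by
# hour and destination. Assumes iproute2 `ss` (netstat -tnp is the older
# equivalent) and an iptables LOG rule such as
#   iptables -I OUTPUT -o ppp0 -p tcp --syn -j LOG --log-prefix "OUTBOUND: "
# (ppp0 is an assumed interface name). All sample data below is constructed.

# Constructed sample of `ss -tnp` output: one process holding several
# connections to the same remote service stands out immediately.
SAMPLE_SS="State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
ESTAB 0 0 192.0.2.10:52110 198.51.100.7:6667 users:((\"perl\",pid=4123,fd=3))
ESTAB 0 0 192.0.2.10:52114 198.51.100.7:6667 users:((\"perl\",pid=4123,fd=4))
ESTAB 0 0 192.0.2.10:52130 198.51.100.9:6667 users:((\"perl\",pid=4123,fd=5))
ESTAB 0 0 192.0.2.10:22 203.0.113.44:51822 users:((\"sshd\",pid=812,fd=6))
ESTAB 0 0 192.0.2.10:443 203.0.113.80:40011 users:((\"httpd\",pid=1201,fd=9))"

# Constructed sample of kernel log lines written by the LOG rule above, plus
# one unrelated sshd line that the filters must ignore.
SAMPLE_LOG="Dec 13 02:14:07 gw kernel: OUTBOUND: IN= OUT=ppp0 SRC=192.0.2.10 DST=198.51.100.7 LEN=60 PROTO=TCP SPT=52110 DPT=6667 SYN
Dec 13 02:14:09 gw kernel: OUTBOUND: IN= OUT=ppp0 SRC=192.0.2.10 DST=198.51.100.7 LEN=60 PROTO=TCP SPT=52114 DPT=6667 SYN
Dec 13 02:15:00 gw sshd[812]: Accepted password for www from 203.0.113.44 port 51822 ssh2
Dec 13 02:31:40 gw kernel: OUTBOUND: IN= OUT=ppp0 SRC=192.0.2.10 DST=198.51.100.9 LEN=60 PROTO=TCP SPT=52130 DPT=6667 SYN
Dec 13 09:05:12 gw kernel: OUTBOUND: IN= OUT=ppp0 SRC=192.0.2.10 DST=203.0.113.2 LEN=60 PROTO=TCP SPT=41022 DPT=80 SYN"

# Count established connections per owning process name (stdin: ss -tnp text).
count_by_process() {
    awk '/^ESTAB/ && match($0, /users:\(\("[^"]+"/) {
        # strip the leading users:((" and the closing quote
        name = substr($0, RSTART + 9, RLENGTH - 10)
        n[name]++
    }
    END { for (k in n) print n[k], k }' | sort -rn
}

# Count new outbound connections per hour of day (stdin: syslog text).
new_conns_by_hour() {
    awk '/OUTBOUND: / { h[substr($3, 1, 2)]++ }
         END { for (k in h) print k, h[k] }' | sort
}

# Count new outbound connections per destination address:port (stdin: syslog text).
top_destinations() {
    awk '/OUTBOUND: / {
        dst = ""; dpt = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^DST=/) dst = substr($i, 5)
            if ($i ~ /^DPT=/) dpt = substr($i, 5)
        }
        d[dst ":" dpt]++
    }
    END { for (k in d) print d[k], k }' | sort -rn
}

# Live use on the affected host (not run against the samples).
live_report() {
    echo "== established connections per process =="
    ss -tnp | count_by_process
    echo "== new outbound connections per hour =="
    new_conns_by_hour < /var/log/messages
    echo "== most contacted destinations =="
    top_destinations < /var/log/messages | head -n 10
}

# Demonstration on the constructed samples.
printf '%s\n' "$SAMPLE_SS" | count_by_process
printf '%s\n' "$SAMPLE_LOG" | new_conns_by_hour
printf '%s\n' "$SAMPLE_LOG" | top_destinations
```

On the constructed data the report shows one process (perl, pid 4123) holding three of the five connections, all new outbound connections clustering in the 02:00 hour, and the same destination address and port contacted repeatedly. On a real host the next step is to confirm what that process actually is (`ls -l /proc/4123/exe`, `ps -o user,lstart,cmd -p 4123`) and whether the binary and its parent belong to an installed package, which is also the point at which chkrootkit and a rebuild from known-good media, as the reply recommends, come into play.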
Current thread:
- RE: Help. How to stop attacks on gateway/linux host. Yesh Sriram (Dec 13)
- Re: RE: Help. How to stop attacks on gateway/linux host. Paul D. Robertson (Dec 13)
- Re: RE: Help. How to stop attacks on gateway/linux host. Devdas Bhagat (Dec 13)