Firewall Wizards mailing list archives

Re: RE: Help. How to stop attacks on gateway/linux host.


From: "Paul D. Robertson" <paul () compuwar net>
Date: Mon, 13 Dec 2004 09:20:00 -0500 (EST)

On Mon, 13 Dec 2004, Yesh Sriram wrote:

> For the last 6 months our DSL bills are extremely high. We examined our
> logs and there is someone using the bandwidth from
> our host every night. We can turn off the machine but not sure if this is
> the right solution.

If it reduces your costs enough, then it's at least a step in the right
direction.


> We have done the following (for the last three months)
> - Change passwords every 3 days

Changing passwords on an already compromised machine doesn't gain you much
of anything.  You must remove the compromised components or reinstall.


> - Run only http, https, ssh
> - Disable ftp

Web servers are notorious for compromise, as is FTP, SSL and older SSH
implementations- if your system wasn't up to date at some point, it's
likely compromised.  Chkrootkit is a good place to start.

> But we still continue to see the nightly breaks into our host machine.
> We have no Linux expertise except as developers.

There are plenty of people who do have it, perhaps you should consider a
consultant?  There are likely to be experienced admins in your area who
could spend an hour or so checking the system and cleaning it up.  Look
for a local Linux users' group.

> We checked out firewall software price and it's expensive, and there is
> no expert support available. Can someone

There is *lots* of firewall software available, some is cheap, some isn't,
and some is even free- but in your case, if you don't have the experience
to deal with it, or the time, then you need to look at what the DSL is
costing you, and decide if going with a commercial product makes sense.

> suggest a fix for this. Even a policy fix/advice would be helpful.

Figure out what the traffic is, and where it's coming from process-wise,
and clean up the system, or just back up your data, build a new system
with all the patches and up to date software, then put your data on that.

If you've got active content such as PHP, or other Web applications, look
at them as a potential source of compromise if the rest of the system is
up to date.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
paul () compuwar net       which may have no basis whatsoever in fact."
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
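As an added illustration of the "figure out what the traffic is, and where it's coming from process-wise" step in Paul's reply (this script is not part of the thread and is not something either poster wrote): a small POSIX shell triage script. It assumes that the three services the poster says are allowed (ssh, http, https) correspond to local ports 22, 80 and 443, and it parses socket lines in the format printed by iproute2's `ss -tunp` (on a 2004-era box, `netstat -tunp` gives the same information in a slightly different layout, so adjust the field numbers). The sample socket lines embedded in the script are constructed for the example.

```shell
#!/bin/sh
# Added example: tie every open socket to a PID and flag the ones that are
# not one of the services this host is supposed to run. Assumptions: allowed
# services are ssh/http/https on ports 22/80/443; input is `ss -tunp` output.

# Local ports the host is expected to serve (assumed from the poster's list).
ALLOWED_PORTS="22 80 443"

# Constructed sample of `ss -tunp` output, used when the script is run
# without the "live" argument, so the parser can be exercised offline.
SAMPLE_SS_OUTPUT='Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
tcp ESTAB 0 0 192.0.2.10:22 198.51.100.7:51022 users:(("sshd",pid=812,fd=5))
tcp ESTAB 0 0 192.0.2.10:443 198.51.100.8:40211 users:(("httpd",pid=901,fd=9))
tcp ESTAB 0 0 192.0.2.10:6667 203.0.113.9:35533 users:(("sh",pid=1337,fd=3))
tcp ESTAB 0 0 192.0.2.10:31337 203.0.113.44:2200 users:(("ftpd",pid=1402,fd=4))
udp ESTAB 0 0 192.0.2.10:41022 192.0.2.1:53 users:(("httpd",pid=901,fd=14))'

# port_allowed PORT: succeed if PORT is one of ALLOWED_PORTS.
port_allowed() {
    for p in $ALLOWED_PORTS; do
        [ "$p" = "$1" ] && return 0
    done
    return 1
}

# suspicious_sockets: read `ss -tunp` lines on stdin and print, for every
# socket whose local port is NOT in the allowlist, one line of the form
#   proto local_port peer pid comm
# The header line is skipped. Fields 5 and 6 are local and peer address:port;
# the owning process is pulled out of the users:(("comm",pid=N,fd=M)) column.
suspicious_sockets() {
    awk -v allowed="$ALLOWED_PORTS" '
    BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    NR == 1 { next }
    NF >= 6 {
        lport = $5; sub(/.*:/, "", lport)          # strip address, keep port
        pid = ""; comm = ""
        if (match($0, /users:\(\("[^"]+",pid=[0-9]+/)) {
            s = substr($0, RSTART, RLENGTH)
            comm = s; sub(/^users:\(\("/, "", comm); sub(/".*/, "", comm)
            pid = s; sub(/.*pid=/, "", pid)
        }
        if (!(lport in ok)) print $1, lport, $6, pid, comm
    }'
}

# triage_live: run the check against the real socket table and, for each
# flagged PID, show what binary it is running. Needs root so `ss -p` can see
# other users' processes. A "(deleted)" suffix on the exe link means the
# process runs from a binary that has since been removed from disk, which is
# a common trait of dropped malware and worth a very close look.
triage_live() {
    ss -tunp 2>/dev/null | suspicious_sockets | while read -r proto lport peer pid comm; do
        exe=$(readlink "/proc/$pid/exe" 2>/dev/null || echo "?")
        echo "$proto local_port=$lport peer=$peer pid=$pid comm=$comm exe=$exe"
    done
}

# Usage: sh triage.sh        -> run the parser over the constructed sample
#        sh triage.sh live   -> run against this host's socket table (as root)
if [ "${1:-}" = "live" ]; then
    triage_live
else
    printf '%s\n' "$SAMPLE_SS_OUTPUT" | suspicious_sockets
fi
```

Expect some benign noise in what gets flagged: outbound DNS lookups by the web server (the last sample line) or NTP use random local ports and will show up alongside the genuinely odd entries, so the output is a list of sockets to explain, not a verdict. The value is in the PID: once a socket that is moving the nightly traffic is tied to a process, its `/proc/PID/exe`, `/proc/PID/cwd` and `/proc/PID/cmdline`, plus the crontabs that keep restarting it, tell you what was dropped. If the box has a kernel-level rootkit the socket table itself may be lying, which is exactly why Paul's rebuild-from-backup advice is the safer path.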