Just an FYI. You will find that your site(s) is (are) being attacked constantly. This is not due to any misconfiguration on your part but just a fact of life when you connect a PC to the internet.

One of the best things you can do is run security checks on your systems. Take a look at Nessus. You should be aware that Nessus reports should be read thoroughly, as many issues tend to get repeated and the severity of some items I have found to be suspect. Nessus shoots for a high paranoia level, which is good. Better to consider a problem a hole and find out later that it's a minor issue than the other way around. I recommend you run the tests from a local subnet and from a remote location. You may grant access to some things locally but not allow them from remote systems; DNS comes to mind.

You may want to take a peek at Snort, though be aware that NIDS tend to take a fair amount of care and feeding for them to work properly.

I find kidiots throwing MS attacks at my Linux web servers all the time. Port scans are very common also. Just keep your firewalls buttoned up and give 'em a big raspberry.

-----Original Message-----
From: John Summerfield [mailto:summer@os2.ami.com.au]
Sent: Thursday, May 16, 2002 12:59 PM
To: redhat-devel-list@redhat.com
Subject: Re: Crackers?

> John Summerfield (summer@os2.ami.com.au) said:
> > Is this being broken into? If so, what do I look for?
> >
> > This is one line. There were quite a few.
> >
> > May 6 03:22:36 gateway SERVER[5344]: Dispatch_input: bad request line
>
> This is someone trying to break into LPRng, as I recall - I believe
> if you get the log message, you're OK. ;)

I'm hoping there are more ideas.... Better too many than too few in these circumstances.

I went digging on Google after I wrote. I discovered lots of reported attempts of people trying to hit dump() and some nfs().
There was also a mention of someone breaking into the IMAP service, and that is a worry because
a) the boss wants to get his mail from outside, and
b) there was a report from the ISP of the site being unfriendly with the mail it was sending. I don't know the specifics, though.

I could not find any evidence of residual harm, and the fact that we have the log messages suggests either a beginner or a failure.

I used RPM to validate the installed packages (rpm -Va) and saw nothing especially odd (paying special attention to the ls command), and find to find unexpected executables. I applied what updates I had (I'm getting the latest now), force-reinstalled rpm, and rechecked. I was going to check using Bero's Enigma rescue CD, but it's got the wrong version of rpm on it.

Oh, the system has webmin on it; I updated that to the latest I have, found there's a security update on that, got the latest there is and installed that, and tightened it up so you can't try guessing passwords indefinitely.

--
Cheers
John Summerfield

Microsoft's most solid OS: http://www.geocities.com/rcwoolley/
Note: mail delivered to me is deemed to be intended for me, for my disposition.
==============================
If you don't like being told you're wrong, be right!

_______________________________________________
Redhat-devel-list mailing list
Redhat-devel-list@redhat.com
https://listman.redhat.com/mailman/listinfo/redhat-devel-list
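The package check John describes (rpm -Va, with special attention to binaries such as ls) produces a long and noisy list on any host that has been in service for a while. As an added example that is not part of the thread, the script below triages that output so modified binaries are separated from edited config files; it assumes the standard rpm -Va line layout (attribute column, optional file-type letter, path) and uses a constructed sample in place of real output.

```sh
#!/bin/sh
# Added example, not from the thread: triage "rpm -Va" output so changed
# binaries stand out from the expected noise of edited config files.
# rpm -Va line format:  <attrs> [type] <path>   e.g. "SM5....T  c /etc/lpd.conf"
# attrs: S size, M mode, 5 digest, D device, L link, U user, G group, T mtime
# ("." = unchanged; newer rpm adds P capabilities); type "c" = config file;
# the word "missing" replaces attrs for deleted files.
# Caveat: rpm -Va trusts the local rpm database and binary, which a
# compromised host can tamper with; treat this as a first pass only.

# Read rpm -Va output on stdin; print one classified line per input line:
#  SUSPECT content/size/mode changed on a non-config file, or any change
#          under a bin, sbin or lib directory
#  MISSING packaged file deleted;  CONFIG edited config file (expected);
#  INFO    anything else (e.g. only mtime or a symlink target changed)
triage_rpm_va() {
    while read -r attrs rest; do
        # rest is "[type] path": split off a single-letter type if present
        case "$rest" in
            [cdglr]\ *) ftype=${rest%% *}; path=${rest#* } ;;
            *)          ftype=""; path=$rest ;;
        esac
        case "$attrs" in
            missing) echo "MISSING $path"; continue ;;
            [SM5DLUGTP.]*) ;;
            *) continue ;;   # not an rpm -Va line (e.g. a warning)
        esac
        case "$attrs" in *5*|*S*|*M*) changed=1 ;; *) changed=0 ;; esac
        case "$path" in */bin/*|*/sbin/*|*/lib/*) sensitive=1 ;; *) sensitive=0 ;; esac
        if [ "$ftype" = c ] && [ "$sensitive" = 0 ]; then
            echo "CONFIG $path $attrs"
        elif [ "$changed" = 1 ] || [ "$sensitive" = 1 ]; then
            echo "SUSPECT $path $attrs"
        else
            echo "INFO $path $attrs"
        fi
    done
}

# Constructed sample standing in for real "rpm -Va" output.
SAMPLE_RPM_VA='..5....T    /bin/ls
S.5....T    /usr/sbin/lpd
.......T  c /etc/lprng/lpd.conf
SM5....T  c /etc/passwd
missing     /usr/bin/find
....L...    /usr/share/doc/README'

# Run the triage over the sample; on a real host use:  rpm -Va | triage_rpm_va
triage_sample() { printf '%s\n' "$SAMPLE_RPM_VA" | triage_rpm_va; }
```

A SUSPECT hit on a system binary is the point to stop trusting the host's own tools and compare against known-good media, which is what the rescue-CD check in the message is for.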