
Re: [cobalt-users] RaQ3 log files and system upgrades



From: M Fryer <mfryer@xxxxxxxxxx>

Hi,

I appreciate your concern to secure your Cobalt.
If everyone did it, we wouldn't see the
mass probing that seems to go on lately.

But you have to dig into the problems
yourself. There is no easy answer in this area
(short of hiring an admin to do the job for you).

Look into the archives of the cobalt_security
mailing list, for example. Have a look at
securityfocus.com. And get your hands dirty.

> 1) Which log files do you recommend we keep a close eye on to catch
> tampering by hackers/pranksters?

Install logcheck or similar.

> We currently review the web.log each week? Any others helpful?

ONE WEEK? You give an intruder one full week to play
with your server? It won't be your server any longer after
half an hour.

> 2) BTW, we sent this question to Cobalt like a week ago and still no
> answer.
> Our machine has:
> Cobalt OS Release 5.0
> RaQ3-Security Release 1.2
> RaQ3-SecurityRelease 2.2
> RaQ3E-Update-OS Release 2.0

Given your configuration it's a matter of hours (at most) to break
into your machine with one of the published exploits.
Any script kiddie can do it in less than 30 minutes
(including securing the system and cleaning up the logs
and installing all kinds of backdoors).

That's like posting "the keys are in the flower pot beside the entrance".

Secure your workstation, from which you are
doing all your admin work. If it's a Windowz,
install a firewall (easiest is ZoneAlarm).

Install OpenSSH and disable telnet.

Change admin and root passwords.

Install OS update 3.0.

Install qpopper 3.02 and the newest proftpd.

Install a logchecker which will mail you suspicious activities
(preferably to an account which will send a message to your
beeper or mobile phone as soon as a new mail arrives) and to an email
account which is not on the same server.

Install and set up portsentry or similar.

Install and set up tripwire or similar.

Do it NOW, you have the whole weekend. :o)

And don't go online with any new machine in
the future before having done all that.
It would be like going down to the street in the
morning with your trousers around your ankles.


Mike
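The logchecker step above, as an added example that is not from the original post or the logcheck project: a minimal logcheck-style scanner in Python that reports only the lines appended since its last run, so it can be cron-driven every few minutes rather than reviewed weekly. The hostname, log lines, alert and ignore patterns are all constructed for the demonstration and should be tuned to the real server.

```python
import re
import tempfile
from pathlib import Path
# Events worth an immediate alert (constructed patterns; tune them to your own logs).
ALERT_PATTERNS = [
    re.compile(r"Failed password|authentication failure", re.I),
    re.compile(r"su\[\d+\]: .*session opened for user \w+"),  # any su
    re.compile(r"portsentry\[\d+\]: attackalert"),
]
# Known-benign noise that would otherwise page you every night (constructed allowlist).
IGNORE_PATTERNS = [re.compile(r"su\[\d+\]: .*session opened for user backup by root")]

def scan_lines(lines):
    """Return the lines matching an alert pattern and no ignore pattern."""
    return [line for line in lines
            if not any(p.search(line) for p in IGNORE_PATTERNS)
            and any(p.search(line) for p in ALERT_PATTERNS)]

def scan_new(log_path, state_path):
    """Report only lines appended since the last run: a byte offset kept in
    state_path means each event is reported once; a log that shrank was rotated."""
    log, state = Path(log_path), Path(state_path)
    offset = int(state.read_text()) if state.exists() else 0
    if log.stat().st_size < offset:  # rotated or truncated: start over
        offset = 0
    with log.open("rb") as fh:
        fh.seek(offset)
        chunk = fh.read()
    state.write_text(str(offset + len(chunk)))
    return scan_lines(chunk.decode("utf-8", "replace").splitlines())

# Constructed syslog-style lines standing in for /var/log/messages on the RaQ.
SAMPLE_LOG = [
    "Jun  2 03:14:01 raq3 CRON[1122]: (root) CMD (run-parts /etc/cron.hourly)",
    "Jun  2 03:15:22 raq3 sshd[1130]: Failed password for root from 192.0.2.44 port 4022",
    "Jun  2 03:16:00 raq3 su[1140]: session opened for user backup by root(uid=0)",
    "Jun  2 03:16:09 raq3 su[1141]: session opened for user root by nobody(uid=99)",
    "Jun  2 03:17:55 raq3 portsentry[233]: attackalert: Connect from host: 192.0.2.44 to TCP port: 111",
]

def demo():
    """Three runs on a temp log: initial scan, nothing new, then one appended event."""
    with tempfile.TemporaryDirectory() as tmp:
        log, state = Path(tmp, "messages"), Path(tmp, "messages.offset")
        log.write_text("\n".join(SAMPLE_LOG) + "\n")
        first, second = scan_new(log, state), scan_new(log, state)
        with log.open("a") as fh:
            fh.write("Jun  2 03:20:30 raq3 sshd[1150]: Failed password for admin from 192.0.2.44 port 4031\n")
        third = scan_new(log, state)
    return first, second, third
```

In practice the hits returned by `scan_new` would be piped to mail for an off-server account, as the post recommends, and the state file kept somewhere the web server user cannot write.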