
RE: [cobalt-users] Security Problems



On Sat, 30 Jun 2001, DJ Busch wrote:

} I've downloaded and installed it, but I'm not exactly sure what to watch
} for.

Watch for connections from your server to other servers. If you
installed it you now have the ability to see all inbound and
outbound connections in real time. With the exception of SMTP
connections for sending mail and DNS queries, your server has
little, if any, reason to connect to other servers. Thus, for
example, if you are seeing

-- your server
|
-- someone else's server: 111

	You are probably watching a scan in progress.

	The situation is that IP addresses and domain names are
easily spoofed. Thus the scans that are being reported as
originating from your server may or may not be originating from it.
The server, however, need not be compromised in order to be used for
scanning other servers. A user can easily and quickly install the
functionality in their account.

	Thus, the first step is to determine if the scans are indeed
originating from your server. iptraf is a great tool for doing just
that. You might have to find someone that knows more about this than
you do to determine if scans are originating from your server. But,
for the most part, if you know the scan type or simply watch for
outbound connections to ports that your server has little, if any,
reason to try and connect to, you should be able to tell quite
easily.

	If you don't know enough to proceed, use the logging
function to record the IP traffic for, say, an hour or so, then
perhaps get your ISP's help desk crew to take a peek at the
resulting file for you.

	brent

	Elmer Fuddpucker's WWW Directory
	http://www.fuddpucker.com/
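
Added example, not part of the original message: a sketch of the check described above, flagging connections the server itself opens to ports other than SMTP and DNS, and marking a port as a possible scan when many different hosts are contacted on it. The record format, addresses, listening ports and threshold are assumptions made for the example; this is not iptraf's log format.

```python
from collections import defaultdict

SERVER_IP = "192.0.2.10"       # assumption: this server's address
EXPECTED_PORTS = {25, 53}      # SMTP and DNS, the exceptions named in the message
SERVICE_PORTS = {25, 80}       # assumption: ports this server itself listens on
SCAN_THRESHOLD = 3             # assumption: distinct remote hosts on one port

# Constructed records, "src_ip:src_port dst_ip:dst_port" (not iptraf's log format).
SAMPLE = """\
192.0.2.10:34512 198.51.100.7:25
192.0.2.10:34513 198.51.100.53:53
203.0.113.5:40211 192.0.2.10:80
192.0.2.10:80 203.0.113.5:40211
192.0.2.10:34600 198.51.100.20:111
192.0.2.10:34601 198.51.100.21:111
192.0.2.10:34602 198.51.100.22:111
192.0.2.10:34610 203.0.113.99:8080
"""

def parse(line):
    """Split one record into (src_ip, src_port, dst_ip, dst_port)."""
    src, dst = line.split()
    src_ip, src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return src_ip, int(src_port), dst_ip, int(dst_port)

def unexpected_outbound(text, server=SERVER_IP):
    """Return {dst_port: {remote hosts}} for server-initiated traffic to
    ports other than the expected ones."""
    hits = defaultdict(set)
    for line in text.splitlines():
        if not line.strip():
            continue
        src_ip, src_port, dst_ip, dst_port = parse(line)
        if src_ip != server:
            continue                      # inbound traffic
        if src_port in SERVICE_PORTS:
            continue                      # reply from a local service to its client
        if dst_port not in EXPECTED_PORTS:
            hits[dst_port].add(dst_ip)
    return dict(hits)

def likely_scans(hits, threshold=SCAN_THRESHOLD):
    """Ports on which the server contacted many different hosts."""
    return sorted(p for p, hosts in hits.items() if len(hosts) >= threshold)

if __name__ == "__main__":
    found = unexpected_outbound(SAMPLE)
    for port, hosts in sorted(found.items()):
        print(port, sorted(hosts))
    print("possible scan ports:", likely_scans(found))
```

The SERVICE_PORTS check keeps replies from the local web or mail service to a client's high port from being counted as outbound connections.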