SCIENTIFIC-LINUX-USERS Archives

September 2008

SCIENTIFIC-LINUX-USERS@LISTSERV.FNAL.GOV

Subject:
From:
Doug Johnson <[log in to unmask]>
Reply To:
Doug Johnson <[log in to unmask]>
Date:
Tue, 30 Sep 2008 19:39:53 -0600
Content-Type:
text/plain
Parts/Attachments:
text/plain (106 lines)
Greetings,

I think your best bet is to run at least the minimal SL (actually
RedHat) firewall via iptables. To protect yourself against brute force
attacks, I use ossec (http://www.ossec.net/). It is a very good product
and works by analyzing log files so that it cannot be compromised via a
network attack.

	Hope this helps,
	doug

> 
> Eduardo Bach wrote:
> > Hello Troy,
> >
> > Sorry, the last answer was a draft sent in error. Now is correct.
> >
> > Thank you for responding so promptly. Here are below the answers to your
> > questions:
> >
> > Troy Dawson wrote:
> >   
> >> Eduardo Bach wrote:
> >>     
> >>> Hello to all,
> >>>
> >>> One of our servers was invaded. We just started the investigation,
> >>> but the main clue, besides some strange files copied and deleted, is
> >>> that the sshd binary has changed. Its original size was ~313KB and it
> >>> grew to 1.18MB. Its version was 3.9p1-11.e4_7. As we are at the beginning
> >>> of the investigation, I wonder if anyone has had a similar problem, or has
> >>> any clue on how the intruder may have entered?
> >>> Thanks in advance.
> >>>
> >>> Eduardo Bach
> >>>       
> >> Hi,
> >> I'm not the best investigator of break-ins, so I am probably not going
> >> to have an answer, but with the information you gave us, it could be
> >> anything.  It could be someone got a password from somewhere, to
> >> apache running as root.
> >>
> >> So here is a couple of questions that might help get started.
> >>
> >> What version of linux was it running? If not linux, what OS was it
> >> running?
> >>     
> >
> > Scientific Linux 4.6.
> >
> >   
> >> What services did it have?  Was it a web server, a database server, a
> >> desktop?
> >>
> >> How many users had access to the machine?  Was it a server with only
> >> one user, or a general login machine?
> >>
> >> How could people login?  ssh only?  telnet? rsh?
> >>
> >> Did your average person have physical access to the machine?
> >>     
> >
> > This server had only one service: sshd, and had no firewall. This was a
> > general login machine for just a few users (<20). When I wrote my
> > first email, I suspected a bug in ssh, but looking on the internet I
> > did not find any report for this version. Now I am thinking of the
> > possibility that the hacker found the password of one of the users by
> > brute force, and exploited some bug from there, inside the system.
> > Finding which bug was exploited after the acquisition of the password is
> > not as important to me now as making sure that this was how he/she was
> > able to enter.
> >
> >   
> >> Answers to those questions help track things down.
> >> Another thing most people do is take a snapshot of the disk, so your
> >> investigation doesn't mess up the evidence.
> >> Troy
> >>     
> > A backup server is up, so we have the time we need to identify what
> > happened.
> > Thanks again for your help.
> >
> > Eduardo Bach
> >
> >
> >   
> 
> It's also a good idea to change the ssh port to something other than the 
> default; this will stop the "ssh-brute-force-crack" that has been 
> plaguing the internet for as long as I can remember.
> See http://openssh.org/manual.html for specific instructions.
> 
> Regards,
> 
> Bruce Prewit
> 

---------------------------------------------------------------------------- 
   Doug Johnson                    email: [log in to unmask]        
   B390, Duane Physics             (303)-492-4506 Office                     
   Boulder, CO 80309               (303)-492-5119 FAX                        
                                   http://www.aaccchildren.org               
   I talk to the wind, my words are all carried away
   I talk to the wind, the wind does hear, the wind cannot hear. 
----------------------------------------------------------------------------
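Doug's point is that a log-analysis tool such as OSSEC catches password brute forcing by reading sshd's log, and Eduardo's working theory is that an attacker guessed a user's password and then logged in normally. The script below is an added example, not code from this thread or from the OSSEC project: it parses syslog-style sshd lines, raises an alert when one source address produces too many "Failed password" events inside a short window, and raises a second, higher-priority alert if that same address later gets an "Accepted" login, which is exactly the pattern a successful brute force leaves behind. The log lines are constructed for the example (documentation IP ranges, made-up user names and PIDs), and the threshold and window values are assumptions a real deployment would tune.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample of sshd log lines in syslog format (not real hosts or
# users; 198.51.100.0/24 and 203.0.113.0/24 are documentation ranges).
SAMPLE_LOG = """\
Sep 30 19:01:02 host sshd[2101]: Failed password for invalid user admin from 198.51.100.7 port 40211 ssh2
Sep 30 19:01:05 host sshd[2103]: Failed password for root from 198.51.100.7 port 40212 ssh2
Sep 30 19:01:09 host sshd[2105]: Failed password for invalid user test from 198.51.100.7 port 40213 ssh2
Sep 30 19:01:12 host sshd[2107]: Failed password for ebach from 198.51.100.7 port 40214 ssh2
Sep 30 19:01:15 host sshd[2109]: Failed password for ebach from 198.51.100.7 port 40215 ssh2
Sep 30 19:01:20 host sshd[2111]: Accepted password for ebach from 198.51.100.7 port 40216 ssh2
Sep 30 19:05:00 host sshd[2150]: Failed password for tdawson from 203.0.113.9 port 51000 ssh2
Sep 30 19:05:30 host sshd[2152]: Accepted publickey for tdawson from 203.0.113.9 port 51001 ssh2
"""

# Matches the "Failed <method> for [invalid user] <user> from <ip>" and
# "Accepted <method> for <user> from <ip>" forms sshd writes to syslog.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)


def parse_line(line, year=2008):
    """Return a dict for an sshd auth event, or None for lines we do not track.

    Syslog timestamps carry no year, so the caller supplies one (assumption).
    """
    m = LINE_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "method": m["method"],
            "user": m["user"], "ip": m["ip"]}


def analyze(log_text, threshold=5, window_seconds=60):
    """Scan sshd log text and return a list of alert dicts.

    threshold / window_seconds are assumed tuning values: an IP that fails
    `threshold` times within `window_seconds` is flagged once as a brute-force
    source, and any later Accepted login from a flagged IP is its own alert.
    """
    recent_failures = defaultdict(deque)   # ip -> timestamps of recent failures
    flagged = set()
    alerts = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        ip, ts = ev["ip"], ev["ts"]
        if ev["result"] == "Failed":
            q = recent_failures[ip]
            q.append(ts)
            # Drop failures that fell out of the sliding window.
            while q and (ts - q[0]).total_seconds() > window_seconds:
                q.popleft()
            if len(q) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append({"type": "brute_force", "ip": ip,
                               "count": len(q), "at": ts})
        elif ip in flagged:
            # A success from a source that was just hammering the service is
            # the signature of a guessed password; treat it as an incident.
            alerts.append({"type": "success_after_brute_force", "ip": ip,
                           "user": ev["user"], "method": ev["method"], "at": ts})
    return alerts


if __name__ == "__main__":
    for a in analyze(SAMPLE_LOG):
        print(a)
```

On the sample above the single failure from 203.0.113.9 followed by a key-based login stays quiet, while 198.51.100.7 trips the threshold on its fifth failure and then triggers the higher-priority alert when "ebach" logs in from it with a password. The real tool reads the live log rather than a string, but the decision logic is the same kind OSSEC's rules apply, and the second alert is the one that would have pointed straight at the compromised account in Eduardo's case.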
