Thread: configure Portsentry on Cobalt RAQ550 to keep out hackers (Linux Networking forums, part of the Linux Forums category)
Hello --
I am not a Linux person. My client asked if I could help him configure Portsentry on a Cobalt RAQ550 to keep out hackers. As I understand the situation, for a couple of weeks, hackers have been getting into the system and sending spam.

Is this something I could fix by corresponding with this group? If so, what information should I gather? If not, is it feasible to contract with someone in the group so that I can be on the phone with the expert to walk me through fixing it at the client site?

Thanks for any input.

Larry Mehl
mehl@cyvest.com

---
Outgoing mail is certified Virus Free. Checked by AVG anti-virus system (http://www.grisoft.com). Version: 6.0.498 / Virus Database: 297 - Release Date: 7/8/2003
In comp.os.linux.security L Mehl <mehl@cyvest.com> wrote:
> Hello --
> I am not a Linux person. My client asked if I could help him configure
> Portsentry on a Cobalt RAQ550 to keep out hackers.
> As I understand the situation, for a couple of weeks, hackers have been
> getting into the system and sending spam.
> Is this something I could fix by corresponding with this group? If so, what
> information should I gather?
> If not, is it feasible to contract with someone in the group so that I can
> be on the phone with the expert to walk me through fixing it at the client
> site?

Portsentry is probably the wrong tool for the job. Sun/Cobalt RAQ550s run Linux. The first thing to do is disable unnecessary services, and limit the administrative web (do they still use a webserver on port 81?) and ssh to a few specific administrator workstations (using IPChains and/or IPTables, and/or TCP Wrappers (for ssh that's linked against libwrap)).

You'd be far better off subcontracting this to a qualified Linux consultant than trying to go it alone based just on snippets of advice from people in this newsgroup. None of us is going to know the full situation there based on what you're going to say publicly in the newsgroup.

If I was taking on this job I'd have you ssh into the box, create a dummy account (with me on the phone), have me ssh in to that, install screen if it wasn't there already and then we'd share a multi-user screen session to look at the configuration, edit the necessary files, etc. I'd have you on the phone the whole time explaining everything as I went. That way I'd never have unattended, privileged access to the system (I wouldn't see any passwords that you typed in our screen session and you could lock out my guest account as soon as I was done). I've done this for various customers, including Linuxcare customers when I worked for them. I've also done some mentoring via shared screen session. I'm working with a couple of older RAQ3i's for one of my customers in other windows as I type this.

> Thanks for any input.
> Larry Mehl
> mehl@cyvest.com

--
Jim Dennis, Starshine: Signed, Sealed, Delivered
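The restriction Jim describes (admin web on port 81 and ssh reachable only from a few administrator workstations, via TCP Wrappers and iptables), written out as an added example; this is not code from the thread or from Cobalt. The admin addresses 192.0.2.10 and 192.0.2.11 are constructed, iptables rather than ipchains is assumed, and the policy is printed for review rather than applied.

```shell
#!/bin/sh
# Assumed administrator workstation addresses (constructed for this example).
ADMIN_HOSTS="192.0.2.10 192.0.2.11"
# Ports to fence off: ssh and the Cobalt administrative web server.
ADMIN_PORTS="22 81"

# TCP Wrappers layer: only sshd is wrapped here, because it only helps for
# daemons linked against libwrap (as the post notes). Everything else that
# consults the wrappers is denied by the catch-all in hosts.deny.
tcpwrap_policy() {
    allow=""
    for h in $ADMIN_HOSTS; do
        allow="$allow${allow:+,}$h"
    done
    echo "# /etc/hosts.allow"
    echo "sshd: $allow"
    echo "# /etc/hosts.deny"
    echo "ALL: ALL"
}

# Packet-filter layer: accept the admin ports from the admin hosts, log and
# drop every other connection attempt to them. Logging the drops gives the
# admins a record of who is still probing ssh / port 81 after the lockdown.
iptables_policy() {
    for h in $ADMIN_HOSTS; do
        for p in $ADMIN_PORTS; do
            echo "iptables -A INPUT -p tcp -s $h --dport $p -j ACCEPT"
        done
    done
    for p in $ADMIN_PORTS; do
        echo "iptables -A INPUT -p tcp --dport $p -j LOG --log-prefix \"admin-port-denied: \""
        echo "iptables -A INPUT -p tcp --dport $p -j DROP"
    done
}

# Print both layers so they can be reviewed (e.g. in the shared screen
# session) before anything is written to /etc or loaded into the kernel.
tcpwrap_policy
iptables_policy
```

Running the script only prints the policy; the iptables lines are meant to be pasted into the box's firewall script once the admin address list has been confirmed.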
On Thu, 17 Jul 2003 23:10:35 +0000, L Mehl wrote:
> I am not a Linux person. My client asked if I could help him configure
> Portsentry on a Cobalt RAQ550 to keep out hackers.
>
> As I understand the situation, for a couple of weeks, hackers have been
> getting into the system and sending spam.

Whoever ends up dealing with the problem, here are the first things they'll need to know:

1) How have the hackers been using the system? Are they able to log into it? Is it mis-configured so that anyone on the Internet can send e-mail through it? (This is called an "open relay".)

2) If the hackers are able to log in, then have they managed to access the root account? (If so, then the problem is WAY more serious; they could have planted all kinds of carefully concealed dirty tricks within the system software. The proper cure is to make a full backup, then wipe the hard drive, then re-install the operating system from source media that the hackers couldn't possibly have affected, then restore ONLY non-executable files.)
Thanks Ed.

Larry

"Ed Murphy" <emurphy42@socal.rr.com> wrote in message news:pan.2003.07.18.09.07.44.367316@socal.rr.com...
> On Thu, 17 Jul 2003 23:10:35 +0000, L Mehl wrote:
>
> > I am not a Linux person. My client asked if I could help him configure
> > Portsentry on a Cobalt RAQ550 to keep out hackers.
> >
> > As I understand the situation, for a couple of weeks, hackers have been
> > getting into the system and sending spam.
>
> Whoever ends up dealing with the problem, here are the first things
> they'll need to know:
>
> 1) How have the hackers been using the system? Are they able to log
> into it? Is it mis-configured so that anyone on the Internet can
> send e-mail through it? (This is called an "open relay".)
>
> 2) If the hackers are able to log in, then have they managed to access
> the root account? (If so, then the problem is WAY more serious; they
> could have planted all kinds of carefully concealed dirty tricks within
> the system software. The proper cure is to make a full backup, then
> wipe the hard drive, then re-install the operating system from source
> media that the hackers couldn't possibly have affected, then restore
> ONLY non-executable files.)