[Techtalk] Re: Server was hacked into; looking for tips on how to secure it

Raven Alder raven at oneeyedcrow.net
Wed Mar 5 14:25:24 EST 2003


Heya --

Quoth jennyw (Mon, Mar 03, 2003 at 02:56:09PM -0800):
> Me, too. Finally got my mail server up at least!  Having e-mail queue
> up at an ISP's mailbox is not so much fun when one gets 1000+ messages
> a day from mailing lists, but now mail has been restored to the new
> server and procmail is churning away.

	A thousand messages a day?  I thought I was bad -- I get maybe
200 on an average day.  Lots more when Something Bad happens to the
Internet.
 
> > Out of curiosity, are you running stable, unstable, testing, or
> > what?
> 
> Interesting. I'm using Debian stable and get the security updates
> regularly. I guess they might have let this one slip? Or not -- it's
> hard to tell without bringing the box back up (still waiting for the
> others involved in this to tell me whether they want the disk drive as
> evidence for a court case; did I mention the whole story earlier?).

	My Debian boxes run unstable for this very reason -- there are
times when the version of a package available in the stable tree is one
that I know doesn't have the new feature that I desperately need, or has
a security hole that I know has been patched in a newer version of the
same package.  I'm not sure exactly how the Debian maintainers determine
what goes in what branch where, but I find that unstable suits what I
want to do better.  (And I haven't had any horrible system stability
problems yet... and now that I've said that I have probably cursed
myself to incredible bouncing daemons and such...)

	Any other debianites out there care to share your reasons for
choosing a given branch for your systems?  I'm curious now as to what
other people run and why.
 
> Yep, I know. I thought apt-get dist-upgrade would work for that, but
> now I'll be more vigilant. Of course, I'll feel even more vulnerable
> if it turns out that I did have the latest patches -- it's a lot nicer
> when you know how they did whatever they did.

	The joy of 0-day exploits.  Yeah. 
 
> By the way, even if I chroot the server, if it was compromised, could
> it still send spam through 127.0.0.1?  Is there a way to control this
> through a firewall or postfix?

	The server would likely still accept mail on the loopback
interface -- local agents send mail that way and all.  Controlling where
it sends mail is probably more complex, though.  If it can send mail to
people you want to mail, it can mail people you don't want to mail also.
I'm sure there is some way to control who and what it mails, though.
Perhaps people who are more mail-server-guru than me have ideas for
appropriate filtering mechanisms?

Cheers,
Raven
 
"One more day of work and you should be ready for testing here."
"Uh.  Testing.  Right.  Of course."
  -- nervous-making conversation from consulting
_______________________________________________
Techtalk mailing list
Techtalk at linuxchix.org
http://mailman.linuxchix.org/mailman/listinfo/techtalk
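An added illustration of the two Postfix controls behind the loopback question above (this is example code written for this archive page, not code from the thread or from the Postfix project). A process on the box can hand mail to Postfix two ways: by connecting to smtpd on 127.0.0.1:25, which is governed by `smtpd_recipient_restrictions` and `mynetworks`, or by running sendmail(1)/postdrop, which never touches smtpd and is governed by `authorized_submit_users`. The parameter names are real Postfix settings; the two main.cf samples are constructed, and `audit_relay_controls` is a hypothetical lint, not a Postfix tool.

```python
"""Audit a Postfix main.cf for who may inject or relay mail via the local MTA.

Added example; the configs below are constructed, not taken from any real host.
"""
import re

# Constructed sample: a typical default where anything on the box can relay,
# because permit_mynetworks fires before reject_unauth_destination and
# mynetworks trusts a whole LAN besides loopback.
WEAK_MAIN_CF = """\
myhostname = mail.example.org
inet_interfaces = all
mynetworks = 127.0.0.0/8, 192.168.0.0/16
smtpd_recipient_restrictions = permit_mynetworks,
    reject_unauth_destination
"""

# Constructed sample: loopback clients get no relay privilege beyond the
# host's own domains, and only named accounts may use sendmail(1)/postdrop.
HARDENED_MAIN_CF = """\
myhostname = mail.example.org
inet_interfaces = all
mynetworks = 127.0.0.1/32
authorized_submit_users = root, jenny
smtpd_recipient_restrictions = reject_unauth_destination,
    permit_mynetworks
"""


def parse_main_cf(text):
    """Parse main.cf syntax: 'name = value', continuation lines that begin
    with whitespace, and '#' comment lines. Returns {name: value}."""
    params = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t":              # continuation of the previous value
            if current is not None:
                params[current] += " " + raw.strip()
            continue
        name, sep, value = raw.partition("=")
        if not sep:
            continue                     # not a parameter line
        current = name.strip()
        params[current] = value.strip()
    return params


def split_list(value):
    """Postfix list values are separated by commas and/or whitespace."""
    return [item for item in re.split(r"[,\s]+", value) if item]


def audit_relay_controls(params):
    """Return a set of finding codes; an empty set means every check passed."""
    findings = set()

    # 1. The 127.0.0.1:25 path: who may relay through smtpd?
    restrictions = split_list(params.get("smtpd_recipient_restrictions", ""))
    if "reject_unauth_destination" not in restrictions:
        findings.add("no_reject_unauth_destination")
    elif "permit_mynetworks" in restrictions and (
        restrictions.index("permit_mynetworks")
        < restrictions.index("reject_unauth_destination")
    ):
        # permit_mynetworks is evaluated first, so any client inside
        # mynetworks, loopback included, may relay to arbitrary destinations.
        findings.add("mynetworks_may_relay")

    # 2. Which client networks are trusted at all?
    nets = split_list(params.get("mynetworks", ""))
    if not nets:
        # Unset means Postfix computes it from mynetworks_style, whose
        # default differs between versions; make it explicit instead.
        findings.add("mynetworks_unset")
    elif any(not (n.startswith("127.") or n.startswith("[::1]")) for n in nets):
        findings.add("non_loopback_mynetworks")

    # 3. The sendmail(1)/postdrop path, which bypasses smtpd entirely.
    if "authorized_submit_users" not in params:
        findings.add("any_local_user_may_submit")

    return findings


def audit_text(text):
    """Convenience wrapper: parse and audit a main.cf given as a string."""
    return audit_relay_controls(parse_main_cf(text))


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_MAIN_CF), ("hardened", HARDENED_MAIN_CF)):
        print(label, sorted(audit_text(cfg)) or "no findings")
```

Tightening main.cf only limits what Postfix will accept; a compromised process can still open its own outbound connections to port 25. The host firewall closes that gap: with iptables, an OUTPUT rule using the `owner` match (`-m owner --uid-owner postfix`) can permit port 25 only for the Postfix user and drop it for everyone else, so that every outbound message has to pass through the controls audited above.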


