[NCLUG] Securing ftpd

dobbster dobbster at dobbster.com
Tue Mar 20 13:39:23 MST 2001


> There /are/ Windows ports of SSH/SCP but they are usually console-only
> apps.  Windows users typically shudder at the thought of trying to find
> a file and send it using a command prompt.
> If your users are enlightened, you might look into PuTTY, or Cygwin.  I
> believe they both provide SCP.  If not, you can always shell out the
> money to F-Secure...
> I think you can find suggestions at http://www.openssh.com/windows.html

I figured there might be things like that out there.  I know my users
won't like them, but they may have to deal with them...
 
> > Second: My security logs show the same hacker trying to get into two
> > different machines on completely different networks.  The only thing
> > relating these two machines is a nightly rsync using ssh.  How would the
> > hacker know about this?
> 
> (mdwyer's ears perk up) Really? Cool!
> 
> To answer the question, the hacker could be upstream of you, and
> watching your SSH packets go by.  The hacker could already be on
> your system, and checked the crontabs to see that rsync runs nightly.
> Lastly, the hacker could have used an automated scan that happened
> across both of them, and he isn't actually aware of the connection
> between the two.
> 
> What do your security logs show?  What kind of attack is this?

I dread the thought that they're already in.  I've tried to be careful,
but...

Both systems are technically within FRII.  One is colocated at their
office and the other is in my basement, connected to my DSL network.
They both start with 216.17., although this is class C and the subnet
mask is 255.255.255.248.  Would this make a difference?  Comparing the
logs of both systems, I see that a lot of people who "visit" one machine
tend to "visit" the other.

They try the usual stuff - hitting ports 111, 143 and 1080 (which are all
closed), telnet (closed) and FTP (open, but with anon ftp disabled).  I
run portsentry on all of my machines, which seems to help a lot - it
automatically adds systems to hosts.deny.  inetd.conf is pretty much
clean, except for ftp.

I admit, I still run sendmail.  I've never learned much about postfix.

Usually an individual makes a pass at my systems and then moves on, but
recently this one individual has stuck around.  They've tried everything
that I can think of to get in.

For that matter, (I know this has been discussed before) is there an
obvious way to tell if they have succeeded?  'ls' and other commands
still seem intact.

Thanks,

Mark (dobbster at dobbster.com)
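The question above about telling whether an intruder has succeeded when 'ls' and the other commands "still seem intact" is usually answered with an integrity baseline: hash the binaries you care about while the system is known-good, keep the hashes offline (a trojaned system can rewrite a baseline stored locally), and compare later. The following is an added example, not code from the original post; it uses a constructed temporary directory with fake "binaries" in place of /bin so it runs anywhere, and the helper names are my own.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path):
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(paths):
    """Trusted snapshot: map each file path to its SHA-256 digest.
    In real use this dict is written to read-only/offline media."""
    return {str(p): sha256_file(p) for p in paths}


def compare_baseline(baseline, paths):
    """Report which watched files changed, vanished or appeared."""
    current = {str(p): sha256_file(p) for p in paths if Path(p).is_file()}
    changed = sorted(p for p in baseline if p in current and current[p] != baseline[p])
    missing = sorted(p for p in baseline if p not in current)
    new = sorted(p for p in current if p not in baseline)
    return {"changed": changed, "missing": missing, "new": new}


def demo():
    """Constructed scenario: three fake binaries, baseline them, then
    simulate a replaced ls, a deleted netstat and a dropped-in extra file."""
    with tempfile.TemporaryDirectory() as d:
        bindir = Path(d)
        names = ("ls", "ps", "netstat")
        for name in names:
            (bindir / name).write_bytes(b"original " + name.encode())
        baseline = build_baseline([bindir / n for n in names])

        (bindir / "ls").write_bytes(b"replaced ls")   # changed content
        (bindir / "netstat").unlink()                  # removed
        (bindir / "extra").write_bytes(b"new file")    # unexpected addition

        report = compare_baseline(baseline, sorted(bindir.iterdir()))
        # strip the temp-dir prefix so the result is stable
        return {k: [Path(p).name for p in v] for k, v in report.items()}


if __name__ == "__main__":
    print(demo())
```

Hash comparison only catches files that differ from the snapshot; a kernel-level rootkit that lies to read() is outside what this check can see, which is why the baseline and the comparison tool are best run from trusted media.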
