step 1: Change the root password step 2: Remove all those "holy" services step 3: Install SSH step 4: Firewall the machine so that it only accepts SMTP traffic from the outside world and SSH traffic from a couple of specific addresses step 5: Use a tool like tripwire to make a snapshot, wait a week, rerun it again and see if anything changes. just some ideas... Tim. -----Original Message----- From: Marc Hughes [mailto:hughesm@tomsnyder.com] Sent: Friday, October 05, 2001 1:08 PM To: wlug@wlug.org Subject: [Wlug] Vunerable Machine Picture This: You're sitting at your desk on a warm friday morning. You get a call from the webmaster about a linux box, so you head over to help him out. The webmaster is a bright guy, but a microsoft guy. Very little linux experience at all, in fact the box was set up for him by someone no longer in the company. After figuring out what this box does (acts as a sendmail SMTP & pop3 server for bulk newletters... [not spam] ) you realize it has easily guessable passwords, is outside the firewall, and is running at least one vunerable service (an old POP2 daemon) and some questionable services (sun RPC and appletalk). To top it all off... this box is an old powerPC... My question: What should I do to make sure it hasn't been already cracked? Other Problems: I don't have to time to do a reinstall and set it up correctly anytime soon (maybe in a week I could). It needs to continue working like it has for at least another week (we just sent out a newsletter, and it processes remove requests that trickle in) To free up disk space, the logs were regularly deleted... no current logs exist. It's not my box, so I need to be sensitive of the office politics so no one says something like, "Well, since we can't secure linux, NO MORE LINUX" -Marc _______________________________________________ Wlug mailing list Wlug@mail.wlug.org http://mail.wlug.org/mailman/listinfo/wlug