Subject: Re: NetBSD-3.1 was attacked: Bug of SSHD or cyrus-sasl?
To: Andreas Hallmann <firstname.lastname@example.org>
From: Thilo Jeremias <email@example.com>
Date: 01/17/2007 22:22:57
Andreas Hallmann wrote:
> Once in this situation I put my compromised machine in an isolated
> subnet, firewalled to only allow the functionality it was set up for.
> If you are under pressure, this is a way to save time without feeling
> too uncomfortable. But this requires no data of a private nature on
> this machine.
> Hmm, cyrus account you said? OK, I think a mail server contains private
> data. Moreover it's likely someone used a password there that is used
> elsewhere. I would alert my users and force them to change passwords.
> You can secure things by putting it into a subnet to which no WAN
> access is allowed.
> Since this box might be compromised, it should be isolated in a
> separate network.
> No sniffing can get something useful and any other attempt will bang
> against a firewall.
> You can set up a mail server, feeding it with LMTP. Moreover this is
> your outgoing MTA.
> Now you can restrict this network to accept incoming LMTP transports and
> answer incoming IMAP requests. You can disallow traffic started from
> your imap server. So this machine can't do any harm any more.
> But still HE had some time to do something nasty, like fishing for
> passwords. And therefore keep an eye on all of your machines.
> For your enjoyment: If you like to know him better ... put him in a
> chroot-jail and watch him trying.
I always wanted to put him into an eliza(doctor)-like shell (instead of
an ssh login) and watch 'em answering silly questions :-)
-- never got around to doing so though.
> A shell logging each command can be informative.
> cheers AHA
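The quarantine policy Andreas describes (incoming LMTP and IMAP to the Cyrus box only, nothing initiated by the box itself) as a pf ruleset. This is an added example, not configuration from the thread or from NetBSD/Cyrus. It assumes pf, which NetBSD 3.1 ships (ipfilter would express the same policy), running on a separate gateway host that fronts the isolated subnet; the rules must not live on the compromised machine, since its own packet filter can no longer be trusted. Interface names and the 192.0.2.x / 198.51.100.x addresses are placeholders from the RFC 5737 documentation ranges.

```pf
# /etc/pf.conf on the gateway in front of the quarantine subnet (added example,
# all names and addresses are assumptions, not values from the thread)

ext_if   = "wm0"               # LAN / upstream side of the gateway
quar_if  = "wm1"               # leg attached to the isolated subnet
quar_net = "192.0.2.0/29"      # the quarantine subnet
imap_srv = "192.0.2.2"         # the compromised Cyrus host
mta      = "198.51.100.10"     # the clean MTA that feeds Cyrus over LMTP
lan_net  = "198.51.100.0/24"   # where the IMAP clients sit
lmtp_port = "2003"             # Cyrus lmtpd default TCP port (verify in cyrus.conf)

set block-policy drop          # silently drop; don't help the intruder map the filter
set skip on lo0

# Default deny, logged: everything not explicitly allowed below hits pflog0.
block log all

# The upstream leg is policed elsewhere; only the quarantine leg is restrictive.
pass quick on $ext_if

# 1. The trusted MTA may deliver mail into Cyrus over LMTP.
pass out quick on $quar_if proto tcp from $mta to $imap_srv port $lmtp_port \
    flags S/SA keep state

# 2. Internal clients may open IMAP/IMAPS sessions to the Cyrus host.
pass out quick on $quar_if proto tcp from $lan_net to $imap_srv port { 143, 993 } \
    flags S/SA keep state

# 3. Nothing initiated by the quarantined host leaves the subnet: no DNS,
#    no outbound SMTP, no reverse shells, no scanning of the LAN. Replies to
#    the sessions above still flow because pf matches the state table before
#    it evaluates this rule.
block in log quick on $quar_if from $quar_net to any
```

Check the syntax without loading it (`pfctl -nf /etc/pf.conf`), then load with `pfctl -ef /etc/pf.conf`. Because every rule carries `quick`, the first match wins and the order is exactly as read. Watching `tcpdump -n -e -ttt -i pflog0` while the box is isolated shows every connection the compromised host tries to open, which is the "keep an eye on it" part of the advice in the thread; outbound attempts from the Cyrus host to hosts other than its legitimate peers are the signal to look for.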