Subject: Re: NetBSD-3.1 was attacked: Bug of SSHD or cyrus-sasl?
To: Andreas Hallmann <hallmann@ahatec.de>
From: Thilo Jeremias <jeremias@optushome.com.au>
List: tech-pkg
Date: 01/17/2007 22:22:57
Andreas Hallmann wrote:
> Hi,
> once in this situation I put my compromised machine in an isolated 
> subnet, firewalled to only allow the functionality it was set up for. 
> If you are under pressure, this is a way to save time without feeling 
> too much uncomfortable. But this requires no data of private nature on 
> this machine.
> Hmm, cyrus account you said? Ok, I think a mail server contains private 
> data. Moreover it's likely someone used a password there used 
> elsewhere. I would alert my users and force them to change passwords.
>
> You can secure things by putting it into a subnet for which no WAN access is 
> allowed.
> Since this box might be compromised, it should be isolated in a 
> separate network.
> No sniffing can get something useful and any other attempt will bang 
> against a firewall.
> You can set up a mail server, feeding it with LMTP. Moreover this is 
> your outgoing MTA.
>
>
> Now you can restrict this network to accept incoming LMTP transports and 
> answer incoming IMAP requests. You can disallow traffic started from 
> your imap server. So this machine can't do any harm any more.
>
> But still HE had some time to do something nasty, like fishing for 
> passwords. And therefore keep an eye on all of your machines.
>
> For your enjoyment: If you like to know him better ... put him in a 
> chroot-jail and watch him trying.
I always wanted to put him into an eliza(doctor)-like shell (instead of 
ssh-login), and watch 'em answering silly questions :-)
-- never got around to doing so though.

thilo
> A shell logging each command can be informative.
>
> cheers AHA
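The isolation Andreas describes (suspect IMAP box in its own subnet, only LMTP in from your MTA and IMAP from clients, nothing initiated by the box allowed out) can be written as a pf ruleset on the gateway in front of that subnet. This is an added example, not part of the thread and not anyone's production config; the interface names, addresses and the LMTP port 24 are assumptions chosen for illustration, and it assumes the gateway is forwarding between the two interfaces with pf's default floating states.

```pf
# Example pf.conf for a gateway isolating a suspect mail host (constructed, not from the thread)
ext_if   = "wm0"          # assumed: interface towards the rest of the network / WAN
int_if   = "wm1"          # assumed: interface facing the isolated subnet
mail_srv = "192.0.2.10"   # constructed: the possibly compromised cyrus/IMAP host
mta      = "192.0.2.2"    # constructed: your outgoing MTA that delivers to it via LMTP

set block-policy drop
set skip on lo0

# Default deny in both directions; log so you can see what the box tries.
block log all

# Nothing the suspect host initiates may leave its subnet (password fishing,
# scanning, call-backs). Logged and quick so it is never overridden below.
block in log quick on $int_if from $mail_srv to any

# Only two services are reachable on it: LMTP delivery from your MTA,
# and IMAP / IMAPS from users. keep state lets the replies back out
# without granting the host any right to open connections of its own.
pass in on $ext_if proto tcp from $mta to $mail_srv port 24 \
    flags S/SA keep state
pass in on $ext_if proto tcp from any to $mail_srv port { 143, 993 } \
    flags S/SA keep state
```

Load it with `pfctl -nf /etc/pf.conf` first to syntax-check, then `pfctl -f /etc/pf.conf`, and watch `tcpdump -n -e -ttt -i pflog0` for the blocked outbound attempts; those are exactly the "keep an eye on it" signals Andreas mentions. Note that this only constrains traffic through the gateway: users' passwords already captured on the box are unaffected, so the forced password change still applies.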