RE: [Nolug] SSH Key Question

From: Dustin Puryear <dpuryear_at_usa.net>
Date: Thu, 28 Aug 2003 11:44:55 -0500
Message-Id: <5.2.1.1.0.20030828114251.02a9ce68@pop.netaddress.com>

Here is what I do.

1. Install new system.
2. Bring up firewall completely.
3. Plug into network.
4. Run up2date.
5. Bring down and uninstall all unnecessary applications and services.
6. Set up log checking.
7. Set up AIDE or Tripwire.
8. Reduce firewall level to what is needed.

You are done.

At 11:35 AM 8/28/2003 -0500, you wrote:

>It's up to date with the latest from RH.
>I think the plan is build another box and migrate the functions to the new
>box. Before I connect it to the network I'll have TW or something else
>running so I can watch it a little more closely this time. It's just a lot
>of work I didn't want to do right now. Maybe next week :)
>
>-----Original Message-----
>From: Scott Harney [mailto:scotth@scottharney.com]
>Sent: Thursday, August 28, 2003 11:12 AM
>To: nolug@joeykelly.net
>Subject: Re: [Nolug] SSH Key Question
>
>"Wimprine, Thomas" <twimprine@stei.com> writes:
>
>oh. and tw won't do you any good if you're already hacked. Don't trust
>chkrootkit. check your sendmail version and redhat's security alerts
>and make sure you haven't been running any known exposed vulnerabilities.
>
>
> > This is the only 'suspicious' thing it found. A lot looks like what I just
> > installed for graphdefang.
> >
> > I think I'm going to spend the rest of the day installing and configuring
> > tripwire. FUN FUN FUN!!!
> >
> >
> > Searching for suspicious files and dirs, it may take a while...
> > /usr/lib/perl5/5.8.0/i386-linux-thread-multi/.packlist
> > /usr/lib/perl5/5.8.0/i386-linux-thread-multi/auto/Digest/MD5/.packlist
> > /usr/lib/perl5/5.8.0/i386-linux-thread-multi/auto/File/Spec/.packlist
> > /usr/lib/perl5/5.8.0/i386-linux-thread-multi/auto/Storable/.packlist
> > /usr/lib/perl5/5.8.0/i386-linux-thread-multi/auto/Time/HiRes/.packlist
> > /usr/lib/perl5/5.8.0/i386-linux-thread-multi/auto/CPAN/.packlist
> > /usr/lib/perl5/5.8.0/i386-linux-thread-multi/auto/Net/.packlist
> > /usr/lib/perl5/5.8.0/i386-linux-thread-multi/auto/DB_File/.packlist
> > /usr/lib/perl5/site_perl/5.8.0/i386-linux-thread-multi/auto/IO-stringy/.packlist
> > /usr/lib/perl5/site_perl/5.8.0/i386-linux-thread-multi/auto/MIME/Base64/.packlist
> > /usr/lib/perl5/site_perl/5.8.0/i386-linux-thread-multi/auto/MIME/Lite/.packlist
> > /usr/lib/perl5/site_perl/5.8.0/i386-linux-thread-multi/auto/Mail/.packlist
> > /usr/lib/perl5/site_perl/5.8.0/i386-linux-thread-multi/auto/Mail/Audit/.packlist
> > /usr/lib/perl5/site_perl/5.8.0/i386-linux-thread-multi/auto/Mail/SpamAssassin/.packlist
> > /usr/lib/perl5/site_perl/5.8.0/i386-linux-thread-multi/auto/MIME-tools/.packlist
> > /usr/lib/perl5/site_perl/5.8.0/i386-linux-thread-multi/auto/Digest/SHA1/.packlist
> > /usr/lib/perl5/site_perl/5.8.0/i386-linux-thread-multi/auto/Net/.packlist
> > /usr/lib/perl5/site_perl/5.8.0/i386-linux-thread-multi/auto/Net/Telnet/.packlist
> > /usr/lib/perl5/site_perl/5.8.0/i386-linux-thread-multi/auto/HTML/Tagset/.packlist
> > /usr/lib/perl5/site_perl/5.8.0/i386-linux-thread-multi/auto/HTML/Parser/.packlist
> > /usr/lib/perl5/site_perl/5.8.0/i386-linux-thread-multi/auto/razor-agents-sdk/.packlist
> > /usr/lib/perl5/site_perl/5.8.0/i386-linux-thread-multi/auto/razor-agents/.packlist
> > /usr/lib/perl5/site_perl/5.8.0/i386-linux-thread-multi/auto/Archive/Tar/.packlist
> > /usr/lib/perl5/site_perl/5.8.0/i386-linux-thread-multi/auto/Term/ReadKey/.packlist
> > /usr/lib/perl5/site_perl/5.8.0/i386-linux-thread-multi/auto/Term/ReadLine/.packlist
> > /usr/lib/perl5/site_perl/5.8.0/i386-linux-thread-multi/auto/Unix/Syslog/.packlist
> > /usr/lib/perl5/site_perl/5.8.0/i386-linux-thread-multi/auto/File/ReadBackwards/.packlist
> > /usr/lib/perl5/site_perl/5.8.0/i386-linux-thread-multi/auto/CPAN/WAIT/.packlist
> > /usr/lib/perl5/site_perl/5.8.0/i386-linux-thread-multi/auto/TimeDate/.packlist
> > /usr/lib/perl5/site_perl/5.8.0/i386-linux-thread-multi/auto/MLDBM/.packlist
> > /usr/lib/perl5/site_perl/5.8.0/i386-linux-thread-multi/auto/GD/.packlist
> > /usr/lib/perl5/site_perl/5.8.0/i386-linux-thread-multi/auto/GD/Text/.packlist
> > /usr/lib/perl5/site_perl/5.8.0/i386-linux-thread-multi/auto/GD/Graph/.packlist
> > /usr/lib/qt-3.0.5/etc/settings/.qtrc.lock
> > /usr/lib/qt-3.0.5/etc/settings/.qt_plugins_3.0rc.lock
> > /usr/lib/qt-3.0.5/etc/settings/.kstylerc.lock
> > /usr/lib/openoffice/share/gnome/net/.directory
> > /usr/lib/openoffice/share/gnome/net/.order
> > /usr/lib/openoffice/share/kde/net/applnk/OpenOffice.org/.directory
> > /usr/lib/openoffice/share/kde/net/applnk/OpenOffice.org/.order
> >
> > -----Original Message-----
> > From: Wimprine, Thomas [mailto:twimprine@stei.com]
> > Sent: Thursday, August 28, 2003 10:20 AM
> > To: 'nolug@joeykelly.net'
> > Subject: RE: [Nolug] SSH Key Question
> >
> > Sendmail with mimedefang, spamassassin, and AV. Then it relays it to my
> > exchange box.
> >
> > I'm downloading the kit right now
> >
> > -----Original Message-----
> > From: Scott Harney [mailto:scotth@scottharney.com]
> > Sent: Thursday, August 28, 2003 10:16 AM
> > To: nolug@joeykelly.net
> > Subject: Re: [Nolug] SSH Key Question
> >
> > "Wimprine, Thomas" <twimprine@stei.com> writes:
> >
> >> Both systems are at work and the one I'm trying to get to is my email
> >> gateway. It's a RH8 box but I haven't performed any updates recently. It's
> >> behind the corp firewall and the only thing open to the outside is port 25.
> >> The system I'm sshing (is that really a verb?) from is a W2K box running
> >> putty.
> >> It's the system key also not my user keys. I'm getting the message before I
> >> login to the system.
> >
> > hmm. you might want to try chkrootkit as joey recommended. What smtp
> > software version are you running on port 25?
> >
> >
> > --
> > Scott Harney<scotth@scottharney.com>
> > "...and one script to rule them all."
> > gpg key fingerprint=7125 0BD3 8EC4 08D7 321D CEE9 F024 7DA6 0BC7 94E5
> > ___________________
> > Nolug mailing list
> > nolug@nolug.org
> >
>
>--
>Scott Harney<scotth@scottharney.com>
>"...and one script to rule them all."
>gpg key fingerprint=7125 0BD3 8EC4 08D7 321D CEE9 F024 7DA6 0BC7 94E5

---
Dustin Puryear <dustin@puryear-it.com>
Puryear Information Technology, LLC <http://www.puryear-it.com>
Providing expertise in the management, integration, and
security of Windows and UNIX systems, networks, and applications.
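Step 7 of the checklist in practice, as an added example that is not code from the thread or from AIDE/Tripwire: a small shell stand-in that takes a hash baseline while the box is still offline (before step 3, which is why Scott's point that Tripwire is no use on an already-hacked box matters) and later reports what was added, removed or changed. The function names are hypothetical and the file tree built in fim_demo is constructed for the demo.

```shell
# Added example, not from the thread: a minimal stand-in for step 7
# (AIDE/Tripwire). Baseline the tree while the box is still offline and
# re-check once it is on the network. Function names are hypothetical.

# fim_snapshot DIR: one "sha256  path" line per regular file, sorted so
# that two snapshots of the same tree compare line for line.
fim_snapshot() {
    find "$1" -type f | LC_ALL=C sort | while IFS= read -r f; do
        sha256sum "$f"
    done
}

# fim_baseline DIR DB: save the trusted snapshot. Keep DB off-box or on
# read-only media; a baseline an intruder can rewrite proves nothing.
fim_baseline() {
    fim_snapshot "$1" > "$2"
}

# fim_check DIR DB: compare the live tree against DB. Prints one
# ADDED/REMOVED/CHANGED line per difference; returns 1 if any, else 0.
fim_check() {
    cur=$(mktemp)
    fim_snapshot "$1" > "$cur"
    awk 'NR == FNR { base[$2] = $1; next }                 # 1st file: baseline
         !($2 in base) { print "ADDED   " $2; n++; next }  # only in live tree
         { seen[$2] = 1; if (base[$2] != $1) { print "CHANGED " $2; n++ } }
         END { for (p in base) if (!(p in seen)) { print "REMOVED " p; n++ }
               exit (n > 0) }' "$2" "$cur" && rc=0 || rc=1
    rm -f "$cur"
    return $rc
}

# fim_demo: constructed tree in a temp dir; baseline it, then simulate
# the kinds of change a later check should surface and print the report.
fim_demo() {
    d=$(mktemp -d); mkdir -p "$d/bin" "$d/etc"
    printf 'ls binary v1\n' > "$d/bin/ls"
    printf 'root:x:0:0\n' > "$d/etc/passwd"
    printf 'PermitRootLogin no\n' > "$d/etc/sshd_config"
    fim_baseline "$d" "$d.db"
    printf 'ls binary v2\n' > "$d/bin/ls"        # replaced system binary
    printf 'extra:x:0:0\n' >> "$d/etc/passwd"    # unexpected uid-0 account
    printf 'x\n' > "$d/bin/.hidden"              # new dotfile (cf. chkrootkit)
    rm "$d/etc/sshd_config"                      # deleted config
    fim_check "$d" "$d.db" || true
    rm -rf "$d" "$d.db"
}
```

Run `fim_demo` to see the four-line report; on a real box, take the baseline of /bin, /sbin, /usr and /etc right after step 2 and re-run fim_check from cron once the system is live.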
Received on 08/28/03

This archive was generated by hypermail 2.2.0 : 12/19/08 EST