TCLUG Archive

bad day (summary)



Hi everyone,

First off, thanks to everyone who offered suggestions yesterday. I
appreciate the effort and good ideas. Luckily, it was our end-of-quarter
day so there weren't any students in the building, and I could give the
issue nearly my full attention. Unfortunately, it was also the day I had
been planning to finish all of my grading. That didn't get done, which will
make for a couple of late nights at home.

As far as the server goes, it's still down. I haven't touched it because I
wanted to see if we had a spare HD around that I could use to bring it
back online and keep the "violated" one around for potential evidence. We
don't have any spares so I'll probably just reformat completely and start
over. A concentrated effort to figure out who cracked the box probably
isn't the most productive use of my time right now anyway.

As far as redesigning my LAN goes, I've decided to move the http and ftp
to a box outside the firewall as was suggested. I already have a Linux box
out there doing the Web page for the school district so I would merely
have it do my science dept. page as well. No big deal. I probably would
have done that from the beginning, but the Linux box outside the
firewall wasn't around when I put my network together originally.

I'll keep all file serving, NFS, DHCP, etc. on the inside of the firewall
blocked off from outside traffic. We're going to block all access to the
machine except for port 22 so I can ssh in and restrict access to everyone
except my ISP's class C. That should tighten it up considerably.

I was running a couple listservs on my internal server before it was
compromised. Would it be possible (or wise) to do that again (with
whatever modifications to the firewall that would be necessary) or should
I run them from the external box? I'll probably switch to postfix for my
MTA, but that won't affect Mailman (my listserv software).

If it's OK to run the listservs from inside, does anyone have any hints on
making sure it's secure?

All in all, I'd have to say that it was a valuable learning experience.
The fact that I have a pretty recent backup means that my colleagues and I
lost very little data. I do need to implement a more regular incremental
and full system backup regimen.

If we are going to do a security-focused TCLUG meeting, I'd be happy to do
a more thorough summary of my experiences for the benefit of other
inexperienced admins out there.

Later,
Tim

--
Tim Wilson        | Visit Sibley online:         | Check out:
Henry Sibley H.S. | http://www.isd197.k12.mn.us/ | http://www.zope.org/
W. St. Paul, MN   |                              | http://slashdot.org/
wilson@visi.com   |   <dtml-var pithy_quote>     | http://linux.com/
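The inbound policy Tim describes for the internal server (drop everything, allow only ssh on port 22, and only from the ISP's own class C) is easy to get subtly wrong, so here is an added example of that ruleset as a short script. This is not Tim's configuration or anything from the TCLUG thread: it assumes the firewall is iptables (the post never names the tool), and TRUSTED_NET is a placeholder network (TEST-NET-1, 192.0.2.0/24), since the real ISP range is not on the page. The script prints the rules by default so they can be reviewed before being applied with `apply`.

```shell
#!/bin/sh
# Added example, not from the original post. Minimal iptables INPUT policy
# matching the plan in the message: default-deny inbound, loopback and
# established return traffic allowed, new SSH sessions accepted only from
# one trusted /24, and rejected SSH attempts logged so they can be reviewed.
# TRUSTED_NET is a placeholder; substitute the ISP's actual class C.
TRUSTED_NET="${TRUSTED_NET:-192.0.2.0/24}"   # placeholder (TEST-NET-1), assumption

# gen_rules prints the iptables commands instead of running them, so the
# policy can be read (or diffed against the live one) before it is applied.
gen_rules() {
    cat <<EOF
iptables -F INPUT
iptables -P INPUT DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp -s $TRUSTED_NET --dport 22 -m state --state NEW -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j LOG --log-prefix "ssh-denied: "
EOF
}

# Number of ACCEPT rules in the generated policy; anything beyond the three
# above (loopback, established, trusted SSH) means the policy has drifted.
accept_count() {
    gen_rules | grep -c -- '-j ACCEPT'
}

# apply_rules feeds the generated commands to the shell (needs root).
apply_rules() {
    gen_rules | sh
}

case "${1:-}" in
    apply) apply_rules ;;
    *)     gen_rules ;;
esac
```

Order matters here: the ESTABLISHED,RELATED rule comes before the SSH rule so that return traffic for connections the server itself opened (its own outbound fetches, NFS replies from inside the LAN once those are added) is not caught by the DROP policy. If the listservs stay on the inside, the one additional hole this policy would need is inbound SMTP (25/tcp) from anywhere, which is exactly the exposure Tim is weighing against moving them to the external box.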