[K12OSN] Help - possible hacking of our NFS/NIS LTSP server

David Trask dtrask at vcs.u52.k12.me.us
Wed Mar 23 15:28:44 UTC 2005


"Support list for opensource software in schools." <k12osn at redhat.com> on
Tuesday, March 22, 2005 at 5:58 PM +0000 wrote:
>Well, it looks like someone compromised our NFS/NIS server.
>
>Someone has reported to UNET that our server was trying this ssh login
>brute force attack.  What is odd is that the report was on March 19 and the
>UNET folks looked today and didn't see anything.
>
>What can I do to look for this script or hack?  How do I make sure it
>doesn't happen?  If it happens again, they filter out that server, and our
>entire LTSP system relies on that machine.
>
>I did find a test account logged in under odd circumstances, so I killed
>the processes and deleted the test account.  But I worry about what damage
>may be done.
>
>thanks for any advice
>Shane

Shane....where's your firewall in all this?  I sincerely hope that you
don't have your LTSP server connected directly to the internet.  Just to
let you know what I do....I have an SME server as my
gateway/filter/firewall.  (www.contribs.org)  (IPCop is also a good one) 
Then...everything else is behind that.  This makes me much less vulnerable
to attack.  SME server uses a template approach to modifying files....for
example....on a typical RedHat box (Fedora)...I can edit smb.conf....then
restart samba and the changes are there.  In SME I cannot do that....if I
edit smb.conf....the changes won't stick....they only stick if I edit the
proper template fragment and expand it.  It's very hard to do any
permanent damage.  Not only that, I have installed rkhunter, which keeps a
lookout for "root kits".  I access my other boxes that are behind the SME
firewall using port-forwarding....if I use a non-standard port and forward
accordingly to another machine on the inside...for the most part a port
scanner simply gets lost, or the port is at least very difficult to find.  Not only
that....the hackers can attack the firewall, but may find it next to
impossible to attack anything behind it.

David N. Trask
Technology Teacher/Coordinator
Vassalboro Community School
dtrask at vcs.u52.k12.me.us
(207)923-3100
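
Added example, not part of either message above: one way to look through sshd logs (/var/log/secure on Red Hat-family systems) for a login like the test-account session Shane describes, by flagging accepted logins from outside the LAN that follow repeated failures from the same address. The sample log lines, the 192.168.0.0/24 LAN range, the threshold and the function names are assumptions made for illustration.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample in OpenSSH syslog format; hosts, users and addresses are made up.
SAMPLE_LOG = """\
Mar 19 02:11:01 ltsp sshd[4101]: Failed password for invalid user admin from 203.0.113.7 port 40112 ssh2
Mar 19 02:11:03 ltsp sshd[4103]: Failed password for root from 203.0.113.7 port 40115 ssh2
Mar 19 02:11:05 ltsp sshd[4105]: Failed password for test from 203.0.113.7 port 40118 ssh2
Mar 19 02:11:07 ltsp sshd[4107]: Accepted password for test from 203.0.113.7 port 40121 ssh2
Mar 19 08:02:10 ltsp sshd[4310]: Failed password for teacher from 192.168.0.31 port 51500 ssh2
Mar 19 08:02:15 ltsp sshd[4312]: Accepted password for teacher from 192.168.0.31 port 51502 ssh2
Mar 19 09:40:00 ltsp sshd[4400]: Accepted publickey for staff from 198.51.100.4 port 60022 ssh2
"""

# Older OpenSSH releases log "illegal user", newer ones "invalid user".
FAILED = re.compile(r"sshd\[\d+\]: Failed password for (?:(?:invalid|illegal) user )?(\S+) from (\S+) port")
ACCEPTED = re.compile(r"sshd\[\d+\]: Accepted \S+ for (\S+) from (\S+) port")


def is_trusted(source, trusted_net):
    """True if source is an IP address inside the trusted (LAN) network."""
    try:
        return ipaddress.ip_address(source) in ipaddress.ip_network(trusted_net)
    except ValueError:  # hostname or garbage in the log: treat as untrusted
        return False


def suspicious_logins(log_text, trusted_net="192.168.0.0/24", threshold=3):
    """Return (user, source, prior_failures) for each accepted login from an
    untrusted source that had already failed at least `threshold` times."""
    failures = Counter()
    findings = []
    for line in log_text.splitlines():
        failed = FAILED.search(line)
        if failed:
            failures[failed.group(2)] += 1
            continue
        accepted = ACCEPTED.search(line)
        if accepted:
            user, source = accepted.groups()
            if not is_trusted(source, trusted_net) and failures[source] >= threshold:
                findings.append((user, source, failures[source]))
    return findings


if __name__ == "__main__":
    for user, source, count in suspicious_logins(SAMPLE_LOG):
        print(f"{user} logged in from {source} after {count} failed attempts")
```

Logs on a machine that may have been compromised can have been edited, so a clean result here does not rule out an intrusion.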



