Server hacked, Desperate for help with FC6
David Kramer
david at thekramers.net
Sat Nov 25 15:24:10 EST 2006
Ron Senykoff wrote:
>> - First and foremost, I have my server set up in the standard
>> dual-nic setup with one going to the DSL modem and the other one going
>> to my intranet. YaST knew how to do this, and it was very easy to set
>> up. The firewall tool under FC6 has just a few options, and no
>> concept of zones. How do I set that up so I can masquerade NAT to eth1?
>
> Is this a server or a firewall? Since it is connected directly to your
> cable modem... you really need a true stateful firewall in front of it
> or you're most likely going to get hacked again. I would never
> recommend a server be doing this dual purpose kind of functionality.
> Instead, I would recommend something like smoothwall (on an old PC) in
> front of it, which would allow you to create a DMZ and LAN, then put
> the server in the DMZ (which will still be accessible from the LAN).

For heat, noise, and power reasons, I can't justify running more than
one computer 24/7. Nor would it have mattered for this attack, since it
was on a web application running on a standard port.

I do have a WRT54G which I use for wireless, and toyed with the idea of
putting that in front of my server as a first line of defense, but I
don't know that I trust the Linksys more than I trust iptables. And the
ONLY kind of attack it's any good at protecting against is if you have
an open port with a service listening to it that you don't know about.
It can never prevent an attack on your server that exploits software
listening to a port you have intentionally open.

This is my second hack-in in about 7-8 years, which ain't too bad for a
non-SysAdmin (though I play one at work on occasion). Both attacks were
on exploits of software. The first one was when I set up my very first
internet-facing server, and had no idea what I was doing. I was hacked
into after only five weeks. Then I learned how to do it right, and had
a perfect record up to now. This hack was also my fault, because I set
up internet-facing software without fully configuring it, then abandoned
it. Not doing that will fix this kind of attack. A firewall in front
of the server can't.

Am I wrong?