Using a Linux Firewall box to run a Webserver? (bad?)

  1. #1
    Junior Member
    Join Date
    Jun 2002
    Posts
    8

    Using a Linux Firewall box to run a Webserver? (bad?)

    I've been using a rather old computer as a Gateway/Firewall for my LAN. Currently it's running RH7.2 (formatting and installing 7.3 soon). The box is only used for Masquerading, Firewall rules (ipchains), and as a Webserver.

    I have three ports open on the box.
    1. -- Apache (not on 80)
    2. -- SSH (not on 22)
    3. -- MySQL (default port)

    My question is simply
    Is it ok to use my firewall box as my webserver?

    It's recently been compromised. (Last time I ssh'ed to it, it said the last login was from 1969, and tripwire indicated a few critical files had been modified.)

    There is no noticeable damage, and the only data on the entire box that I care about is the web site, and the config files for some of the larger apps (all are backed up).

    I have another box doing nothing, would it be safer to run a webserver off a box behind the firewall? I thought that would be pointless seeing how I'd have to open ports on that machine to the public anyway....

  2. #2
    Junior Member
    Join Date
    Jun 2002
    Posts
    8
    btw...
    I'm guessing someone broke in using some sort of exploit either dealing with PHP, SSH, APACHE, or MYSQL. Since I'm formatting and no noticeable damage was done I'm not even interested in finding out if there are any backdoors. I'm gonna format the box, slap on RH7.3 with updated versions of the apps I mentioned above...

  3. #3
    Senior Member
    Join Date
    Nov 2001
    Posts
    4,786
    Format and start over is the only thing to do.
    Bukhari:V3B48N826 “The Prophet said, ‘Isn’t the witness of a woman equal to half of that of a man?’ The women said, ‘Yes.’ He said, ‘This is because of the deficiency of a woman’s mind.’”

  4. #4
    Senior Member cwk9's Avatar
    Join Date
    Feb 2002
    Posts
    1,211
    Formatting and reinstalling is the only real way to ensure that no one put any backdoors on your system.
    It's not software piracy. I'm just making multiple off site backups.

  5. #5
    Priapistic Monk KorpDeath's Avatar
    Join Date
    Dec 2001
    Posts
    2,628
    You should use your second machine as a NAT/firewall. It does make a difference.
    Mankind have a great aversion to intellectual labor; but even supposing knowledge to be easily attainable, more people would be content to be ignorant than would take even a little trouble to acquire it.
    - Samuel Johnson

  6. #6
    Senior Member
    Join Date
    Oct 2001
    Posts
    638
    Before you format your disk, it's really worth investigating how they got in. I'm guessing they used a MySQL exploit or a dodgy CGI/PHP script to get in. What's the point of reformatting if you don't know how they got in? They can just do the same thing all over again. If you don't show that you've detected the intruder, they might come calling again, and this time you'll be prepared, won't you?
    OpenBSD - The proactively secure operating system.

  7. #7
    Junior Member
    Join Date
    Jun 2002
    Posts
    8
    smirc -- I only use linux for routing and serving purposes...
    of course I would like it to be secure, but I'm still very new to the OS...
    I installed tripwire a while back and the following files have been updated:

    "/var/log/ksyms.1"
    "/var/log/ksyms.0" -- these 2 were added

    "/var/lock/subsys/syslog"
    "/var/run/klogd.pid"
    "/etc/sysconfig/hwconf" -- these were all edited, i read through them, didn't see anything blatant

    "/etc/rc.d/rc.local" --this i edited

    "/dev/log"
    "/root"
    "/root/.mysql_history" -- /dev/log and /root/.mysql_history modified


    There is no damage done (noticeable) and ssh tells me the last user to log in was from 1969, then leaves the IP blank. (I ssh'ed, disconnected and connected again,

  8. #8
    Junior Member
    Join Date
    Jun 2002
    Posts
    8
    and when I connected again, it still left the IP blank and said it was from 1969. As I said before, I'm formatting and reinstalling RH7.3 w/ updated software.

    If anyone has any suggestions as to what the intruder might have done I'd like to hear...

  9. #9
    Junior Member
    Join Date
    Jun 2002
    Posts
    8
    Also, logwatch informs me of the IPs that make ssh connections. The only connections I see are connections I make...

  10. #10
    Senior Member
    Join Date
    Mar 2002
    Posts
    425
    "/var/log/ksyms.1"
    "/var/log/ksyms.0" -- these 2 were added
    These are the kernel symbol files. I don't really know how to use them, but they're created normally by the kernel, so I don't think there should be a problem.

    "/var/lock/subsys/syslog"
    "/var/run/klogd.pid"
    It looks like the syslog service was restarted.

    "/etc/sysconfig/hwconf" -- these were all edited, i read through them, didn't see anything blatant
    This file controls hard drive options and things like that. If you run hdparm, I think it can modify this file. I don't think there are any settings in there that would be security related though.

    "/etc/rc.d/rc.local" --this i edited
    Even though you edited this file, go ahead and look through it just in case.

    "/dev/log"
    I'm not familiar with this one. Sorry.

    "/root"
    "/root/.mysql_history" -- /dev/log and /root/.mysql_history modified
    This is probably not a problem. Tripwire flags any changes of any files in root unless they're specifically ignored. That's why you need to tweak the tripwire settings very carefully in the root directory.


    Have you recently removed wtmp or utmp files? Removing these files could cause your computer to say that the last time you logged in was in 1969. The reason is that Linux keeps track of time by calculating time since "the beginning of time," which was January 1, 1970 (don't ask). So therefore, if your wtmp and/or utmp files got deleted, then it knows that you obviously haven't logged in since 1970, so you must have last logged in in 1969.
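As an added example (not from the thread), the following Python script parses the lastlog record format that the sshd "Last login:" banner reads on Linux, shows why an all-zero record renders as 31 Dec 1969 in a US timezone, and flags zeroed records for accounts the admin knows have logged in before, which is what a wiped login record looks like. The sample file, uids and host are constructed.

```python
import struct
from datetime import datetime, timedelta, timezone

# glibc lastlog record layout: int32 ll_time, char ll_line[32], char ll_host[256].
# The file is an array of these slots indexed by uid.
LASTLOG_FMT = "<i32s256s"
LASTLOG_SIZE = struct.calcsize(LASTLOG_FMT)  # 292 bytes per uid


def make_record(ll_time, line="", host=""):
    """Build one lastlog slot (used here only to construct sample input)."""
    return struct.pack(LASTLOG_FMT, ll_time, line.encode(), host.encode())


def parse_lastlog(data):
    """Return a list of {uid, time, line, host} dicts, one per slot."""
    records = []
    for uid in range(len(data) // LASTLOG_SIZE):
        t, line, host = struct.unpack_from(LASTLOG_FMT, data, uid * LASTLOG_SIZE)
        records.append({
            "uid": uid,
            "time": t,
            "line": line.split(b"\0", 1)[0].decode("ascii", "replace"),
            "host": host.split(b"\0", 1)[0].decode("ascii", "replace"),
        })
    return records


def banner_time(ll_time, utc_offset_hours):
    """Render ll_time the way a 'Last login:' banner does in the given timezone.
    An all-zero slot (epoch 0) lands on 31 Dec 1969 anywhere west of UTC."""
    tz = timezone(timedelta(hours=utc_offset_hours))
    return datetime.fromtimestamp(ll_time, tz).strftime("%a %b %d %H:%M:%S %Y")


def find_cleared(records, expected_uids):
    """Flag uids known to log in whose slot is all zeros: a zeroed slot for an
    account that has logged in before means the record was wiped."""
    return sorted(r["uid"] for r in records
                  if r["uid"] in expected_uids and r["time"] == 0
                  and r["line"] == "" and r["host"] == "")


# Constructed sample: root (uid 0) wiped, daemon (uid 1) never logged in,
# a regular user (uid 2, kept small for brevity) with an intact record.
SAMPLE_LASTLOG = (make_record(0) + make_record(0)
                  + make_record(1023456789, "pts/0", "192.0.2.10"))
EXPECTED_UIDS = {0, 2}  # accounts the admin knows have logged in over ssh

if __name__ == "__main__":
    for r in parse_lastlog(SAMPLE_LASTLOG):
        print(r["uid"], banner_time(r["time"], -5), r["line"], r["host"] or "(blank)")
    print("wiped slots:", find_cleared(parse_lastlog(SAMPLE_LASTLOG), EXPECTED_UIDS))
```

A zeroed slot for a uid that never logs in (daemon here) is normal, so the check only fires for accounts on the expected list.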
