-
June 4th, 2002, 04:31 AM
#1
Junior Member
Using a Linux Firewall box to run a Webserver? (bad?)
I've been using a rather old computer as a Gateway/Firewall for my LAN. Currently it's running RH7.2 (formatting and installing 7.3 soon). The box is only used for Masquerading, Firewall rules (ipchains), and as a Webserver.
I have three ports open on the box.
1. -- Apache (not on 80)
2. -- SSH (not on 22)
3. -- MySQL (default port)
My question is simply
Is it ok to use my firewall box as my webserver?
It's recently been compromised. (Last time I ssh'ed to it, it said the last login was from 1969, and tripwire indicated a few critical files had been modified.)
There is no noticeable damage, and the only data on the entire box that I care about is the web site, and the config files for some of the larger apps (all are backed up).
I have another box doing nothing; would it be safer to run a webserver off a box behind the firewall? I thought that would be pointless seeing how I'd have to open ports on that machine to the public anyway...
-
June 4th, 2002, 04:33 AM
#2
Junior Member
btw...
I'm guessing someone broke in using some sort of exploit either dealing with PHP, SSH, Apache, or MySQL. Since I'm formatting and no noticeable damage was done, I'm not even interested in finding out if there are any backdoors. I'm gonna format the box, slap on RH7.3 with updated versions of the apps I mentioned above...
-
June 4th, 2002, 04:43 AM
#3
Format and start over is the only thing to do.
Bukhari:V3B48N826 “The Prophet said, ‘Isn’t the witness of a woman equal to half of that of a man?’ The women said, ‘Yes.’ He said, ‘This is because of the deficiency of a woman’s mind.’”
-
June 4th, 2002, 04:48 AM
#4
Formatting and reinstalling is the only real way to ensure that no one put any backdoors on your system.
It's not software piracy. I'm just making multiple off-site backups.
-
June 4th, 2002, 04:49 AM
#5
You should use your second machine as a NAT/firewall. It does make a difference.
Mankind have a great aversion to intellectual labor; but even supposing knowledge to be easily attainable, more people would be content to be ignorant than would take even a little trouble to acquire it.
- Samuel Johnson
-
June 4th, 2002, 08:45 AM
#6
Before you format your disk, it's really worth investigating how they got in. I'm guessing they used a MySQL exploit or a dodgy CGI/PHP script to get in. What's the point of reformatting if you don't know how they got in? They can just do the same thing all over again. If you don't show that you've detected the intruder, they might come calling again, and this time you'll be prepared, won't you?
OpenBSD - The proactively secure operating system.
-
June 5th, 2002, 06:14 AM
#7
Junior Member
smirc -- I only use Linux for routing and serving purposes...
Of course I would like it to be secure, but I'm still very new to the OS...
I installed tripwire a while back and the following files have been updated:
"/var/log/ksyms.1"
"/var/log/ksyms.0" -- these 2 were added
"/var/lock/subsys/syslog"
"/var/run/klogd.pid"
"/etc/sysconfig/hwconf" -- these were all edited, I read through them, didn't see anything blatant
"/etc/rc.d/rc.local" -- this I edited
"/dev/log"
"/root"
"/root/.mysql_history" -- /dev/log and /root/.mysql_history modified
There is no damage done (noticeable), and ssh tells me the last user to log in was from 1969, then leaves the IP blank. (I ssh'ed, disconnected and connected again,
-
June 5th, 2002, 06:16 AM
#8
Junior Member
and when I connected again, it still left the IP blank and said it was from 1969.) As I said before, I'm formatting and reinstalling RH7.3 w/ updated software.
If anyone has any suggestions as to what the intruder might have done, I'd like to hear...
-
June 5th, 2002, 06:17 AM
#9
Junior Member
Also, logwatch informs me of the IPs that make ssh connections. The only connections I see are connections I make...
-
June 8th, 2002, 10:12 PM
#10
"/var/log/ksyms.1"
"/var/log/ksyms.0" -- these 2 were added
These are the kernel symbol files. I don't really know how to use them, but they're created normally by the kernel, so I don't think there should be a problem.
"/var/lock/subsys/syslog"
"/var/run/klogd.pid"
It looks like the syslog service was restarted.
"/etc/sysconfig/hwconf" -- these were all edited, I read through them, didn't see anything blatant
This file controls hard drive options and things like that. If you run hdparm, I think it can modify this file. I don't think there are any settings in there that would be security related though.
"/etc/rc.d/rc.local" -- this I edited
Even though you edited this file, go ahead and look through it just in case.
"/dev/log"
I'm not familiar with this one. Sorry.
"/root"
"/root/.mysql_history" -- /dev/log and /root/.mysql_history modified
This is probably not a problem. Tripwire flags any changes of any files in root unless they're specifically ignored. That's why you need to tweak the tripwire settings very carefully in the root directory.
Have you recently removed wtmp or utmp files? Removing these files could cause your computer to say that the last time you logged in was in 1969. The reason is that Linux keeps track of time by calculating time since "the beginning of time," which was January 1, 1970 (don't ask). So, if your wtmp and/or utmp files got deleted, then it knows that you obviously haven't logged in since 1970, so you must have last logged in in 1969.
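As an added illustration of the "last login from 1969" symptom discussed in this thread (this is example code written for this page, not anything posted by the participants): on Linux the "Last login: ... from ..." banner that login and sshd print is read from the per-uid record in /var/log/lastlog, and a record whose timestamp is zero renders as the Unix epoch, which in any US time zone is the evening of December 31, 1969. The snippet below packs a lastlog file image from constructed sample data (the uid, line and host values are made up), decodes a record the way the login banner would, and flags the zeroed record. It assumes the 292-byte 32-bit x86 glibc layout of struct lastlog that an RH7.x box of that era used, and a fixed UTC-5 offset for display.

```python
import struct
from datetime import datetime, timedelta, timezone

# Layout of glibc's struct lastlog on 32-bit x86 Linux (the RH7.x era):
#   int32 ll_time; char ll_line[32]; char ll_host[256]  -> 292 bytes per uid.
# /var/log/lastlog is indexed by uid: the record for uid N sits at offset N*292.
LASTLOG_FMT = "<i32s256s"
LASTLOG_SIZE = struct.calcsize(LASTLOG_FMT)

# Assumed display zone: US Eastern standard time (UTC-5). Any zone west of
# Greenwich pushes epoch 0 back onto December 31, 1969.
US_EASTERN = timezone(timedelta(hours=-5))


def make_record(ts, line, host):
    """Pack one lastlog record (constructed sample data, not from a real box)."""
    return struct.pack(LASTLOG_FMT, ts,
                       line.encode().ljust(32, b"\0"),
                       host.encode().ljust(256, b"\0"))


def build_lastlog(records):
    """Build a lastlog image from {uid: record}. Unused uids stay zero-filled,
    which is exactly how the file looks for a uid that has never logged in."""
    buf = bytearray((max(records) + 1) * LASTLOG_SIZE)
    for uid, rec in records.items():
        buf[uid * LASTLOG_SIZE:(uid + 1) * LASTLOG_SIZE] = rec
    return bytes(buf)


def lastlog_entry(data, uid, tz=US_EASTERN):
    """Decode the record for uid, as login/sshd do before printing
    'Last login: ... from ...'. Returns None if the file is shorter than uid*292."""
    off = uid * LASTLOG_SIZE
    raw = data[off:off + LASTLOG_SIZE]
    if len(raw) < LASTLOG_SIZE:
        return None
    ts, line, host = struct.unpack(LASTLOG_FMT, raw)
    cstr = lambda b: b.split(b"\0", 1)[0].decode("ascii", "replace")
    return {
        "ts": ts,
        "line": cstr(line),
        "host": cstr(host),
        "when": datetime.fromtimestamp(ts, tz),
        # ll_time == 0 with blank line/host means "nothing ever recorded": a
        # fresh account, or a record that was wiped or zero-filled afterwards.
        "zeroed": ts == 0 and not line.strip(b"\0") and not host.strip(b"\0"),
    }


def describe(entry):
    """Render the record the way the login banner would show it."""
    if entry is None:
        return "no record (file shorter than uid*292)"
    stamp = entry["when"].strftime("%a %b %d %H:%M:%S %Y")
    note = "  <-- zeroed record: timestamp 0, blank host" if entry["zeroed"] else ""
    return f"Last login: {stamp} from {entry['host']!r} on {entry['line']!r}{note}"


# Constructed sample: root's record wiped to zeros; uid 500 logged in over
# sshd at 04:31 EST on June 4, 2002 (1023183060 = 2002-06-04 09:31:00 UTC).
SAMPLE = build_lastlog({
    0: make_record(0, "", ""),
    500: make_record(1023183060, "pts/0", "192.0.2.10"),
})

if __name__ == "__main__":
    for uid in (0, 500, 9999):
        print(uid, describe(lastlog_entry(SAMPLE, uid)))
```

Running it prints a "Wed Dec 31 19:00:00 1969" banner with an empty host for uid 0 and the real June 2002 entry for uid 500. A 1969 banner on an account that has certainly logged in before therefore means the record was reset to zeros, not that the clock is wrong; whether that happened through an innocent log rotation or someone cleaning up after themselves is what the rest of the investigation has to establish.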