Responding to Breakin Attempts

Paul Robinson paul at iconoplex.co.uk
Tue Jun 15 14:29:24 GMT 2004


On Mon, Jun 14, 2004 at 03:25:42PM -0400, Greg Pavelcak wrote:

> The subject almost covers the question.  Our system logs break-in
> attempts.  Sometimes we get a flurry of attempts, perhaps just some
> sort of script that sends logins and passwords around, and I'd like to
> be able to respond in self-defense in some sort of productive way.

But in general, you need to write up a security policy based on best 
industry practice and implement it. What policies do you already have in 
place? VMS boxes tend to be the worst - people assume it's the most secure 
OS in the world and don't put the basics in place. I used to be tech 
director of a firm that shortly after I left announced exploits in the TCP 
stack we fixed in Unixland something close to 10 years ago. They only 
released a couple, but I know the guy who was working on it reckoned he had 
a few dozen lined up to release. He might still do so.
 
> How can I respond to such attempts to access the system here?

You have several choices:

1. Log all data securely and attempt to lock down the system, perhaps 
collecting evidence with view to a prosecution if you feel it necessary.

2. Bring in external security services to help you lock down and collect 
evidence.

If you're seeing attempted break-ins, chances are, you haven't been broken 
into yet. Consider what connections that box has to the outside world, and 
ask whether it needs them. Why are ports available to that user to be able 
to even attempt logins? Where is the firewall? Why aren't you filtering 
traffic? Etc...
 
> Any good beginner security reading out there?

Well, where to start.... I'll assume you want to get to grips with the 
concepts rather than a list of commands to type in to tighten things down, 
especially as you're asking us.

NIST publishes this:

http://csrc.nist.gov/publications/nistpubs/800-12/

O'Reilly publishes this:

http://www.oreilly.com/catalog/csb/

This is considered the bible for unix guys:

http://www.oreilly.com/catalog/puis3/

There are thousands of books out there on IT security. If you feel there is 
a real threat, you may need to bring in help due to time constraints and the 
fact that you just don't have the time or experience to counter a current 
threat. In which case there are plenty of security consultancies out there. 
If you want a guy who specialises in VMS boxes I can find one for you, but 
it won't be cheap. $1500/day is considered cheap.

-- 
Paul Robinson
http://www.iconoplex.co.uk/
	"I'm not conceited. It's just that I have a fondness for the good 
	things in life, and I happen to be one of them." - Kenneth Williams
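As an added illustration of the first choice above (log the attempts, decide which sources are a real flurry, then filter them at the firewall), here is a small detector that is not part of this thread and not Paul's or the list's code. It assumes the box logs failed logins in BSD syslog/sshd style and that pf is the packet filter in front of it; the log lines, host name, addresses and the `bruteforce` table name are all constructed for the example. It counts failures per source address, flags only those that exceed a threshold inside a sliding time window (a slow scan spread over hours is reported in the totals but not as a burst), and emits the pfctl commands an operator could review before running them.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (BSD syslog / sshd style); not taken from the thread.
SAMPLE_LOG = """\
Jun 15 14:29:24 vmsgw sshd[1201]: Failed password for invalid user admin from 192.0.2.10 port 40001 ssh2
Jun 15 14:29:27 vmsgw sshd[1202]: Failed password for invalid user test from 192.0.2.10 port 40002 ssh2
Jun 15 14:29:31 vmsgw sshd[1203]: Failed password for root from 192.0.2.10 port 40003 ssh2
Jun 15 14:29:35 vmsgw sshd[1204]: Failed password for invalid user oracle from 192.0.2.10 port 40004 ssh2
Jun 15 14:29:40 vmsgw sshd[1205]: Failed password for invalid user guest from 192.0.2.10 port 40005 ssh2
Jun 15 14:29:44 vmsgw sshd[1206]: Failed password for root from 192.0.2.10 port 40006 ssh2
Jun 15 14:30:02 vmsgw sshd[1210]: Failed password for greg from 198.51.100.7 port 51000 ssh2
Jun 15 14:30:15 vmsgw sshd[1211]: Accepted password for greg from 198.51.100.7 port 51000 ssh2
Jun 15 14:31:00 vmsgw cron[1300]: (root) CMD (/usr/libexec/atrun)
Jun 15 15:10:00 vmsgw sshd[1400]: Failed password for invalid user admin from 203.0.113.9 port 3000 ssh2
Jun 15 15:40:00 vmsgw sshd[1401]: Failed password for invalid user admin from 203.0.113.9 port 3001 ssh2
Jun 15 16:10:00 vmsgw sshd[1402]: Failed password for invalid user admin from 203.0.113.9 port 3002 ssh2
Jun 15 16:40:00 vmsgw sshd[1403]: Failed password for invalid user admin from 203.0.113.9 port 3003 ssh2
Jun 15 17:10:00 vmsgw sshd[1404]: Failed password for invalid user admin from 203.0.113.9 port 3004 ssh2
"""

# Matches only failed password attempts; accepted logins and other daemons are ignored.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def parse_failures(text):
    """Return a list of (timestamp, source_ip, username) for each failed login."""
    events = []
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue
        # Syslog timestamps carry no year; only relative spacing matters here.
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
        events.append((ts, m.group("ip"), m.group("user")))
    return events


def failures_by_source(events):
    """Total failed attempts per source address, regardless of timing."""
    totals = defaultdict(int)
    for _, ip, _ in events:
        totals[ip] += 1
    return dict(totals)


def burst_sources(events, threshold=5, window_seconds=60):
    """Sources with at least `threshold` failures inside any `window_seconds` span.

    Returns {ip: peak_count_in_window}. A sliding two-pointer scan over the
    sorted timestamps keeps this linear in the number of events per source.
    """
    by_ip = defaultdict(list)
    for ts, ip, _ in events:
        by_ip[ip].append(ts)
    window = timedelta(seconds=window_seconds)
    flagged = {}
    for ip, times in by_ip.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


def pf_block_commands(ips, table="bruteforce"):
    """Commands to add each source to a pf table (assumed declared in pf.conf
    as `table <bruteforce> persist` with a matching block rule). Returned as
    strings for review; nothing is executed."""
    return [f"pfctl -t {table} -T add {ip}" for ip in sorted(ips)]


if __name__ == "__main__":
    evts = parse_failures(SAMPLE_LOG)
    print("failures per source:", failures_by_source(evts))
    bursts = burst_sources(evts)
    print("burst sources (>=5 in 60s):", bursts)
    for cmd in pf_block_commands(bursts):
        print(cmd)
```

Run against a real auth log (`python3 detect.py < /var/log/auth.log` after swapping `SAMPLE_LOG` for `sys.stdin.read()`), the totals show the slow scanner at 203.0.113.9 while the 60-second window flags only the rapid script at 192.0.2.10; widen the window if you want slow scans blocked too. Keep the raw log lines themselves, since they are the evidence Paul mentions collecting.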


More information about the freebsd-chat mailing list