
Re: [cobalt-security] PortSentry/Active System Attacks



Chris Burton wrote:
> 
> Hi,
> If it was one of your customers then a reinstall do anything to help, try
> and find out if it was a customer that did it. If you don't have customers
> (or other users) then look at the state of the RaQ: has it been compromised
> or not?
> 
> ChrisB.
> 

Actually a better idea is to find out who did the scan. If you really
want to be the strict admin, run a locate for various scripts that users
may use in linux to run port scans. A good way to find out what those
scripts may be is to visit www.antionline.com or www.securityfocus.com
and make a list of the commonly used scripts for port scanning. Run
"locate <scriptname>" and see if it lists anything. If you get a hit,
make a note of the user's account. You can then go into their .bash_history
file and find out if they did run commands for port scans.
Then:

1) warn them they are in violation of Terms Of Service (you did make a
TOS for your customers didn't you?).
2) if they don't listen or initiate another scan within a 24 to 72 hour
period, dump them as they are a big liability to your company and not
worth the potential trouble no matter how much they may be paying.
3) review whether your customers need access to telnet or ssh; if not,
then cut off all access.

This may seem like a heavy-handed approach to some people. However, when
you look at the liability implications and possible trouble that may be
caused by this person, it doesn't seem all that bad.

<These opinions are strictly my own and do not constitute the opinions or
positions of my employer>

-- 
Bill Irwin
Technical Support Engineer
Sun Microsystems, Inc.
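An added example in the spirit of the locate/.bash_history check Bill describes above (not code from the thread or from any list member): a small POSIX sh audit that searches a directory tree for files named after scanner tools and flags per-account shell histories that invoke them. The tool list, the home-directory layout and the sample file names are assumptions.

```shell
#!/bin/sh
# Added example, not from the original thread. Assumptions: a constructed
# list of scanner names and a home tree laid out as BASE/<account>/.

# Constructed list of tool names to look for; build your own from the
# sources the thread mentions. Stored as a space-separated string for sh.
SCAN_TOOLS="nmap strobe"

# find_scan_tools DIR: list files under DIR whose name contains a listed
# tool. Stands in for "locate <scriptname>" so it runs offline on one tree.
find_scan_tools() {
    dir=$1
    for t in $SCAN_TOOLS; do
        find "$dir" -type f -name "*$t*" 2>/dev/null
    done
}

# grep_history FILE: print history lines that run a listed tool as a
# command word (start of line or after whitespace, ';', '&' or '|').
grep_history() {
    file=$1
    pattern=""
    for t in $SCAN_TOOLS; do
        pattern="${pattern:+$pattern|}$t"
    done
    grep -E "(^|[[:space:];&|])($pattern)([[:space:]]|$)" "$file" 2>/dev/null
}

# audit_homes BASE: walk BASE/*/.bash_history and report per-account hits.
# Returns 0 when no account invoked a listed tool, 1 when at least one did.
# It only reports; what to do with the account is the TOS question above.
audit_homes() {
    base=$1
    hits=0
    for h in "$base"/*/.bash_history; do
        [ -f "$h" ] || continue
        user=$(basename "$(dirname "$h")")
        if grep_history "$h" >/dev/null; then
            echo "account $user: history shows scanner use"
            grep_history "$h" | sed "s/^/  $user: /"
            hits=$((hits + 1))
        fi
    done
    [ "$hits" -eq 0 ]
}
```

Run it as `audit_homes /home` for the history check and `find_scan_tools /home` for the file search; history files only record what a shell chose to save, so treat a clean result as absence of evidence, not proof.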