Re: [cobalt-security] eggdrop and monitoring
- Subject: Re: [cobalt-security] eggdrop and monitoring
- From: Michael Stauber <cobalt@xxxxxxxxxxxxxx>
- Date: Thu, 17 Apr 2003 00:56:02 +0200
- Organization: SOLARSPEED.NET
- List-id: Mailing list for users to address network security on Cobalt products. <cobalt-security.list.cobalt.com>
> Hello, some users are running eggdrops, just found this out.
> is there a way to block this port
This is what I'd do - not necessarily in that order. ;o)
a) Set up a webhosting policy that prohibits usage of IRC related services off
your server. Inform your customers about it and give 'em a grace period to
disable the offending stuff by themselves.
b) Set up an IPtables or IPchains rule which prevents incoming and outgoing
connections to port 6667. Set it up to log events and monitor your kernel
logfile for traffic to those ports. The smarter guys might use different
ports, but in the end IRC usually runs on 6667. If you block incoming and
outgoing connections to and from port 6667 then you ought to catch most
offenders.
c) Run the following commands as root:
    chmod 700 /usr/bin/gcc
    chmod 700 /usr/bin/cc
That will deny the compiler to all users but root. Eggdrop is usually compiled
on the server itself by users with shell access. Without a working compiler you
limit the potential mischief that a non-root user can do.
d) Disable shell access to all users except for a few trusted persons that
have proven their need for that kind of access. Without shell access nobody
can install stuff like eggdrop without jumping through a couple of loops.
e) Search in the /home/sites directory and user directories for executable
files, examine 'em and if it looks fishy then you might want to chown the
file to be owned by root and put a chmod 600 on it so that nobody can execute
'em anymore. If it was important to the customer, then they'll sure give you
a call and you can then take it from there.
> or to monitor the traffic this generates, so i can charge the use of this
It'll be tricky to monitor bandwidth generated by IRC traffic. But it will be
next to impossible to then find out which user generated how much IRC traffic
- if more than one user is generating that kind of traffic.
--
With best regards,
Michael Stauber
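
Added example, not part of the original message: one way to write the log-and-drop rules from step (b) for iptables and to summarize the kernel log lines they produce. The log prefix `IRC6667: `, the function names and the sample log lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example for step (b); not from the original post.
LOG_PREFIX="IRC6667: "   # assumed label; any short string works

# Print the rules for review; run them as root once checked.
# Each chain logs the packet first, then drops it.
irc_rules() {
    for chain in INPUT OUTPUT; do
        echo "iptables -A $chain -p tcp --dport 6667 -j LOG --log-prefix \"$LOG_PREFIX\""
        echo "iptables -A $chain -p tcp --dport 6667 -j DROP"
    done
}

# Read kernel log lines on stdin and print "count direction src -> dst",
# busiest pair first. Lines without the prefix are ignored.
summarize_irc_log() {
    awk -v p="$LOG_PREFIX" '
        index($0, p) {
            dir = "in"; src = "?"; dst = "?"
            for (i = 1; i <= NF; i++) {
                if ($i == "IN=") dir = "out"   # empty IN= : packet originated on this host
                else if ($i ~ /^SRC=/) src = substr($i, 5)
                else if ($i ~ /^DST=/) dst = substr($i, 5)
            }
            n[dir " " src " -> " dst]++
        }
        END { for (k in n) print n[k], k }
    ' | sort -k1,1nr -k2
}

# Constructed sample lines in the format the LOG target writes.
sample_log() {
    cat <<'EOF'
Apr 17 00:10:01 www kernel: IRC6667: IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.7 LEN=60 TTL=64 PROTO=TCP SPT=33012 DPT=6667 SYN
Apr 17 00:10:04 www kernel: IRC6667: IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.7 LEN=60 TTL=64 PROTO=TCP SPT=33012 DPT=6667 SYN
Apr 17 00:12:30 www kernel: IRC6667: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TTL=52 PROTO=TCP SPT=40211 DPT=6667 SYN
Apr 17 00:13:00 www kernel: eth0: link up
EOF
}

irc_rules
sample_log | summarize_irc_log
```

On a live host, feed the function the kernel log instead of the sample, for example `summarize_irc_log < /var/log/messages` (the path is an assumption and depends on the syslog configuration).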