Re: [cobalt-security] eggdrop and monitoring



> Hello, some users are running eggdrops, just found this out.
> Is there a way to block this port

This is what I'd do - not necessarily in that order. ;o)

a) Set up a webhosting policy that prohibits usage of IRC related services off 
your server. Inform your customers about it and give 'em a grace period to 
disable the offending stuff by themselves. 

b) Set up an iptables or ipchains rule which prevents incoming and outgoing 
connections to port 6667. Set it up to log events and monitor your kernel 
logfile for traffic to those ports. The smarter guys might use different 
ports, but in the end IRC usually runs on 6667. If you block incoming and 
outgoing connections to and from port 6667 then you ought to catch most 
offenders.

c) Run the following commands as root:

chmod 700 /usr/bin/gcc
chmod 700 /usr/bin/cc

That will deny the compiler to all users but root. Eggdrop is usually compiled 
on the server itself by users with shell access. Without a working compiler you 
limit the potential mischief that a non-root user can do.

d) Disable shell access to all users except for a few trusted persons that 
have proven their need for that kind of access. Without shell access nobody 
can install stuff like eggdrop without jumping through a couple of loops.

e) Search in the /home/sites directory and user directories for executable 
files, examine 'em and if it looks fishy then you might want to chown the 
file to be owned by root and put a chmod 600 on it so that nobody can execute 
'em anymore. If it was important to the customer, then they'll sure give you 
a call and you can then take it from there.

> or to monitor the traffic this generates, so I can charge the use of this

It'll be tricky to monitor bandwidth generated by IRC traffic. But it will be 
next to impossible to then find out which user generated how much IRC traffic 
- if more than one user is generating that kind of traffic. 

-- 

With best regards,

Michael Stauber
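As an added example (not code from the post or its author), here is a small POSIX shell script covering step b) above: the iptables block-and-log rules for port 6667 in both directions, and an awk filter that tallies the resulting kernel log lines by direction and remote host. It assumes iptables rather than ipchains, a syslog-style kernel log, and the `IRC-IN:`/`IRC-OUT:` log prefixes are my choice; the sample log lines are constructed.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes iptables (the post also
# mentions ipchains) and a syslog-style kernel log. Shows the block-and-log
# rules for TCP port 6667 in both directions and an awk filter that turns the
# resulting kernel log lines into a per-direction, per-remote-host tally.

# Rules matching the post's advice: log first, then drop. Printed rather than
# executed, so they can be reviewed before being run as root.
irc_block_rules() {
    cat <<'EOF'
iptables -A INPUT  -p tcp --dport 6667 -j LOG --log-prefix "IRC-IN: "
iptables -A INPUT  -p tcp --dport 6667 -j DROP
iptables -A OUTPUT -p tcp --dport 6667 -j LOG --log-prefix "IRC-OUT: "
iptables -A OUTPUT -p tcp --dport 6667 -j DROP
EOF
}

# Constructed sample of what the LOG target writes to the kernel log
# (addresses are documentation/private ranges, not real hosts).
SAMPLE_LOG='Mar  3 10:15:01 raq kernel: IRC-OUT: IN= OUT=eth0 SRC=10.0.0.5 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=43210 DPT=6667 SYN
Mar  3 10:15:02 raq kernel: IRC-OUT: IN= OUT=eth0 SRC=10.0.0.5 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=43211 DPT=6667 SYN
Mar  3 10:16:00 raq kernel: IRC-IN: IN=eth0 OUT= SRC=198.51.100.7 DST=10.0.0.5 LEN=60 PROTO=TCP SPT=51000 DPT=6667 SYN
Mar  3 10:16:05 raq kernel: eth0: link is up'

# Read kernel log lines on stdin; print "DIRECTION REMOTE COUNT", sorted.
# For OUT hits the remote host is DST (a local user reaching an IRC server);
# for IN hits it is SRC (someone connecting to a service on this box).
irc_log_summary() {
    awk '
    /IRC-(IN|OUT): / {
        dir = ($0 ~ /IRC-IN: /) ? "IN" : "OUT"
        src = ""; dst = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^SRC=/) src = substr($i, 5)
            if ($i ~ /^DST=/) dst = substr($i, 5)
        }
        remote = (dir == "IN") ? src : dst
        count[dir " " remote]++
    }
    END { for (k in count) print k, count[k] }' | sort
}

# Usage: tally the sample; on a live system feed /var/log/messages instead.
printf '%s\n' "$SAMPLE_LOG" | irc_log_summary
```

On a live box the tally only shows which remote hosts were contacted, which matches the post's caveat: mapping hits back to an individual local user still needs the local source port correlated with that user's processes.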