Need urgent help regarding security

Steve Bertrand iaccounts at ibctech.ca
Thu Nov 17 13:44:06 GMT 2005


[...]

> > You can easily rebuild a new kernel with:
> > 
> > options IPFIREWALL
> > options IPFIREWALL_VERBOSE
> > options IPFIREWALL_VERBOSE_LIMIT=1000
> > 
> > Then create a script blocking ALL ports except those that you need.
> > Especially only allowing SSH access to the box from limited IPs. If
> > you need help, just ask.
> 
> Thanks for the suggestion. I personally have no experience 
> with IPFW (I have played with IPF a little bit on a test box 
> here) so I will have to think on that a little. I am guessing 
> you suggest IPFW as opposed to IPF correct? I read up on IPFW 
> and IPF in the handbook when I was experimenting with 
> firewalls and the rule syntax and things seemed more logical 
> to me with IPF, but I did not look that far in depth.

I only recommend IPFW because that is what I am familiar with. I don't
want to start a flame war, as I've been told by others that IPF is just
as good. If you are experienced with IPF and understand the syntax of
its rules, by all means, go for it.

> 
> My servers are also remote so I would have to make sure I 
> didn't firewall myself out when enabling any firewall. ;)

Yes, that is always a concern. I've been there/done that before on more
than one occasion. There are scripts that can 'reset' to a previous
config if this does happen though (I learned the hard way ;)

> > Have you checked your daily cron outputs lately? What do they say?
> 
> All I see is legit cronjobs from a billing system that I run 
> and some from cPanel such as cpumonitor and backups.

Sorry, I meant the security run outputs that get sent at around 0300
every day.

Steve
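
A sketch of the kind of 'reset' script mentioned above, as an added example that is not part of the original message: it loads a new ruleset and restores the previous one unless access is confirmed in time. The function name, the LOAD_CMD variable, the file names and the assumption that each rules file is a shell script of firewall commands are all hypothetical.

```shell
#!/bin/sh
# Added example: load a new firewall ruleset and fall back to the previous
# one unless the admin confirms from a fresh login that access still works.
# Assumption: each rules file is a shell script of firewall commands, so the
# default loader is /bin/sh; set LOAD_CMD to use a different loader.
#
# Run it detached from the login session so the rollback still happens if
# that session is cut off, e.g. (file names are placeholders):
#   nohup sh -c '. ./safe_apply.sh; safe_apply new.rules old.rules 120 /root/fw.ok' &
# then open a NEW SSH connection and run: touch /root/fw.ok

# safe_apply NEW_RULES OLD_RULES TIMEOUT_SECONDS CONFIRM_FILE
# returns 0 = new rules kept, 1 = rolled back, 2 = bad arguments
safe_apply() {
    new_rules=$1; old_rules=$2; timeout=$3; confirm=$4
    load=${LOAD_CMD:-/bin/sh}

    # Refuse to start without a readable fallback: it is the only way back.
    if [ ! -r "$new_rules" ] || [ ! -r "$old_rules" ]; then
        echo "safe_apply: rules file missing or unreadable" >&2
        return 2
    fi
    rm -f "$confirm"    # a stale confirmation must not count

    # If the new ruleset fails to load, restore the old one immediately.
    if ! $load "$new_rules"; then
        $load "$old_rules"
        return 1
    fi

    # Confirmation is a file rather than a prompt: an already-open session
    # can survive a bad ruleset, so only a newly opened connection that
    # creates the file shows the new rules still let the admin in.
    waited=0
    while [ "$waited" -lt "$timeout" ]; do
        if [ -e "$confirm" ]; then
            rm -f "$confirm"
            return 0
        fi
        sleep 1
        waited=$((waited + 1))
    done

    # Nobody confirmed in time: assume lock-out and restore the old rules.
    $load "$old_rules"
    return 1
}
```

Keep the confirmation file in a directory only root can write to, so that no other local user can confirm a ruleset.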


