Mailing List Archive


Re: [tlug] How to handle a hacker<wink> [was: Arcane command-line]



>>>>> "A" == A Sajjad Zaidi <A.Sajjad> writes:

    A> How convenient.  I had to run to the data center many miles
    A> away. :-(

My condolences.  It was moderately surprising the first time it
happened to me (it was a typo, not intentional), but this time I knew
what I was doing; the cost was negligible compared to the need.

    A> Since then, while I'm configuring ipchains/tables, I set up a
    A> cronjob to clear the rules every few minutes in case I make a
    A> mistake, but that wouldn't be good in case of a *cracker*.

Yeah, but I wouldn't worry about it.  You can probably get back in and
set up some protection faster than he can figure out what happened
(although he might be automated).  Breaking the connection is probably
enough to scare him away, especially if he realizes he's been
recognized as a cracker.

Here's an alternative approach:

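function ipchains-clear () {
  # default-deny the input chain first, then drop any existing rules
  ipchains -P input DENY;
  ipchains -F input;
  # er, untested.  Make sure this isn't a syntax error!
  # (-p tcp added: ipchains only accepts a port together with a protocol)
  ipchains -A input -p tcp -s admin.your.domain --dport 22 -j ACCEPT;
}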

ipchains-clear
# work
# work
# work
# and if you don't want admin.your.domain recognized from ipchains -L
# (boy, that's a Chris-tian level of paranoia!)
ipchains -D input 1


-- 
Institute of Policy and Planning Sciences     http://turnbull.sk.tsukuba.ac.jp
University of Tsukuba                    Tennodai 1-1-1 Tsukuba 305-8573 JAPAN
              Don't ask how you can "do" free software business;
              ask what your business can "do for" free software.
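
Added example, not part of the original post: a POSIX shell sketch that combines the two ideas in this thread, a timed safety net like the cron job, but one that falls back to the reply's deny-all-except-admin-SSH rules rather than to an empty ruleset. The names `run`, `lockdown`, `arm_rollback`, `disarm_rollback`, `DRY_RUN`, `ADMIN_HOST` and `ROLLBACK_DELAY` are assumptions made for this illustration.

```shell
#!/bin/sh
# Added illustration; not code from the thread. All names are hypothetical.
DRY_RUN="${DRY_RUN:-1}"                        # 1 = print commands, 0 = execute (root)
ADMIN_HOST="${ADMIN_HOST:-admin.your.domain}"  # placeholder host from the post
ROLLBACK_DELAY="${ROLLBACK_DELAY:-300}"        # seconds until the fallback fires

# Print the command in dry-run mode, otherwise execute it.
run() {
  if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

# Fail-closed fallback: default-deny input, flush, allow only admin SSH.
# The policy is set before the flush so there is no window with an
# empty chain and a permissive default.
lockdown() {
  run ipchains -P input DENY
  run ipchains -F input
  # ipchains accepts a port only together with a protocol, hence -p tcp
  run ipchains -A input -p tcp -s "$ADMIN_HOST" --dport 22 -j ACCEPT
}

# Arm a background timer. Unless disarmed within ROLLBACK_DELAY seconds,
# the ruleset is replaced by lockdown (not by "accept everything").
arm_rollback() {
  ( sleep "$ROLLBACK_DELAY" && lockdown ) &
  ROLLBACK_PID=$!
}

# Cancel the timer once the new rules are confirmed to work.
disarm_rollback() {
  kill "$ROLLBACK_PID" 2>/dev/null || true
  wait "$ROLLBACK_PID" 2>/dev/null || true
}

# Typical session:
#   arm_rollback
#   ... edit rules, then open a *second* SSH session to confirm access ...
#   disarm_rollback
```

If a rule change cuts off the session, the timer leaves the host reachable only from the admin address on port 22, so a mistake costs a short wait instead of a trip to the data center or an open firewall.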

