Don't get hacked off; take steps to keep your net safe from intruders

The best defense against troublemakers is a good offense. If you manage Internet
services for a government site, now's the time to go on the offensive against hackers and
e-mail spammers.


To guard against hackers, pay special attention to any server connected to your LAN,
WAN or Internet service provider if it happens to be run by a contractor or other outside
party. In October, the SANS Institute of Bethesda, Md., found out that third-party
machines can be a weak link in supposedly secure networks.


GCN readers who subscribe to the SANS Network Security Digest may have received bogus
copies of the October digest, which contained foul language and pornographic attachments.


In a November follow-up report, SANS officials traced the hack to their Internet
service provider, Clark Internet Services at clark.net.
Apparently a Clark customer maintained a server running an old operating system without
any patches for known security holes.


The SANS report said a hacker gained access to that customer's server and ran a
password sniffer over the internal Clark network to capture passwords, one of which opened
the SANS account.


SANS had stored a partial list of its digest subscribers on a Clark server. The hacker
mailed the bogus digest to that list and deleted log files to cover his or her tracks.


SANS officials said they have learned the following lessons:


For information on SSH, visit the SSH World Wide Web site at http://www.cs.hut.fi/ssh/. You can download
a free Unix version via File Transfer Protocol from ftp://ftp.cs.hut.fi/pub/ssh/.
A short report on the hacking incident appears at http://www.sans.org/hack.htm.


To subscribe to the SANS Network Digest for $80 per year, send e-mail to sans@clark.net. The subject line should say
"Subscribe SANS Digest," and the body should include your name, job title,
organization and postal address.


It takes a different set of weapons to do battle with e-mail spammers.


Visit the Energy Department's Computer Incident Advisory Capability site for a good
list of spamming countermeasures at http://ciac.llnl.gov/ciac/bulletins/i-005a.shtml.


CIAC suggests filtering mail at the mail client or mail server level, by scanning
header information, mailer type and IP addresses. Compare the information against a list
of filters for specific addresses, routings or key words in headers. As a last resort, the
filters could block all mail sent from certain addresses.


It's most effective to do the filtering on the server side so the spam stays off your
LAN. Doing this requires adding rules to the configuration settings for the mail system.
Users have to forward any spam that gets through to the administrator for analysis of the
headers, which is a maintenance headache.


The CIAC report cites a list of mail packages popular with mass mailers. Be careful
about blocking all mail from certain mail handlers or addresses known to be associated
with spamming.


You risk stripping out your users' legitimate messages. It's safer to ask your Internet
provider to drop certain interdomain routes via the Border Gateway Protocol, and to set
router access lists to implement packet filtering for suspect IP addresses.


The site at http://spam.abuse.net/spam/tools/ipblock.html details how to use Transmission Control Protocol wrappers and host routing tables to
control what domains connect to your system and what they can send.


For other ideas on blocking spam from your entire site, see http://spam.abuse.net/spam/tools/mailblock.html.


Shawn P. McCarthy is a computer journalist, webmaster and Internet programmer for GCN's
parent, Cahners Publishing Co. E-mail him at smccarthy@cahners.com.


inside gcn

  • open doors to cloud (Sergey Nivens/Shutterstock.com)

    New vendors join FedRAMP Connect

Reader Comments

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above