[lug] Weird permission changing

Chip Atkinson chip at rmpg.org
Thu Jan 24 09:48:42 MST 2002


Actually a few months ago I got cracked and sshd, ps, ls, dir, and some
other files all turned up to have the same date and time.  I reinstalled
the os, since it was in need of an upgrade and a disk was on its last
legs.  The whole experience left me a little paranoid now.  I believe it
was some bind exploit, but I'm not positive.

Anyway, I'm beginning to see why security people favor separate machines
for DNS, Web, login, etc.  The thing though is that I don't want to have a
whole fleet of machines running all the time.

The trimming down idea is really good too.  I'll probably start doing just
that to the machine.

Thanks for the advice.

Chip


On Thu, 24 Jan 2002, Rob Nagler wrote:

> Chip Atkinson writes:
> > On a related note, I was thinking of ways to make that machine more secure
> > without crippling performance.  I thought of mounting /bin /usr/bin /sbin
> > and /usr/sbin read only, but also thought of burning a cd with all that on
> > it and mounting the cd instead.  It seems reasonable to me since many
> > things would be in buffer cache after a little bit.
>
> If someone could modify /bin, etc., they are in pretty deep at that
> point.  I used to use tripwire. It's pretty good, but hard to
> configure properly.
>
> I have always been concerned with net downloads.  It would be trivial
> for someone to add some malicious or insecure code to just one
> infrequently used program.  How do I validate random programs?  I don't
> think I can.
>
> Rather, I try to avoid running anything as root.  Another thing is to
> trim down production machines.  I don't care so much that my
> workstation gets cracked, but I do care if one of our servers with
> customer credit cards, SSNs, etc. gets cracked.  I once stripped SunOS
> to about 200 files.  That was all that was on the machine.  I knew the
> reason for every file.  It was an interesting experience, but
> certainly tedious.  I still had to trust the programs, but my trusted
> computer base was small.
>
> Auditing is critical.  You should process your logs nightly at least.
> Our machines get attacked almost continuously.  I like to see the
> messages in the logs.  We strip out common stuff, but we see every
> incorrect login attempt, every relay attempt, etc.  Save all your
> logs.  We're very paranoid so we save every ethernet packet for a full
> week (on both sides of our production front-ends).  It's invaluable in
> debugging, and we actually used it to follow an alleged crack, which
> turned out not to be one, fortunately.
>
> Rob
>
> _______________________________________________
> Web Page:  http://lug.boulder.co.us
> Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
>
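Rob's remark that tripwire is hard to configure, and the identical timestamps Chip found on sshd, ps, ls and dir, both come down to the same check: a baseline of the system binaries compared against the current state. As an added example (not code from either poster), here is a minimal integrity baseline in Python that hashes the trees Chip considered mounting read-only, reports added, removed and modified files, and flags groups of files stamped with one identical mtime. The directory list, the group threshold and the fixture built in demo() are assumptions, constructed for illustration.

```python
import hashlib
import os
import tempfile
from collections import Counter

def snapshot(roots):
    """Map path -> (sha256, mtime) for every regular file under roots
    (e.g. /bin, /sbin, /usr/bin, /usr/sbin); symlinks are skipped."""
    snap = {}
    for root in roots:
        for dirpath, _dirs, names in os.walk(root):
            for name in names:
                p = os.path.join(dirpath, name)
                if os.path.isfile(p) and not os.path.islink(p):
                    with open(p, "rb") as f:
                        digest = hashlib.sha256(f.read()).hexdigest()
                    snap[p] = (digest, int(os.stat(p).st_mtime))
    return snap

def compare(baseline, current):
    """Paths added, removed, or whose contents changed since the baseline."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline.keys() & current.keys()
                      if baseline[p][0] != current[p][0])
    return {"added": added, "removed": removed, "modified": modified}

def shared_mtimes(snap, threshold=3):
    """{mtime: [paths]} for groups of >= threshold files stamped with one
    identical mtime, the symptom Chip saw on sshd, ps, ls and dir."""
    counts = Counter(m for _h, m in snap.values())
    return {t: sorted(p for p, (_h, m) in snap.items() if m == t)
            for t, n in counts.items() if n >= threshold}

def demo():
    """Constructed fixture: fake binaries, a baseline, a replaced ls, re-stamped mtimes."""
    with tempfile.TemporaryDirectory() as root:
        for name in ("ls", "ps", "sshd", "dir"):
            with open(os.path.join(root, name), "wb") as f:
                f.write(b"original " + name.encode())
        base = snapshot([root])
        with open(os.path.join(root, "ls"), "wb") as f:
            f.write(b"replaced ls")
        for name in ("ls", "ps", "sshd"):
            os.utime(os.path.join(root, name), (1000000000, 1000000000))
        now = snapshot([root])
        report = compare(base, now)
        report["modified"] = [os.path.basename(p) for p in report["modified"]]
        report["same_mtime_groups"] = len(shared_mtimes(now))
        return report
```

The baseline only means something if it is stored off the machine (Chip's read-only CD would do), since an attacker deep enough to replace /bin/ls can rewrite a baseline kept alongside it; package installs also stamp many files with one mtime, so the timestamp check is a prompt to look, not proof of compromise.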