[lug] Weird permission changing
Ferdinand Schmid
fschmid at archenergy.com
Thu Jan 24 14:24:41 MST 2002
Chip Atkinson wrote:
> Actually a few months ago I got cracked and sshd, ps, ls, dir, and some
> other files all turned up to have the same date and time. I reinstalled
> the os, since it was in need of an upgrade and a disk was on its last
> legs. The whole experience left me a little paranoid now. I believe it
> was some bind exploit, but I'm not positive.
>
> Anyway, I'm beginning to see why security people favor separate machines
> for DNS, Web, login, etc. The thing though is that I don't want to have a
> whole fleet of machines running all the time.
>
> The trimming down idea is really good too. I'll probably start doing just
> that to the machine.
Maybe some day RedHat will also offer a minimal install. I find it much easier
to build my system up with what I need rather than having to delete what I don't
need. Some other distros (TurboLinux, SuSE and most likely more) offer this and
other help like "hardening" scripts.
>
> Thanks for the advice.
>
> Chip
>
>
> On Thu, 24 Jan 2002, Rob Nagler wrote:
>
>
>>Chip Atkinson writes:
>>
>>>On a related note, I was thinking of ways to make that machine more secure
>>>without crippling performance. I thought of mounting /bin /usr/bin /sbin
>>>and /usr/sbin read only, but also thought of burning a cd with all that on
>>>it and mounting the cd instead. It seems reasonable to me since many
>>>things would be in buffer cache after a little bit.
>>>
>>If someone could modify /bin, etc., they are in pretty deep at that
>>point. I used to use tripwire. It's pretty good, but hard to
>>configure properly.
>>
>>I have always been concerned with net downloads. It would be trivial
>>for someone to add some malicious or insecure code to just one
>>infrequently used program. How do I validate random programs? I don't
>>think I can.
>>
>>Rather, I try to avoid running anything as root. Another thing is to
>>trim down production machines. I don't care so much that my
>>workstation gets cracked, but I do care if one of our servers with
>>customer credit cards, SSNs, etc. gets cracked. I once stripped SunOS
>>to about 200 files. That was all that was on the machine. I knew the
>>reason for every file. It was an interesting experience, but
>>certainly tedious. I still had to trust the programs, but my trusted
>>computer base was small.
>>
>>Auditing is critical. You should process your logs nightly at least.
>>Our machines get attacked almost continuously. I like to see the
>>messages in the logs. We strip out common stuff, but we see every
>>incorrect login attempt, every relay attempt, etc. Save all your
>>logs. We're very paranoid so we save every ethernet packet for a full
>>week (on both sides of our production front-ends). It's invaluable in
>>debugging, and we actually used it to follow an alleged crack, which
>>turned out not to be one, fortunately.
>>
>>Rob
>>
>>_______________________________________________
>>Web Page: http://lug.boulder.co.us
>>Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
>>
>>
>
--
Ferdinand Schmid
http://www.archenergy.com
303-444-4149
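The read-only /bin discussion and the Tripwire remark above, as an added example that is not code from anyone in the thread: a small baseline checker that records, for every file under the given directories, the SHA-256 of its content together with its mode, owner, size and mtime (the trojaned sshd, ps and ls in Chip's story shared one timestamp, so mtime alone is already a useful tell), and later reports what was added, removed or changed. The directory list and the JSON store path are parameters chosen here; nothing about them is prescribed by the thread.

```python
"""Minimal Tripwire-style integrity baseline for system binaries.

Added example, not from the original mailing-list message. Assumes a
Unix-like host; point it at /bin /sbin /usr/bin /usr/sbin in production,
or at a scratch directory to try it out.
"""
import hashlib
import json
import os
import stat
import sys
from pathlib import Path


def fingerprint(path: Path) -> dict:
    """Record what an intruder replacing a binary would have to fake:
    content hash plus mode, owner, size and mtime."""
    st = path.lstat()
    entry = {
        "mode": stat.S_IMODE(st.st_mode),
        "uid": st.st_uid,
        "gid": st.st_gid,
        "size": st.st_size,
        "mtime": int(st.st_mtime),
    }
    if stat.S_ISLNK(st.st_mode):
        entry["link"] = os.readlink(path)
    elif stat.S_ISREG(st.st_mode):
        h = hashlib.sha256()
        with path.open("rb") as f:
            for chunk in iter(lambda: f.read(1 << 16), b""):
                h.update(chunk)
        entry["sha256"] = h.hexdigest()
    return entry


def build_baseline(dirs) -> dict:
    """Fingerprint every non-directory entry below each dir, keyed by path."""
    baseline = {}
    for d in dirs:
        for root, _subdirs, files in os.walk(d):
            for name in files:
                p = Path(root) / name
                try:
                    baseline[str(p)] = fingerprint(p)
                except OSError:
                    pass  # vanished or unreadable; treat as 'removed' next run
    return baseline


def compare(baseline: dict, current: dict) -> dict:
    """Added/removed paths, plus changed paths mapped to the fields that differ."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = {}
    for p in set(baseline) & set(current):
        fields = sorted(k for k in set(baseline[p]) | set(current[p])
                        if baseline[p].get(k) != current[p].get(k))
        if fields:
            changed[p] = fields
    return {"added": added, "removed": removed, "changed": changed}


def save_baseline(baseline: dict, store: Path) -> None:
    store.write_text(json.dumps(baseline, indent=1, sort_keys=True))


def load_baseline(store: Path) -> dict:
    return json.loads(store.read_text())


if __name__ == "__main__":
    # usage: integrity.py baseline STORE DIR...    (record)
    #        integrity.py check    STORE DIR...    (compare, exit 1 on any change)
    cmd, store, *dirs = sys.argv[1:]
    if cmd == "baseline":
        save_baseline(build_baseline(dirs), Path(store))
    else:
        rep = compare(load_baseline(Path(store)), build_baseline(dirs))
        for kind in ("added", "removed"):
            for p in rep[kind]:
                print(f"{kind}: {p}")
        for p, fields in rep["changed"].items():
            print(f"changed: {p} ({', '.join(fields)})")
        sys.exit(1 if any(rep.values()) else 0)
```

The store is only worth something if root on the box cannot rewrite it, which is exactly the argument for the CD-ROM idea: keep the baseline (and ideally the checker and the Python it runs on) on read-only media or another host. The checker also trusts the kernel it runs on; a kernel-level rootkit that lies to lstat() and read() defeats it, which is why the "they are in pretty deep at that point" comment stands.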
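Rob's nightly log processing ("strip out common stuff, but see every incorrect login attempt, every relay attempt"), as an added example that is not his script or anyone else's from the thread: a filter that drops an explicit list of routine noise, tallies sshd login failures and sendmail relay rejections by source address, and prints anything it could not classify so that a human still reads it. The sample log lines are constructed for the example in the syslog style of the period, and the regular expressions are assumptions to be adjusted to the formats a given host actually emits.

```python
"""Nightly log triage: drop known noise, count the events that matter,
surface everything else. Added example, not from the original thread."""
import re
import sys
from collections import Counter, defaultdict

# Constructed sample lines (not taken from any real host).
SAMPLE_LOG = """\
Jan 24 02:11:03 web1 sshd[1234]: Failed password for root from 10.9.8.7 port 40112 ssh2
Jan 24 02:11:05 web1 sshd[1234]: Failed password for root from 10.9.8.7 port 40113 ssh2
Jan 24 02:11:09 web1 sshd[1240]: Accepted publickey for chip from 192.168.1.5 port 51000 ssh2
Jan 24 02:15:00 web1 CRON[1300]: (root) CMD (run-parts /etc/cron.hourly)
Jan 24 02:20:31 web1 sendmail[1402]: g0O9KVx01402: ruleset=check_rcpt, arg1=<spam@example.org>, relay=[203.0.113.9], reject=550 5.7.1 <spam@example.org>... Relaying denied
Jan 24 02:21:44 web1 sshd[1410]: Invalid user admin from 198.51.100.23
Jan 24 02:21:46 web1 sshd[1410]: Failed password for invalid user admin from 198.51.100.23 port 3322 ssh2
Jan 24 03:00:01 web1 CRON[1500]: (root) CMD (/usr/sbin/logrotate /etc/logrotate.conf)
"""

# "Common stuff" that is safe to strip. Keep this list short and explicit:
# anything not matched here and not a known event is shown to the reader.
NOISE = [
    re.compile(r" CRON\[\d+\]: "),
    re.compile(r"sshd\[\d+\]: Accepted "),
]

# Events to see every single one of (patterns are assumptions; tune per host).
FAILED_LOGIN = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\d+\.\d+\.\d+\.\d+)")
INVALID_USER = re.compile(r"sshd\[\d+\]: Invalid user (\S+) from (\d+\.\d+\.\d+\.\d+)")
RELAY_DENIED = re.compile(r"sendmail\[\d+\]: .*relay=\[?([\d.]+)\]?.*Relaying denied")


def triage(text: str) -> dict:
    failed = Counter()          # source ip -> failed password attempts
    users = defaultdict(set)    # source ip -> usernames tried
    relay = Counter()           # source ip -> relay attempts refused
    unclassified = []
    for line in text.splitlines():
        if not line.strip() or any(p.search(line) for p in NOISE):
            continue
        m = FAILED_LOGIN.search(line)
        if m:
            failed[m.group(2)] += 1
            users[m.group(2)].add(m.group(1))
            continue
        m = INVALID_USER.search(line)
        if m:
            users[m.group(2)].add(m.group(1))
            continue
        m = RELAY_DENIED.search(line)
        if m:
            relay[m.group(1)] += 1
            continue
        unclassified.append(line)  # neither noise nor a known event: read it
    return {
        "failed_logins": dict(failed),
        "users_tried": {ip: sorted(u) for ip, u in users.items()},
        "relay_denied": dict(relay),
        "unclassified": unclassified,
    }


def report(summary: dict) -> str:
    lines = []
    for ip, n in sorted(summary["failed_logins"].items(), key=lambda kv: -kv[1]):
        tried = ", ".join(summary["users_tried"].get(ip, []))
        lines.append(f"{n:4d} failed login(s) from {ip} (users: {tried})")
    for ip, n in sorted(summary["relay_denied"].items()):
        lines.append(f"{n:4d} relay attempt(s) denied from {ip}")
    for line in summary["unclassified"]:
        lines.append("UNCLASSIFIED: " + line)
    return "\n".join(lines)


if __name__ == "__main__":
    # Pipe the night's syslog in; with no stdin, run over the sample.
    text = SAMPLE_LOG if sys.stdin.isatty() else sys.stdin.read()
    print(report(triage(text)))
```

The design choice that matters is the default: the noise list is a short allow-list of what may be hidden, and everything else either counts as a tracked event or lands in the unclassified bucket, so a new kind of message is seen the first night it appears rather than silently dropped. Run it against a copy of the logs shipped to another host; an intruder who has already replaced ps and ls will edit the local logs too.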