From: "Karsten M. Self" <kmself at ix.netcom.com>
To: svlug at lists.svlug.org
Message-ID: <20050422152810.GD26885 at localhost>
References: <20050421161921.1592.qmail at web40428.mail.yahoo.com>
In-Reply-To: <20050421161921.1592.qmail at web40428.mail.yahoo.com>

If you want to take some extra steps:

- Set up strong passwords.  Disable remote root access.  Use sudo.  Don't
  allow remote password authentication (use SSH RSA key auth instead).

- Minimize your services.  Run only what you _need_ to run.  If a service
  doesn't need to accept external traffic, configure it not to, either
  directly or via IP filtering.  "shorewall" is one of several decent IP
  filter wrapper / front-end tools; I've had good luck with it.

- Read your system logs.  Note unusual activity.

- Subscribe *at the very least* to your distro's security announcements
  mailing list.  Your distro doesn't have one?  I'd consider this a grave
  strike against it.  You may also want to subscribe to more general lists
  including Bugtraq.

- Set up a remote logging host and ship your system logs to it.  Restrict
  services/activities on that box to the minimum required to log and
  access the box (console, SSH if you must).  This will preserve more
  system state in the event of a compromise.

- Run an IDS (intrusion detection system).  'snort' is one of the more
  common ones.  These are _all_ pretty crufty and take some tuning and
  getting used to, but it's a good investment.

- Run a system integrity checker.  The combination of AIDE + Tripwire,
  where AIDE monitors your system files, and Tripwire monitors your AIDE
  files, has much to recommend itself.
For information pertaining to Debian (much of which is generally
applicable) you can start here:

    http://www.debian.org/security/

---------------------------------------------------------------------------

From: Rick Moen <rick at linuxmafia.com>
Subject: Re: [svlug] Need help with diagnosing compromised Linux system
List-Id: "discussion list for the Silicon Valley Linux Users Group." <svlug.lists.svlug.org>

Quoting John Conover (conover at rahul.net):

> If it's necessary to have a writable system, (like for a mail spool,
> dynamic web pages, etc.,) the live CD can boot and fstab a HD with the
> noexec option to mount, making a system that is robust against
> executing anything that was not put in the system on the CD.

Oh no!  I could be blocked from doing nasty things:

    $ mount | grep tmp
    /dev/sda7 on /tmp type ext2 (rw,noexec,nosuid,nodev)
    $ cd /tmp
    $ cp /bin/date .
    $ ./date
    bash: ./date: Permission denied

Curses!  Foiled again.  But wait:

    $ /lib/ld-linux.so.2 ./date
    Fri Apr 22 11:37:01 PDT 2005

Yay!  H4X0R tech wins again.

(Not saying it's not worth doing; just be aware that it's easily
circumvented by the clueful.)

<#include selinux-fixes-this-problem_advert_here>
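The script below is an added example, not code from either post or from the svlug thread. It turns two of the concrete items above into checks that run as an unprivileged user against text files: Karsten's SSH advice (no remote root, no remote password authentication, key auth left on) against a copy of sshd_config, and the noexec/nosuid/nodev mount options from John's suggestion against saved `mount` output. Both input files are constructed samples written by the script itself. It assumes OpenSSH's sshd_config rules (keywords are case-insensitive, the first occurrence of a keyword wins, settings inside a Match block apply only to matched clients) and the "DEV on MP type FS (opts)" line layout of `mount`; stripping "#..." anywhere on a line is more lenient than sshd's own parser. Rick's demonstration is the reason the mount check is reported as defence in depth only: noexec stops `./date` but not `ld-linux.so.2 ./date`.

```shell
#!/bin/sh
# Added example (not from the SVLUG thread): audit two controls from the
# checklist above using copies of sshd_config and `mount` output, so it
# needs no root access.  Assumptions: OpenSSH sshd_config semantics (first
# occurrence wins, keywords case-insensitive, Match blocks are not global)
# and the "DEV on MP type FS (opts)" layout of `mount`.  Stripping "#..."
# anywhere on a line is more lenient than sshd itself.

# sshd_effective KEYWORD FILE: print the value sshd would use for KEYWORD
# (first non-comment setting outside any Match block); nothing if unset.
sshd_effective() {
    awk -v key="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
        { sub(/#.*/, ""); gsub(/=/, " ") }       # comments; "Key=value" form
        NF == 0 { next }
        tolower($1) == "match" { in_match = 1; next }
        in_match { next }                        # Match-scoped, not global
        tolower($1) == key { print $2; exit }
    ' "$2"
}

# sshd_findings FILE: one line per setting that contradicts the advice above.
# Unset keywords are reported too: OpenSSH defaults allow password auth and
# (depending on version) root login with or without a key.
sshd_findings() {
    v=$(sshd_effective PermitRootLogin "$1")
    [ "$v" = "no" ] || echo "PermitRootLogin is '${v:-unset}', want 'no'"
    v=$(sshd_effective PasswordAuthentication "$1")
    [ "$v" = "no" ] || echo "PasswordAuthentication is '${v:-unset}', want 'no'"
    v=$(sshd_effective PubkeyAuthentication "$1")
    [ "$v" != "no" ] || echo "PubkeyAuthentication is 'no'; key auth must stay on"
    return 0
}

# mount_missing_opts MOUNTPOINT FILE: FILE holds `mount` output.  Print the
# options MOUNTPOINT lacks out of noexec/nosuid/nodev (space separated,
# empty when all three are set), or "not-mounted".  Remember Rick's point:
# noexec is defence in depth, ld.so can still run the file.
mount_missing_opts() {
    awk -v mp="$1" '
        $2 == "on" && $3 == mp {
            found = 1
            opts = $6; gsub(/[()]/, "", opts)
            n = split(opts, have_list, ",")
            for (i = 1; i <= n; i++) have[have_list[i]] = 1
            split("noexec nosuid nodev", want, " ")
            out = ""
            for (i = 1; i <= 3; i++)
                if (!(want[i] in have)) out = out (out == "" ? "" : " ") want[i]
            print out
        }
        END { if (!found) print "not-mounted" }
    ' "$2"
}

# write_samples DIR: constructed sample inputs (not taken from any real host).
write_samples() {
    cat > "$1/sshd_config" <<'EOF'
# Looks hardened at a glance, but is not.
Port 22
# root can still log in with a key; the advice above is to disable root entirely
PermitRootLogin without-password
PasswordAuthentication yes
Match Address 10.0.0.0/8
    PasswordAuthentication no
EOF
    cat > "$1/mounts" <<'EOF'
/dev/sda1 on / type ext3 (rw)
/dev/sda7 on /tmp type ext2 (rw,noexec,nosuid,nodev)
/dev/sda8 on /var/tmp type ext3 (rw,nodev)
EOF
}

dir=$(mktemp -d)
write_samples "$dir"
echo "== sshd_config findings"
sshd_findings "$dir/sshd_config"
echo "== mount options missing"
for mp in /tmp /var/tmp /home; do
    echo "$mp: $(mount_missing_opts "$mp" "$dir/mounts")"
done
rm -rf "$dir"
```

Run it on a real host with `cp /etc/ssh/sshd_config /tmp/cfg; mount > /tmp/mounts` and point the two functions at those files. The sample config is deliberately the kind that passes a quick glance: `PermitRootLogin without-password` still admits root with a key, and the `PasswordAuthentication no` inside the Match block does not change the global value, which is why the script reports both.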


Page last modified on January 20, 2008, at 10:48 AM