Bugtraq mailing list archives
Re: No Security is Bad Security:
From: r.fulton () AUCKLAND AC NZ (Russell Fulton)
Date: Fri, 5 Feb 1999 09:25:38 +1300
On Wed, 3 Feb 1999 08:33:10 -0800 "Jan B. Koum" <jkb () BEST COM> wrote:
>> 1) Don't log in as root on a machine that most likely has been compromised. Bad things can happen.
> You have to login as root to shutdown the system. You don't want to 'just turn it off' since you can lose data.

I guess the rule should be 'Do the minimum necessary as root' and be aware that your normal tools may be trojaned.

>> 3) Do *immediately* take the machine offline, and mount the disks on another system for analysis.
> True. Don't forget to mount rdonly,noexec,nosuid,nodev (mentioned above and some flags are redundant).

Errr... I must be thick! How can you take the machine offline and still have disks mounted on another system? Do you mean physically take the disks and install them in another box, or boot up on a CDROM? For Intel based systems you could reboot the system on a floppy with Trinux or picoBSD.

>> 1) we have no firewall nor tcpd running, so there is no effective access control or access logging. We have incredibly primitive router filtering, which eliminates only the most basic of IP-spoofing attacks.
> You can install ipf if you are on Solaris. Or get a FreeBSD with two NICs and use that as your firewall.

We use TAMU's drawbridge. It seems well adapted to a university environment where things are forever changing.

>> 6) we did not purchase or implement any Intrusion Detection Software.
> [IDS] http://www.l0pht.com/NFR http://www.nfr.com

Also the SANS CIDER project at http://www.nswc.navy.mil/ISSEC/CID/ and the Argus IP audit tool at ftp://ftp.sei.cmu.edu/pub/argus - this isn't an intrusion detection system per se, it is an audit tool and I have written some perl scripts that use it for detecting scans etc.

>> Not using tripwire cost us a lot, in that a) we had to rebuild every last GNU program from source, and b) we did not have it available as a means of detecting 'wrongness' on a production system.

I have tried using Tripwire but have never managed to overcome the lack of non-writable media storing the executables and database. Also the amount of work involved in keeping the database up to date is non-trivial in our environment.

Cheers, Russell.
Computer Security Officer, The University of Auckland, New Zealand.
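The Tripwire discussion above (a baseline for detecting 'wrongness', kept off-host so a trojaned binary cannot hide itself) as a minimal Python example. This is an added illustration, not Tripwire's code and not anything posted in this thread; the temporary directory tree, file names and contents in demo() are constructed for the demonstration.

```python
#!/usr/bin/env python3
"""Minimal Tripwire-style file integrity baseline (added example, not Tripwire).

snapshot() records a SHA-256 digest and permission bits for every regular file
under a root; compare() diffs two snapshots. The baseline is meant to be stored
on read-only media and the comparison run from a clean boot environment, since
tools on a compromised host may lie about the files they report on.
"""
import hashlib
import os
import stat
import tempfile


def snapshot(root):
    """Return {relative_posix_path: (sha256_hex, mode_bits)} for regular files."""
    result = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue  # symlinks, devices and sockets are not hashed here
            digest = hashlib.sha256()
            with open(path, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    digest.update(chunk)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            result[rel] = (digest.hexdigest(), stat.S_IMODE(st.st_mode))
    return result


def compare(baseline, current):
    """Classify drift: files added, removed, or modified (content or mode)."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def demo():
    """Constructed run: baseline a tiny tree, then alter one file and add another."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "bin"))
        ls = os.path.join(root, "bin", "ls")
        with open(ls, "wb") as fh:
            fh.write(b"#!/bin/sh\nexec /bin/ls \"$@\"\n")
        os.chmod(ls, 0o755)
        base = snapshot(root)
        with open(ls, "ab") as fh:          # unexpected change to a system tool
            fh.write(b"# modified after baseline\n")
        with open(os.path.join(root, "bin", "extra"), "wb") as fh:
            fh.write(b"x")                   # file that was not in the baseline
        return compare(base, snapshot(root))
```

Rebuilding the baseline after every legitimate upgrade is the maintenance cost mentioned above; the comparison itself is cheap.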