Security Incidents mailing list archives

Re: Bind8 exploit and a deleted partition map


From: Crist Clark <crist.clark () GLOBALSTAR COM>
Date: Tue, 13 Feb 2001 14:29:24 -0800

Derek Kwan wrote:

> Well, after my box was rooted and trashed (all drives were wiped clean!)
> a few years back (via an NFS buffer overflow bug):

> 1) Back up your servers!

Yep.

> 2) Keep your software versions updated

It's tough, but try, try, and have an idea about priorities. Which
needs to be fixed by end of the week, which by end of the day, and
which needs to be turned off NOW until it is fixed.

> 3) Delete any software (esp. daemons) you don't plan to use

OK, this is the reason for my reply. I think this may be unnecessarily
strong. The key is not to RUN any daemons you do not need. Just having
a file of non-setuid, executable code sitting on the hard drive is of
very little risk. Figuring out what can and can't be TURNED OFF without
hurting desired functionality on something like a Sun box is hard enough
for a novice (and even an experienced) admin. Starting to nuke non-setuid
files on disk willy-nilly is not something I would recommend unless you
really, really know what you are doing. Even for setuid, I'd recommend
flipping setuid bits and leaving the file intact.

> 4) Monitor your syslogs (at least take a peek at them a few times a day)

This can be really tough if you are watching a couple of dozen boxes.

> 5) Back up your servers (did I say that before?)

Yep. Feel free to say it again too.

> Install Tripwire to protect your files like your inetd.conf or
> ssh_random_seed...

Tripwire does not really protect files, but monitors for changes.
I think that is what you mean? And if you have an ssh_random_seed
to protect (and I can't think of how it is meaningful to try),
upgrade your SSH so you don't.
--
Crist J. Clark                                Network Security Engineer
crist.clark () globalstar com                    Globalstar, L.P.
(408) 933-4387                                FAX: (408) 933-4926

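Two points in the reply above lend themselves to a concrete illustration: an integrity checker such as Tripwire detects changes after the fact rather than preventing them, and a setuid binary can be disarmed in place instead of being deleted. The POSIX shell script below is an added example, not code from the thread or from Tripwire; the function names and the one-line "hash path" baseline format are this example's own assumptions.

```shell
#!/bin/sh
# Added example: a minimal Tripwire-style change monitor and a setuid audit.
# Function names and the "hash path" baseline format are this example's own.

# SHA-256 of one file (sha256sum on Linux, shasum on BSD/macOS).
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Write "hash path" for every regular file under directory $1 into baseline $2.
# Paths are sorted so two baselines of the same tree compare line by line.
# Keep $2 outside $1 and store a copy off-box: a baseline the intruder can
# rewrite detects nothing.  Paths are assumed to contain no spaces.
baseline_create() {
    find "$1" -type f | LC_ALL=C sort | while read -r f; do
        printf '%s %s\n' "$(hash_file "$f")" "$f"
    done > "$2"
}

# Re-hash the tree under $1 and compare with baseline $2.  Prints one line per
# differing entry and returns 1 if anything changed, 0 if the tree matches.
# This is detection only: by the time it reports, the change has happened.
baseline_check() {
    current=$(mktemp) || return 2
    baseline_create "$1" "$current"
    diff "$2" "$current" | awk '
        /^</ { print "baseline-only (modified or removed): " $3 }
        /^>/ { print "current-only  (modified or added):   " $3 }'
    if cmp -s "$2" "$current"; then rc=0; else rc=1; fi
    rm -f "$current"
    return $rc
}

# List setuid files under $1: candidates for review, not for deletion.
setuid_list() {
    find "$1" -type f -perm -4000
}

# Disarm a setuid binary in place: clear the bit, leave the file intact.
setuid_disable() {
    chmod u-s "$1"
}
```

Run `baseline_create` once on a known-good tree, then `baseline_check` from cron; a non-zero exit is the signal to investigate, and a quick `setuid_list` of the same tree gives the review list the reply recommends working through before turning anything off.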
