Security Basics mailing list archives

Re: process identification


From: Andrew Pretzl <arp () norlight com>
Date: Tue, 4 May 2004 13:57:09 -0500

On 05/04/2004 10:41:06 AM Stijn De Weirdt wrote:

> and what can be done against rootkits? (apart from good firewall).

I'd start by loading the OS in a minimal configuration and not using a
modular kernel. By compiling the kernel yourself (more work) you can
prevent the installation of some of the modular rootkits.  Then harden the
OS using Bastille Linux (www.bastille-linux.org). If the system is exposed
to the internet without being behind a firewall you may want to consider
using iptables. Finish configuring the server & then install the open
source version of tripwire and baseline your system. You can set tripwire
up to run an integrity check via a cron job & have it e-mail the output so
you can see if something has changed. Running chkrootkit periodically is a
good idea also. If possible, have the server send syslog info to another
server in a more secure portion of your network.

Good luck!

AP
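
A small hand-rolled illustration of the "baseline, then check from cron and mail the result" workflow the reply describes for tripwire. This is an added example, not tripwire itself or anything from the list; it assumes POSIX sh with find and sha256sum (coreutils), and the script path, baseline database path and cron schedule in the comments are made up.

```shell
#!/bin/sh
# Hand-rolled file-integrity baseline and check, illustrating the
# "baseline, then check on a cron job and mail the result" workflow the
# reply describes for tripwire. Assumes POSIX sh, find and sha256sum
# (coreutils); paths containing whitespace are not handled.

# baseline DIR DB: record the SHA-256 of every regular file under DIR in DB.
baseline() {
    find "$1" -type f -exec sha256sum {} + > "$2"
}

# check DIR DB: compare DIR against the baseline in DB. Prints one line per
# difference (ADDED/CHANGED/REMOVED path), returns 0 when nothing differs,
# 1 when something does, 2 on usage errors.
check() {
    dir=$1; db=$2
    [ -r "$db" ] || { echo "check: no readable baseline $db" >&2; return 2; }
    now=$(mktemp) || return 2
    find "$dir" -type f -exec sha256sum {} + > "$now"
    # sha256sum prints "<hash>  <path>": field 1 is the hash, field 2 the path.
    diffs=$(awk '
        FILENAME == ARGV[1] { base[$2] = $1; next }
        { cur[$2] = $1 }
        END {
            for (p in cur) {
                if (!(p in base))           print "ADDED " p
                else if (base[p] != cur[p]) print "CHANGED " p
            }
            for (p in base) if (!(p in cur)) print "REMOVED " p
        }' "$db" "$now" | sort)
    rm -f "$now"
    [ -z "$diffs" ] && return 0
    printf '%s\n' "$diffs"
    return 1
}

# Dispatch when run as a script: fim.sh baseline|check DIR DB
# Example nightly crontab entry (assumed paths) that mails any differences
# to root, the way the reply suggests doing with tripwire's cron job:
#   0 3 * * * /usr/local/sbin/fim.sh check /etc /var/lib/fim/etc.db | mail -s "integrity check" root
case "${1:-}" in
    baseline) baseline "$2" "$3" ;;
    check)    check "$2" "$3" ;;
esac
```

Keep the baseline database somewhere the server cannot rewrite in normal operation (read-only media or the separate, more secure host the reply mentions for syslog), otherwise an intruder who alters files can simply re-baseline them.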
