Security Incidents mailing list archives

Re: More rootkit defense


From: Phil Stracchino <alaric () BABCOM COM>
Date: Wed, 28 Mar 2001 15:48:41 -0800

On Wed, Mar 28, 2001 at 06:15:56PM -0500, gabriel rosenkoetter wrote:
> On Tue, Mar 27, 2001 at 10:23:35AM -0800, Phil Stracchino wrote:
> > True, but why not exploit their weaknesses while they're available?
>
> There's always the cockroach/virus principle.
>
> Teach them about chattr (especially with a script that does the work
> for you... hrm, doesn't that sound familiar?), and it'll be
> accounted for next time around.
>
> I don't see why any of this is a substitute for upgrading your name
> servers to a safe version of BIND, running it as an unprivileged
> user, and chroot'ing it.

Oh, I never for one second suggested that it was; merely that it was a
simple additional precaution that the skript-kiddies appear to have
overlooked for now.  If a simple additional precaution against automated
compromise is available, not using it merely because it's not in itself
foolproof and might become ineffective in the future is shortsighted and
foolish.  That's like not bothering to lock the door of your house when
you go away on vacation because a burglar might conceivably pick the lock,
or not getting a tetanus booster because it won't protect you against
hepatitis.


> Suggesting you can't afford the outage to upgrade to BIND9 is
> ridiculous considering the outage that rebuilding a machine causes.

Is BIND9 stable yet?  Last time I looked (which was only a few weeks ago),
the cautions on the ISC site gave me the strong impression that it was
considered to be still in beta, supported only a subset of BIND8
functionality, and in general was not recommended for use on production
systems.



--
 Linux Now!   ..........Because friends don't let friends use Microsoft.
 phil stracchino   --   the renaissance man   --   mystic zen biker geek
    Vr00m:  2000 Honda CBR929RR   --   Cage:  2000 Dodge Intrepid R/T
 Previous vr00mage:  1986 VF500F (sold), 1991 VFR750F3 (foully murdered)

