[aleph: feel free to pick out certain points and cut others out]

On Wed, Feb 03, 1999 at 01:50:20AM -0600, Kevin Day <toastyat_private> wrote:
> >
> > Mistakes Made in Incident Response:
> > -----------------------------------
> >
> > 1) Don't log in as root on a machine that most likely has been
> > compromised. Bad things can happen.
> >
> > 2) Don't go around blithely executing binaries. (I feel rather stupid
> > about that)
> >
> > 3) Do *immediately* take the machine offline, and mount the disks on
> > another system for analysis.
>
> If mounting on another system, and your OS supports it, mount with the
> 'noexec' option, to make sure you don't accidentally infect another system, as
> well as the rdonly flag to make sure you don't damage evidence. You may also
> want to consider 'noatime', to keep things really pristine, if you don't go
> 'ro'.
>
>      noexec  Do not allow execution of any binaries on the mounted
>              file system. This option is useful for a server that has
>              file systems containing binaries for architectures other
>              than its own.
>
>
> Kevin

I would like to bring up another big point the author of the original e-mail
forgot: wardialing. No matter how much you port scan, you will find something
that surprises you when you wardial. Honest.

Ok.. there is more than one point in this e-mail:

> 1) Don't log in as root on a machine that most likely has been
> compromised. Bad things can happen.

You have to log in as root to shut down the system. You don't want to 'just
turn it off' since you can lose data.

> 3) Do *immediately* take the machine offline, and mount the disks on
> another system for analysis.

True. Don't forget to mount rdonly,noexec,nosuid,nodev (mentioned above, and
some flags are redundant).

> 1) we have no firewall nor tcpd running, so there is no effective access
> control or access logging. We have incredibly primitive router filtering,
> which eliminates only the most basic of IP-spoofing attacks.
You can install ipf if you are on Solaris. Or get a FreeBSD box with two NICs
and use that as your firewall.

> 6) we did not purchase or implement any Intrusion Detection Software.

[IDS] http://www.l0pht.com/NFR
      http://www.nfr.com

> Not using tripwire cost us a lot, in that a) we had to rebuild every last
> GNU program from source, and b) we did not have it available as a means of
> detecting 'wrongness' on a production system.

Take a look at how FreeBSD/NetBSD/OpenBSD make use of CVS/CVSup to bring you
things like 'make world' or 'make build'.. it will make rebuilding from source
very easy. No GNU though.

Well.. I'll stop here.

-- Yan

I don't have the password .... + Jan Koum
But the path is chainlinked .. | Spelled Jan, pronounced Yan. There.
So if you've got the time .... | Web: http://www.best.com/~jkb
Set the tone to sync ......... + OS: http://www.FreeBSD.org
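The evidence-mounting advice the thread converges on (read-only plus noexec, nosuid, nodev, and noatime), as an added worked example that is not part of the original messages or of any project's code. The script records a hash of the suspect image before touching it, loop-mounts it with those flags, and then checks the kernel's mount table to confirm every flag actually took effect, since a mount option silently dropped by the filesystem driver is exactly the kind of thing an analyst does not notice until a binary on the evidence disk has already run. The image path, the mount point, the Linux mount(8) loop syntax and sha256sum are assumptions for illustration; on FreeBSD you would attach the image with vnconfig/mdconfig first and mount the resulting device with the same flags.

```shell
#!/bin/sh
# Added example, not from the original thread.  Mounts a suspect disk image
# with the flags discussed above and verifies from the kernel's mount table
# that every flag actually took effect.  Image and mount point names are
# illustrative assumptions; Linux mount(8) loop syntax and sha256sum are assumed.

# The option set the thread converges on: read-only plus noexec/nosuid/nodev.
# noatime is kept as well so that a later remount for writing still leaves
# access times alone.
EVIDENCE_OPTS="ro,noexec,nosuid,nodev,noatime"

# evidence_mount IMAGE MOUNTPOINT
#   Records a hash of the image first, so the analyst can later show the
#   evidence was not altered, then loop-mounts it with EVIDENCE_OPTS.
#   Needs root; not exercised by the self-check below.
evidence_mount() {
    image=$1
    mnt=$2
    sha256sum "$image" > "$image.sha256" || return 1
    mkdir -p "$mnt" || return 1
    mount -o "loop,$EVIDENCE_OPTS" "$image" "$mnt"
}

# mount_has_opts MOUNTPOINT REQUIRED_OPTS [MOUNT_TABLE]
#   Exit 0 only if the table entry for MOUNTPOINT carries every option in
#   the comma-separated REQUIRED_OPTS; 1 if an option is missing; 2 if the
#   mount point is not in the table at all.  MOUNT_TABLE defaults to
#   /proc/mounts, but any file in that format can be passed in.
mount_has_opts() {
    mnt=$1
    required=$2
    table=${3:-/proc/mounts}
    opts=$(awk -v m="$mnt" '$2 == m { print $4; exit }' "$table")
    [ -n "$opts" ] || return 2
    for want in $(printf '%s' "$required" | tr ',' ' '); do
        # Surround with commas so "ro" does not match inside "errors=remount-ro".
        case ",$opts," in
            *",$want,"*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# Self-check on a constructed mount table (sample data, not a real system),
# so the script runs offline without root.
sample_table=$(mktemp)
cat > "$sample_table" <<'EOF'
/dev/loop0 /mnt/evidence ext2 ro,nosuid,nodev,noexec,noatime 0 0
/dev/sdb1 /mnt/sloppy ext2 rw,relatime,errors=remount-ro 0 0
EOF
if mount_has_opts /mnt/evidence "$EVIDENCE_OPTS" "$sample_table"; then
    echo "/mnt/evidence: all evidence flags present"
fi
if ! mount_has_opts /mnt/sloppy "$EVIDENCE_OPTS" "$sample_table"; then
    echo "/mnt/sloppy: flags missing, do not analyse on this mount"
fi
rm -f "$sample_table"
```

In practice you run `evidence_mount /cases/box1.img /mnt/evidence` as root and then `mount_has_opts /mnt/evidence "$EVIDENCE_OPTS"` against the live /proc/mounts before opening anything on the disk; a non-zero exit means unmount and fix the options rather than proceed. The check reads the kernel's own view of the mount instead of trusting the options you passed, because that is what protects you if the driver quietly ignored one.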
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:32:25 PDT