On Wed, 3 Feb 1999 08:33:10 -0800 "Jan B. Koum" <jkbat_private> wrote:

> > > 1) Don't log in as root on a machine that most likely has been
> > > compromised. Bad things can happen.
>
> You have to login as root to shutdown the system. You don't
> want to 'just turn it off' since you can lose data.

I guess the rule should be 'Do the minimum necessary as root' and be aware that your normal tools may be trojaned.

> > > 3) Do *immediately* take the machine offline, and mount the disks on
> > > another system for analysis.
>
> True. Don't forget to mount rdonly,noexec,nosuid,nodev
> (mentioned above and some flags are redundant).

Errr... I must be thick! How can you take the machine offline and still have disks mounted on another system? Do you mean physically take the disks and install them in another box or boot up on a CDROM? For Intel-based systems you could reboot the system on a floppy with Trinux or picoBSD.

> > > 1) we have no firewall nor tcpd running, so there is no effective access
> > > control or access logging. We have incredibly primitive router filtering,
> > > which eliminates only the most basic of IP-spoofing attacks.
>
> You can install ipf if you are on solaris. Or get a FreeBSD with
> two nics and use that as your firewall.

We use TAMU's drawbridge. It seems well adapted to a university environment where things are forever changing.

> > > 6) we did not purchase or implement any Intrusion Detection Software.
> > > [IDS]
>
> http://www.l0pht.com/NFR
> http://www.nfr.com

Also the SANS CIDER project at http://www.nswc.navy.mil/ISSEC/CID/ and the Argus IP audit tool at ftp://ftp.sei.cmu.edu/pub/argus - this isn't an intrusion detection system per se, it is an audit tool and I have written some perl scripts that use it for detecting scans etc.

> > > Not using tripwire cost us a lot, in that a) we had to rebuild every last
> > > GNU program from source, and b) we did not have it available as a means of
> > > detecting 'wrongness' on a production system.
I have tried using Tripwire but have never managed to overcome the lack of non-writable media storing the executables and database. Also the amount of work involved in keeping the database up to date is non-trivial in our environment.

Cheers,
Russell.

Computer Security Officer, The University of Auckland, New Zealand.
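The Tripwire point raised above (a baseline of known-good files, kept somewhere the intruder cannot write, checked against the suspect filesystem mounted read-only on a clean host) as an added example. This is not code from the thread and not Russell's or Jan's tools; it is a minimal Tripwire-style checker written for this page. The directory layout, file contents and the "intruder" edits in `demo()` are constructed for illustration.

```python
"""Minimal Tripwire-style integrity baseline and check (added example).

Records a SHA-256 digest, size and permission bits for every regular file
under a root, stores that as JSON, and later reports files that were
added, removed or changed. Run it from a clean host against the suspect
disk mounted ro,noexec,nosuid,nodev; keep the JSON baseline and this
script on read-only media, since anything writable on a compromised box
can be altered along with the binaries it is meant to verify.
"""
import hashlib
import json
import os
import stat
import tempfile


def sha256_file(path, chunk=65536):
    """Stream the file through SHA-256 so large binaries do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root):
    """Map relative path -> {sha256, size, mode} for every regular file under root."""
    baseline = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()  # deterministic traversal order
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            st = os.lstat(full)  # lstat: do not follow symlinks planted by an intruder
            if not stat.S_ISREG(st.st_mode):
                continue  # skip symlinks, devices, sockets, fifos
            rel = os.path.relpath(full, root)
            baseline[rel] = {
                "sha256": sha256_file(full),
                "size": st.st_size,
                "mode": oct(stat.S_IMODE(st.st_mode)),  # catches a new setuid bit
            }
    return baseline


def save_baseline(baseline, path):
    with open(path, "w") as f:
        json.dump(baseline, f, indent=1, sort_keys=True)


def load_baseline(path):
    with open(path) as f:
        return json.load(f)


def compare(old, new):
    """Return sorted lists of paths that were added, removed or changed."""
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    changed = sorted(p for p in set(old) & set(new) if old[p] != new[p])
    return {"added": added, "removed": removed, "changed": changed}


def demo():
    """Constructed scenario: baseline a small tree, then simulate an intruder's edits."""
    root = tempfile.mkdtemp()
    bindir = os.path.join(root, "bin")
    os.makedirs(bindir)
    with open(os.path.join(bindir, "ls"), "wb") as f:
        f.write(b"original ls\n")
    with open(os.path.join(bindir, "ps"), "wb") as f:
        f.write(b"original ps\n")
    with open(os.path.join(root, "passwd"), "wb") as f:
        f.write(b"root:x:0:0::/root:/bin/sh\n")

    # Separate directory stands in for the read-only media holding the database.
    db = os.path.join(tempfile.mkdtemp(), "baseline.json")
    save_baseline(build_baseline(root), db)

    # Intruder: trojans ps (same size, different bytes), drops a setuid
    # shell, and deletes a file. A size-only check would miss the first.
    with open(os.path.join(bindir, "ps"), "wb") as f:
        f.write(b"trojaned ps\n")
    with open(os.path.join(bindir, ".sh"), "wb") as f:
        f.write(b"backdoor\n")
    os.chmod(os.path.join(bindir, ".sh"), 0o4755)
    os.remove(os.path.join(root, "passwd"))

    return compare(load_baseline(db), build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

The comparison is only as trustworthy as the environment it runs in: the Python interpreter, this script and the baseline all need to come from media the suspect host never had write access to, which is exactly the gap Russell describes.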
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:32:37 PDT