Re: No Security is Bad Security:

From: Russell Fulton (r.fultonat_private)
Date: Thu Feb 04 1999 - 12:25:38 PST


    On Wed, 3 Feb 1999 08:33:10 -0800 "Jan B. Koum" <jkbat_private> wrote:
    
    >
    > > 1) Don't log in as root on a machine that most likely has been
    > > compromised. Bad things can happen.
    >
    >         You have to login as root to shutdown the system. You don't
    >         want to 'just turn it off' since you can lose data.
    
    I guess the rule should be 'Do the minimum necessary as root'  and be
    aware that your normal tools may be trojaned.
    
    >
    > > 3) Do *immediately* take the machine offline, and mount the disks on
    > > another system for analysis.
    >
    >         True. Don't forget to mount rdonly,noexec,nosuid,nodev
    > 	(mentioned above and some flags are redundant).
    
    Errr... I must be thick!  How can you take the machine offline and
    still have disks mounted on another system?  Do you mean physically
    take the disks and install them in another box or boot up on a CDROM?
    
    For Intel-based systems you could reboot the system on a floppy with
    Trinux or picoBSD.
    
    >
    > > 1) we have no firewall nor tcpd running, so there is no effective access
    > > control or access logging. We have incredibly primitive router filtering,
    > > which eliminates only the most basic of IP-spoofing attacks.
    >
    > 	You can install ipf if you are on solaris. Or get a FreeBSD with
    > 	two nics and use that as your firewall.
    
    We use TAMU's drawbridge.  It seems well adapted to a university
    environment where things are forever changing.
    
    >
    > > 6) we did not purchase or implement any Intrusion Detection Software.
    > > [IDS]
    >
    > 	http://www.l0pht.com/NFR
    > 	http://www.nfr.com
    
    Also the SANS CIDER project at http://www.nswc.navy.mil/ISSEC/CID/
    and Argus IP audit tool at ftp://ftp.sei.cmu.edu/pub/argus  - this
    isn't an intrusion detection system per se, it is an audit tool and I
    have written some perl scripts that use it for detecting scans etc.
    
    >
    > >
    > > Not using tripwire cost us a lot, in that a) we had to rebuild every last
    > > GNU program from source, and b) we did not have it available as a means of
    > > detecting 'wrongness' on a production system.
    >
    
    I have tried using Tripwire but have never managed to overcome the lack
    of non-writable media storing the executables and database.  Also the
    amount of work involved in keeping the database up to date is non
    trivial in our environment.
    
    Cheers, Russell.
    
    Computer Security Officer, The University of Auckland, New Zealand.
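Added example (not part of the thread or any tool mentioned in it): a small sh function that checks whether an evidence filesystem is mounted with the flags the quoted reply recommends (ro, noexec, nosuid, nodev), reading a /proc/mounts-style table. The mount table below is constructed sample data, and the function name is an assumption.

```shell
#!/bin/sh
# Verify that an evidence disk is mounted read-only and with noexec,nosuid,nodev
# before analysis, as the quoted reply recommends. Input is text in /proc/mounts
# format (device mountpoint fstype options dump pass).

REQUIRED="ro noexec nosuid nodev"

# Usage: check_forensic_mount <mountpoint> <mounts-table-text>
# Prints the result; returns 0 if all flags are present, 1 if any is missing,
# 2 if the mountpoint does not appear in the table.
check_forensic_mount() {
    mp=$1
    table=$2
    opts=$(printf '%s\n' "$table" | awk -v mp="$mp" '$2 == mp { print $4 }')
    [ -n "$opts" ] || { echo "$mp: not mounted"; return 2; }
    missing=""
    for want in $REQUIRED; do
        # Match whole comma-separated tokens only: a naive substring test would
        # let "errors=remount-ro" on a read-write mount satisfy the "ro" check.
        case ",$opts," in
            *",$want,"*) ;;
            *) missing="$missing $want" ;;
        esac
    done
    if [ -n "$missing" ]; then
        echo "$mp: missing$missing"
        return 1
    fi
    echo "$mp: ok ($opts)"
    return 0
}

# Constructed sample table (not a real system).
SAMPLE='/dev/sda1 / ext4 rw,relatime,errors=remount-ro 0 0
/dev/sdb1 /mnt/evidence ext3 ro,nosuid,nodev,noexec,relatime 0 0
/dev/sdc1 /mnt/suspect ext3 rw,relatime,errors=remount-ro 0 0'

check_forensic_mount /mnt/evidence "$SAMPLE" || echo "refusing to analyse /mnt/evidence"
check_forensic_mount /mnt/suspect "$SAMPLE" || echo "refusing to analyse /mnt/suspect"
```

On a live system the table is `cat /proc/mounts`, and the function can be run before any analysis tool touches the disk.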
    