Bugtraq mailing list archives
Re: No Security is Bad Security:
From: jkb () BEST COM (Jan B. Koum)
Date: Wed, 3 Feb 1999 08:33:10 -0800
[aleph: feel free to pick out certain points and cut others out]

On Wed, Feb 03, 1999 at 01:50:20AM -0600, Kevin Day <toasty () HOME DRAGONDATA COM> wrote:

> Mistakes Made in Incident Response:
> -----------------------------------
>
> 1) Don't log in as root on a machine that most likely has been
>    compromised. Bad things can happen.
>
> 2) Don't go around blithely executing binaries. (I feel rather stupid
>    about that)
>
> 3) Do *immediately* take the machine offline, and mount the disks on
>    another system for analysis.
>
> If mounting on another system, and your OS supports it, mount with the
> 'noexec' option, to make sure you don't accidentally infect another
> system, as well as the rdonly flag to make sure you don't damage
> evidence. You may also want to consider 'noatime', to keep things
> really pristine, if you don't go 'ro'.
>
>      noexec  Do not allow execution of any binaries on the mounted
>              file system. This option is useful for a server that
>              has file systems containing binaries for architectures
>              other than its own.
>
> Kevin
I would like to bring up another big point the author of the original email forgot: wardialing. No matter how much you port scan, you will find something that surprises you when you wardial. Honest.

Ok.. there is more than one point in this email:

> 1) Don't log in as root on a machine that most likely has been
>    compromised. Bad things can happen.
You have to login as root to shutdown the system. You don't want to 'just turn it off' since you can lose data.

> 3) Do *immediately* take the machine offline, and mount the disks on
>    another system for analysis.

True. Don't forget to mount rdonly,noexec,nosuid,nodev (mentioned above, and some flags are redundant).
> 1) we have no firewall nor tcpd running, so there is no effective
>    access control or access logging. We have incredibly primitive
>    router filtering, which eliminates only the most basic of
>    IP-spoofing attacks.

You can install ipf if you are on Solaris. Or get a FreeBSD with two NICs and use that as your firewall.
> 6) we did not purchase or implement any Intrusion Detection Software.
>    [IDS]

http://www.l0pht.com/NFR
http://www.nfr.com
> Not using tripwire cost us a lot, in that a) we had to rebuild every
> last GNU program from source, and b) we did not have it available as
> a means of detecting 'wrongness' on a production system.

Take a look at how FreeBSD/NetBSD/OpenBSD make use of CVS/CVSup to bring you things like 'make world' or 'make build'.. it will make rebuilding from source very easy. No GNU though.

Well.. I'll stop here.

-- Yan

I don't have the password .... + Jan Koum
But the path is chainlinked ..  | Spelled Jan, pronounced Yan. There.
So if you've got the time ....  | Web: http://www.best.com/~jkb
Set the tone to sync ......... + OS: http://www.FreeBSD.org
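The Tripwire point in the message above (no baseline meant rebuilding every binary from source and no way to detect 'wrongness') is worth seeing in miniature. The script below is an added example, not code from this thread and not Tripwire itself: it records a SHA-256 digest, permission bits, owner and size for every regular file under a directory, stores that as a baseline, and on a later run reports files that were added, removed or changed, naming which fields differ. The script name `fic.py`, the command names `init`/`check` and the file names used in the comments are assumptions for illustration.

```python
#!/usr/bin/env python3
"""Tripwire-style file integrity baseline and check (added example, not
from the Bugtraq thread or from Tripwire).

Usage:  fic.py init  ROOT BASELINE.json    # run on a known-clean system
        fic.py check ROOT BASELINE.json    # run later; exits 1 on any change

Keep the baseline (and this script) on read-only media off the host:
a baseline an intruder can rewrite detects nothing.
"""
import hashlib
import json
import os
import stat
import sys
from pathlib import Path

CHUNK = 1 << 16


def fingerprint(path: Path) -> dict:
    """Content digest plus the metadata a trojaned binary usually changes.
    Size is recorded too, but a padded replacement can keep the size
    identical, which is why the digest is the real check."""
    st = path.lstat()
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return {
        "sha256": h.hexdigest(),
        "mode": stat.S_IMODE(st.st_mode),          # includes setuid/setgid bits
        "setuid": bool(st.st_mode & stat.S_ISUID),
        "uid": st.st_uid,
        "size": st.st_size,
    }


def scan(root) -> dict:
    """Map path-relative-to-root -> fingerprint for every regular file."""
    root = Path(root)
    result = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue  # symlinks, sockets and devices are not hashed here
            result[str(p.relative_to(root))] = fingerprint(p)
    return result


def save_baseline(root, baseline_file) -> int:
    """Write the baseline as sorted JSON; returns the number of files recorded."""
    entries = scan(root)
    Path(baseline_file).write_text(json.dumps(entries, sort_keys=True, indent=1))
    return len(entries)


def compare(baseline: dict, current: dict) -> dict:
    """Diff two scans. 'modified' maps each changed path to the fields that differ."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = {}
    for rel in sorted(set(baseline) & set(current)):
        changed = [k for k in baseline[rel] if baseline[rel][k] != current[rel].get(k)]
        if changed:
            modified[rel] = changed
    return {"added": added, "removed": removed, "modified": modified}


def check(root, baseline_file) -> dict:
    """Rescan root and compare it against a stored baseline."""
    baseline = json.loads(Path(baseline_file).read_text())
    return compare(baseline, scan(root))


if __name__ == "__main__":
    if len(sys.argv) != 4 or sys.argv[1] not in ("init", "check"):
        sys.exit(__doc__)
    _, cmd, root, baseline_file = sys.argv
    if cmd == "init":
        print(f"recorded {save_baseline(root, baseline_file)} files")
    else:
        report = check(root, baseline_file)
        print(json.dumps(report, indent=1))
        sys.exit(1 if any(report.values()) else 0)
```

Two caveats that matter in practice: the baseline must be taken before the machine is exposed (a baseline taken after a compromise just enshrines the rootkit), and both baseline and checker must live somewhere the host cannot write, otherwise an intruder who replaces /bin/ls can regenerate the baseline in the same sitting. Run the check from the clean analysis system against the read-only mounted disk, not from the suspect host's own binaries.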
Current thread:
- No Security is Bad Security: John \ (Feb 02)
- More oshare testing. C.J. Oster (Feb 02)
- Re: More oshare testing. Jeff Roberson (Feb 03)
- Re: No Security is Bad Security: com-nospam () CCRAIG ORG (Feb 04)
- Re: More oshare testing. Alan Cox (Feb 04)
- Re: More oshare testing. Cristiano Lincoln Mattos (Feb 05)
- Re: More oshare testing. Dariusz Zmokly (Feb 04)
- Re: More oshare testing. Jeff Roberson (Feb 03)
- Re: No Security is Bad Security: Kevin Day (Feb 02)
- Re: No Security is Bad Security: Jan B. Koum (Feb 03)
- Re: No Security is Bad Security: Russell Fulton (Feb 04)
- Re: No Security is Bad Security: Jan B. Koum (Feb 03)
- Re: No Security is Bad Security: ecx (Feb 04)
- Update on w00w00 article (bug report) Shok (Feb 04)
- <Possible follow-ups>
- Re: No Security is Bad Security: Donald Moore (Feb 04)
- Re: No Security is Bad Security: der Mouse (Feb 04)
- Re: No Security is Bad Security: Taral (Feb 04)
- Re: No Security is Bad Security: Scott (Feb 04)
- More oshare testing. C.J. Oster (Feb 02)