Re: [linux-security] Re: Bind Overrun Bug and Linux (fwd)
- From: Shaun <shaun lexicom ab ca>
- To: linux-security redhat com
- Subject: Re: [linux-security] Re: Bind Overrun Bug and Linux (fwd)
- Date: Mon, 25 May 1998 09:27:27 -0600 (MDT)
> > For example, LRK config defaults:
> > /dev/ttyp*
> > These files are quite noticeable, as *no* files in /dev/ should be of type
> > f (regular file) except MAKEDEV. They should be of only type: c/b/s. A
> > simple 'find /dev -type f' will report all of the regular file types.
>
> On the other hand, don't presume that your attacker is totally inept
> and will therefore stay with the LRK defaults; I have seen a case
> where the config files were changed to /usr/lib/lib[pqrs].o for
> example.
I was writing under the assumption that the person you are dealing with is
a mere rootshell kid. Hiding a file is easy, there are many places to put
it without being noticed. But it seems most hackers enjoy putting things
in the default place, maybe they are too stupid or lazy?
I like to keep a recursive ls -lR on hand, and diff that nightly too with
a master copy. These little things are good prevention tools.
If your hacker is not totally inept, then I think it is fair to say
that you have more of a problem than just LRK.
On a side note, many people rely on firewalls too much. This gives them a
false sense of security. I still believe that you must incorporate both
local and remote security of machines to have them truly (partially?)
secure. It's a given fact that most machines behind the firewall are open
to connect to each other without any intervention. If the person you are
dealing with is crafty, he will attack the weakest link on the network,
and that is where most bigger organizations fall, i.e. .edu sites.
Personally, I like to also secure the box locally, removing the unused
suid binaries, shutting services down, sticking to an SSH only policy.
All these little things help.
Oh well, Regards. :)
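The two checks discussed in this thread, the nightly listing diffed against a master copy and the 'find /dev -type f' test, as an added shell example that is not part of the original message. It runs only against a scratch tree built by make_fixture (a stand-in for /dev that contains no device nodes, since creating those needs root); the function names, the fixture layout and the planted file name are my own choices. Unlike a raw ls -lR, the snapshot records permissions and size but not timestamps, so routine atime/mtime churn does not drown the diff.

```shell
#!/bin/sh
# Added example, not from the original post. Exercises the ideas from the
# thread on a constructed scratch tree; nothing here touches the real /dev.

# snapshot DIR: one line per path (perms, size-or-dash, path), sorted so
# two snapshots of the same tree diff cleanly. Assumes no newlines in names.
snapshot() {
    find "$1" -print | LC_ALL=C sort | while IFS= read -r p; do
        perms=$(ls -ld "$p" | awk '{print $1}')
        size=-
        # size only matters for regular files; symlinks stay as link entries
        if [ -f "$p" ] && [ ! -L "$p" ]; then
            size=$(wc -c < "$p" | tr -d ' ')
        fi
        printf '%s %s %s\n' "$perms" "$size" "$p"
    done
}

# check_tree DIR BASELINE: 0 if DIR still matches BASELINE, else prints the
# diff and returns 1. The 'if' keeps a non-zero diff from tripping set -e.
check_tree() {
    if snapshot "$1" | diff "$2" -; then
        return 0
    else
        return 1
    fi
}

# stray_regular_files DIR: the 'find /dev -type f' check, with MAKEDEV as the
# one regular file the post says is expected there.
stray_regular_files() {
    find "$1" -type f ! -name MAKEDEV
}

# make_fixture: builds a throwaway directory shaped like a minimal /dev
# (constructed test data) and prints its path.
make_fixture() {
    fx_dir=$(mktemp -d) || return 1
    printf '#!/bin/sh\n' > "$fx_dir/MAKEDEV"
    chmod 755 "$fx_dir/MAKEDEV"
    mkdir "$fx_dir/pts"
    ln -s /proc/self/fd "$fx_dir/fd"
    printf '%s\n' "$fx_dir"
}

# demo: take a baseline, plant a regular file where none belongs, and show
# that both checks catch it. Cleans up after itself.
demo() {
    d=$(make_fixture)
    snapshot "$d" > "$d.base"
    echo "baseline taken for $d"
    : > "$d/ttyp0"          # simulated stray regular file (constructed)
    echo "regular files besides MAKEDEV:"
    stray_regular_files "$d"
    echo "diff against baseline:"
    check_tree "$d" "$d.base" || echo "tree changed since baseline"
    rm -rf "$d" "$d.base"
}

demo
```

In practice the baseline belongs somewhere the host cannot alter it (read-only media or another machine), since a listing stored on the compromised box is exactly what the config-file relocation mentioned above would also be aimed at.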