On Sat, 27 Nov 1999 22:42:21 GMT, Antonomasia <ant notatla demon co uk> wrote:

>From: Wade Maxfield <maxfield ctelcom net>
>> In one case I saw, a perp deleted /etc/hosts.deny, ran adduser to create
>> user rewt, then telnetted into the system. /etc/hosts.deny is now "chattr
>> -i". What stopped the perp in that case was that /etc/skel/.bashrc had an
>> exit at the end of the script. He was immediately logged out and went
>> away. He was using the buffer overflow in named 4.9.6 to do it.
>
>Was that "chattr +i" ? What difference does it make against root ?

Multiple redundant security measures, even not entirely effective ones, can stop casual attackers. It would not stop someone who really wanted _your_ box. This comes down to the question of what you're trying to protect: do you want security enough to keep people out, no matter what the cost, or only enough to make people with short attention spans give up and move on to the next target?

If you have an attacker who is determined enough to attack daemons with custom machine code (custom enough to cope with not having a /bin/sh, a telnetd or similar access protocol, chattred files everywhere, stripped down libc.so, and to figure out how to get all this through a restrictive firewall), then trivial measures such as /etc/hosts.deny won't help you.

I have found from personal experience that most attackers who do penetrate a daemon are unable to cope with non-trivial routing and firewall rules afterwards, even though all this stuff can be controlled from the root account which they just compromised, and the configuration is not very complicated (basically two ethernet cards and IP masq is too hard for most intruders to understand, especially if eth0 is on the inside).

It is very expensive to keep a determined attacker out of your machine. You would have to strip the box of anything that didn't contribute directly to functionality or security, and employ external measures such as code review (have you read your Linux kernel sources lately?), content-filtering firewalls, and dedicated human monitoring as well.

--
I don't speak for Corel.
zygob corel ca at work, zblaxell furryterror org at play.
GPG-encrypted email preferred at zblaxell feedme hungrycats org
GPG fingerprint: 2B32 546D 21A5 0DB2 20C8 AF10 1D4A 610E 6972 2DEE
GPG public key: http://www.hungrycats.org/~zblaxell/gpg-public.txt
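Added example (not part of the original post or thread): a small shell audit of two of the layered controls discussed above, checking that protected files such as /etc/hosts.deny are still present and immutable, and that no account like "rewt" has appeared since a baseline. The list of protected paths and all sample lsattr/passwd data are constructed assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Audits two of the layered
# controls discussed: protected files still present and immutable, and no
# unexpected accounts (the post's "adduser rewt"). Inputs are constructed.

# Paths the defender expects to exist with the immutable flag (assumption).
PROTECTED="/etc/hosts.deny /etc/hosts.allow /etc/skel/.bashrc"

# check_immutable LISTING: LISTING holds `lsattr` output lines of the form
# "----i--------e------- /etc/hosts.deny". Prints MISSING for a protected
# path absent from the listing (deleted) and MUTABLE for one listed without
# the 'i' flag (chattr -i was run). Returns 1 if anything was reported.
check_immutable() {
    listing=$1; rc=0
    for f in $PROTECTED; do
        status=$(awk -v p="$f" \
            '$2 == p { print (index($1, "i") ? "ok" : "MUTABLE"); found = 1 }
             END { if (!found) print "MISSING" }' "$listing")
        [ "$status" = ok ] || { echo "$status $f"; rc=1; }
    done
    return $rc
}

# check_accounts BASELINE CURRENT: compares two passwd files. Prints NEW for
# accounts absent from the baseline and UID0 for any uid-0 account other
# than root. Returns 1 if anything was reported.
check_accounts() {
    base=$1; cur=$2; rc=0
    for u in $(awk -F: 'NR == FNR { seen[$1] = 1; next } !($1 in seen) { print $1 }' "$base" "$cur"); do
        echo "NEW $u"; rc=1
    done
    for u in $(awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$cur"); do
        echo "UID0 $u"; rc=1
    done
    return $rc
}

# Constructed sample data: hosts.deny has been deleted, .bashrc lost its
# flag, and an account "rewt" with uid 0 appeared after the baseline.
TMP=$(mktemp -d); trap 'rm -rf "$TMP"' EXIT
printf '%s\n' '----i--------e------- /etc/hosts.allow' \
              '-------------e------- /etc/skel/.bashrc' > "$TMP/lsattr.txt"
printf '%s\n' 'root:x:0:0:root:/root:/bin/sh' 'daemon:x:1:1::/usr/sbin:/bin/sh' > "$TMP/passwd.base"
printf '%s\n' 'root:x:0:0:root:/root:/bin/sh' 'daemon:x:1:1::/usr/sbin:/bin/sh' \
              'rewt:x:0:0::/home/rewt:/bin/sh' > "$TMP/passwd.cur"

check_immutable "$TMP/lsattr.txt" || echo "file check failed"
check_accounts "$TMP/passwd.base" "$TMP/passwd.cur" || echo "account check failed"
```

On a real host the listing would come from `lsattr` over the protected paths and the baseline from a copy of /etc/passwd taken at install time; the checks only report, they do not change anything.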