Re: possible compromise or just misreading logs

From: Dorin H (bj93542_at_yahoo.com)
Date: 12/08/03

Next message: Petri Riihikallio: "Re: LKM support (Was: Re: possible compromise or just misreading logs)"

Previous message: Damian Gerow: "LKM support (Was: Re: possible compromise or just misreading logs)"
In reply to: Craig Riter: "possible compromise or just misreading logs"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Date: Mon, 8 Dec 2003 11:23:35 -0800 (PST)
To: Craig Riter <criter@riter.com>

Hi there,
About file integrity check (only one piece of the
puzzle, but a necessary one):

Use aide (last tripwire is yet to be updated -do not
compile-, see maintainer work).
To prevent the mentioned attacks, keep your hashes OFF
your box. To compute/verify hashes, always boot from a
secure live cd.
Downside: you have to do this at each update. To
maintain the level of security, try something like:

1. boot secure cd
2. verify the hashes by comparing to the last version
from the external source (use a log, better than
override previous hashes).
3. If ok, do the update (have your sources downloaded
locally before and verified; the FreeBSD online update
system is yet to be secured: see list discussion)
[Paranoia: 4.boot again your safe cd and recompute &
save the new hashes]
4. Recompute the new hashes and save them externally.

Add-on. You should do this offline to remove the
window of opportunity in step 3, while updating the
tracked files.

Hope this helps,
/Dorin.

PS. If you have a Web server, I'd rather start by add
at least some kind of firewall and an external syslog
before thinking og the file integrity check anyway.

> Second, what are people using for intrusion
> detection? This is something I
> have thought about but never really thought I
> needed until now.
>

__________________________________
Do you Yahoo!?
Free Pop-Up Blocker - Get it now
http://companion.yahoo.com/
_______________________________________________
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"

Next message: Petri Riihikallio: "Re: LKM support (Was: Re: possible compromise or just misreading logs)"

Previous message: Damian Gerow: "LKM support (Was: Re: possible compromise or just misreading logs)"
In reply to: Craig Riter: "possible compromise or just misreading logs"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Relevant Pages

Re: Making a weak Hash stronger until a fix comes along -- concatenation of hash functions...
... > The code relating to using the hashes would have to be rewritten, ... Better idea, use Whirlpool or SHA-512, or SHA-256, or any other secure one, ...
(sci.crypt)
Re: SHA-1 broken
... I might actually say that a concatenation of two hashes ... is very secure if the two hashes are sufficiently different. ... Although MD5 and SHA1 are reasonably similar, ...
(Bugtraq)