Re: Have I been kitted?

From: Matthew Berg (galt@gothpoodle.com)
Date: 06/16/02


From: Matthew Berg <galt@gothpoodle.com>
To: Justin Coffey <justin@websocietyinc.com>
Date: 16 Jun 2002 10:18:09 -0400

On Thu, 2002-06-13 at 20:33, Justin Coffey wrote:
>
> > One thing I forgot to mention in my last mail - I have seen an attacker
> > be tricky enough to set up firewall rules that only allowed their
> > machine to connect to their backdoor, so it wouldn't show up on a scan.
>
> Well, you can always fix that by replacing your kernel with a Known Good
> One (tm) that has ip filtering/tables/chains/whatever disabled and no
> loadable module support. I recommend canning loadable module support
> anyway, on any sort of server (it's not like you're going to change the
> hardware config that often...)

Yeah, I was mentioning it more as a possible scenario where a machine
would show all ports filtered to a security scan, but still be open to a
hacker, and I was looking for ways to detect this :)

As I mentioned, another way to confirm you're getting valid information
would be to check for consistency of the kernel symbol table against the
System.map. I have something of an aversion to rebooting a machine
suspected of compromise simply because some backdoors may not start on a
reboot (either by design or by accident).

And honestly the chance of a compromise of this sort isn't high enough
for me to lose the benefits of a single module-enabled kernel across all
my machines. No, I may not change hardware on an individual machine all
that often, but taking the entire server pool into account, I have three
different SCSI drivers, three different NIC drivers, etc, etc, and
that's even with the majority of our hardware being from the same
vendor.

Granted, priorities might be different on other people's networks. But
the risk of having loadable modules enabled is fairly small so long as
you keep up to date on all relevant patches, filter any and all traffic
down to the bare minimum, keep machines private that don't need to be
publicly accessible, and perform regular audits.

Matt
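The symbol-table consistency check Matt mentions above, worked through as an added example that is not part of the original thread. The script parses a System.map and a live kernel symbol listing (/proc/kallsyms on 2.6 and later; the two-column /proc/ksyms format of 2.4-era kernels is also accepted), works out the common load offset so that a KASLR-relocated kernel is not reported as wholly inconsistent, and flags any symbol whose live address does not follow that offset. The sample tables, the symbol names in them and the module name `hide_me` are constructed for the demonstration; the modal-offset handling is an assumption of this example, not something the thread describes.

```python
"""Compare a kernel's live symbol table against its System.map.

Added example (not from the original thread). Sample data below is
constructed; on a real host run the script directly and it reads
/proc/kallsyms and /boot/System.map-<release> instead.
"""
import os
import platform
from collections import Counter
from typing import Dict, List, Tuple

# Constructed System.map: addresses and names are invented for the demo.
SYSTEM_MAP = """\
ffffffff81000000 T _text
ffffffff81200000 T sys_read
ffffffff81200100 T sys_write
ffffffff81200200 T sys_getdents64
ffffffff81200300 T sys_open
ffffffff82000000 D sys_call_table
"""

# Constructed live listing: the kernel was relocated by 0x2000000 (a
# KASLR-style slide) and one symbol no longer follows that slide.
LIVE_KALLSYMS = """\
ffffffff83000000 T _text
ffffffff83200000 T sys_read
ffffffff83200100 T sys_write
ffffffffc0100040 T sys_getdents64
ffffffff83200300 T sys_open
ffffffff84000000 D sys_call_table
ffffffffc0000000 t hide_me_init\t[hide_me]
"""


def parse_symbols(text: str) -> Dict[str, int]:
    """Map symbol name -> address.

    Accepts 'addr type name [module]' (System.map, /proc/kallsyms) and
    'addr name [module]' (/proc/ksyms on 2.4). Symbols that belong to a
    loaded module have no System.map counterpart and are skipped, as are
    absolute ('A') symbols and addresses zeroed by kptr_restrict.
    """
    symbols: Dict[str, int] = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue
        if len(parts) >= 3 and len(parts[1]) == 1:   # three-column format
            addr, sym_type, name = parts[0], parts[1], parts[2]
            module = parts[3] if len(parts) > 3 else None
        else:                                        # two-column 2.4 format
            addr, sym_type, name = parts[0], "", parts[1]
            module = parts[2] if len(parts) > 2 else None
        if module or sym_type == "A":
            continue
        try:
            value = int(addr, 16)
        except ValueError:
            continue
        if value == 0:
            continue
        symbols.setdefault(name, value)              # keep first of any alias
    return symbols


def compare_symbols(system_map: Dict[str, int],
                    live: Dict[str, int]) -> Tuple[int, List[Tuple[str, int, int]]]:
    """Return (common load offset, [(name, map_addr, live_addr), ...]).

    The offset is the most frequent (live - map) difference over shared
    symbols, so a uniformly relocated kernel yields no mismatches; any
    symbol that deviates from that offset is reported for inspection.
    """
    common = [name for name in live if name in system_map]
    if not common:
        return 0, []
    offsets = Counter(live[n] - system_map[n] for n in common)
    slide = offsets.most_common(1)[0][0]
    mismatches = [(n, system_map[n], live[n])
                  for n in sorted(common) if live[n] - system_map[n] != slide]
    return slide, mismatches


def report(system_map_text: str, live_text: str) -> List[str]:
    """Human-readable lines describing the comparison result."""
    slide, bad = compare_symbols(parse_symbols(system_map_text), parse_symbols(live_text))
    lines = [f"common load offset: {slide:#x}"]
    for name, expected, actual in bad:
        lines.append(f"MISMATCH {name}: System.map {expected:#x}, live {actual:#x}")
    if not bad:
        lines.append("all shared symbols consistent with System.map")
    return lines


if __name__ == "__main__":
    map_path = f"/boot/System.map-{platform.release()}"
    if os.path.exists(map_path) and os.path.exists("/proc/kallsyms"):
        with open(map_path) as m, open("/proc/kallsyms") as k:
            print("\n".join(report(m.read(), k.read())))
    else:
        print("\n".join(report(SYSTEM_MAP, LIVE_KALLSYMS)))
```

On the constructed data the script reports a common offset of 0x2000000 and one mismatch, `sys_getdents64`, whose live address points outside the relocated kernel image. The result is only as trustworthy as the interface it reads: a kernel-resident backdoor can filter what /proc reports, which is exactly why Matt treats this as one consistency check among several rather than as proof. Compare a System.map copied from a known-good build of the same kernel, not one read off the suspect machine.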


