Re: Have I been kitted?

From: Matthew Berg (galt@gothpoodle.com)
Date: 06/27/02


From: Matthew Berg <galt@gothpoodle.com>
To: Justin Coffey <justin@websocietyinc.com>
Date: 27 Jun 2002 08:47:36 -0400

On Tue, 2002-06-18 at 14:35, Justin Coffey wrote:
 
> This is totally valid. It just sort of depends on what your agenda is
> upon discovery of a compromise. I know it's not always the best practice,
> but I generally just try to expel them as quickly as possible and then
> make sure they can't get back in as best I can.

It's definitely dependent on the situation. If you've reason to believe
the compromise may lead to data loss, data leak, or further compromises
I would definitely say get the hacker out ASAP. Though I would be more
prone to simply yanking the network cable if it's feasible.

Ideally you would always have a chance to study the suspicious
connection, remove the machine from production, study the compromise,
back up the data, reinstall, and only put it back into production when
you're comfortable that the machine is secure. But I definitely
understand that this isn't necessarily possible in the real world, where
a server going offline would cause an interruption of service. :)
 
> Personally, I just keep multiple precompiled kernels, with their
> corresponding System.map files lying around. On our network we have 3
> different SCSI cards and two different NICs. I keep 3 kernels (one for
> each SCSI card with two NIC drivers enabled). And of course, that's no
> substitute for having an up to date box. We have the luxury of having a
> security guy here (well he just came on board), whose primary task is just
> making sure we're secure (not other sys admin maintenance/install duties).

Yeah, it's not that huge an issue building a few different kernels. But
all in all I find my time is better spent at things other than building
and packaging multiple kernels, tracking what machines get which, and
trying to massage our roll out system to handle multiple variants of the
same version of the same package.

We're just reaching the end of migrating every Intel machine to the
exact same platform, exact same base package list, same exact additional
packages based on machine class (e.g. smtp server, web server), etc,
etc. And to be honest, I like that I can update all of them from the
same packages without having to worry about whether this one gets
version A of the package, or that one gets version B of the package. :)

Matt
