Re: Commonly Trojaned Linux services
From: CJ (hah@notonyerlife.com) Date: 03/22/02
- Next message: Nick Battle: "Re: change password"
- Previous message: Anders Larsen: "Re: kapm_idled"
- Maybe in reply to: CJ: "Commonly Trojaned Linux services"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: "CJ" <hah@notonyerlife.com> Date: Fri, 22 Mar 2002 10:17:15 GMT
"Dave Wreski" <dave@guardiandigital.com> wrote in message
news:3C93BA08.11047988@guardiandigital.com...
>
> > > Why not just use AIDE? Run a --check every night at $midnight and every day
> > > just before your daily security upgrade process, then a --init immediately
> > > afterwards.
> >
> > Running one check a day is not good enough for my purposes. The reason I wrote
> > the script was to have a very fast, very small checking utility. It runs once a
> > minute. Anything longer than that and a hacker could notice it running and stop
> > it. If you are checking once a day, the hacker probably has about 12 hours to
> > get the system to send you a dummy report indicating everything is ok.
>
> Who's going to do all the administration involved with checking the
> reports so frequently? It sounds like what you might need is a way to
> prevent the filesystem from being modified in the first place.
>
> I'm one of the developers of EnGarde Secure Linux, which includes
> kernel-level ability to prevent files from being modified in the first
> place, as well as open source Web-based tripwire to double-check just in
> case. It was designed to solve this particular problem.
>
> You can find more information at http://www.engardelinux.org.
>
> > It runs on a "trust no one" principle and it even uses its own smtp client.
>
> EnGarde uses postfix, and a web-based management system over SSL to
> administrate it.
>
> Best,
> Dave
>
> --
> Dave Wreski
> Corporate Manager Guardian Digital, Inc.
> (201) 934-9230 Pioneering. Open Source. Security.
> dave@guardiandigital.com http://www.guardiandigital.com
There is no administration of reports unless there is a problem. The script runs
in the background and only sends "panic" emails.
As for modifying files in the first place, I've managed to get root mounted
read-only, which should prevent a lot of problems.
This script is in turn watched by another script (lol) which does regular
checks to ensure that the network device is up, httpd is running, etc.
Thanks for the thoughts though Dave.
CJ
--------------------------------------------------------------------------
Year 2000 never bothered me.
It's year 65536 that I'm worried about
--------------------------------------------------------------------------
H4x0R : I'm way cooler than you! I got 40 scrypts that can kill yer machine
sysop : Heh! Yeah right!
w33n3r: Yeah. I can nail you from here man ... gimme your ip and you're toast!
l4m3rz: Yeah .. we rock .. we're gonna fry your machine
sysop : Ok, I dare ya ... My ip is 127.0.0.1
H4x0R : ##Disconnected##
w33n3r: ##Disconnected##
l4m3rz: ##Disconnected##