Re: Feedback solicited - best way to harden a mail/web server?

From: Alan Frame (alan.frame@acm.org)
Date: 12/29/02


From: alan.frame@acm.org (Alan Frame)
Date: Sun, 29 Dec 2002 11:20:24 +0000

Jim Levie <jim@entrophy-free.net> wrote:

[Snip lots of good stuff]

> Case in point... There was a recent security advisory for
> the Sendmail distribution. Someone broke in and inserted a trojan into the
> source distribution. There were two ways to avoid being bitten. One was to
> verify the download via the published signatures (which weren't compromised
> and is always a good idea) and the other was to simply not execute the build
> as root. The trojan was installed as a part of the build process and if you
> did that as root...

3. Don't build on an internet-routed box[0] - IIRC the trojan only
affected the build box, not any boxen where the binary was deployed.

Or even simpler:
4. Don't let random internal boxes open random UDP connections to the
outside - Egress filtering saves the day - again!

rgds, Alan
[0] q.v. the recent Apache/SSL worm - don't leave gcc sitting around on
your webserver...

-- 
99 Ducati 748BP, 95 Ducati 600SS, 81 Guzzi Monza, 74 MV Agusta 350
"Ride to Work, Work to Ride" SI# 7.067 DoD#1930 PGP Key 0xBDED56C5

