Re: securing system after giving away root password

From: Huge (huge_at_ukmisc.org.uk)
Date: 09/20/05


Date: 20 Sep 2005 08:06:11 GMT

matt_left_coast <not@chance.org> writes:
>Huge wrote:
>
>> "Tuncay Sari" <no@spam.net> writes:
>>
>> [13 lines snipped]
>>
>>>How can I check that they ONLY changed some network files? How can I know
>>>they didn't install any software infringing linux security? Or copied my
>>>programs?
>>
>> You can't.
>>
>>>
>>>Of course I'll have a detailed look at any entries in /var/log. But what
>>>else can I do?
>>
>> Tripwire the machine in advance.
>>
>>
>
>It may well be that even if you have tripwire running, you can not be sure
>if you were not exploited. The person that has root could do ANYTHING they
>want, including editing tripwire logs, re-running tripwire to think that a
>rootkitted system is the way everything has ever been. Even if you have it
>configured to send out Email, that could be prevented.
>
>One of the best things to do, in advance, is to have a remote log server and
>have all logs, including sudo logs sent to a totally different server. Then
>don't give out root, but only sudo and an end user password. Anything that
>is done would be logged in such a way that the person could not alter the
>logs....

And all they have to do is bring the machine up standalone and your remote
logging's worth squat.

-- 
       "The road to Paradise is through Intercourse."
        [email me at huge [at] huge [dot] org [dot] uk]
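An added illustration of the "tripwire in advance" advice and the objection that whoever holds root can simply re-run it (example code, not from this thread or from Tripwire itself): a minimal file baseline whose manifest is keyed with an HMAC secret kept on another machine, so a baseline regenerated on the compromised host without that secret is rejected. Function names, the key and the sample tree are constructed for the demo.

```python
import hashlib, hmac, json, os, tempfile

def hash_tree(root):
    """{relative path: sha256 hex} for every regular file under root."""
    digests = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.isfile(path) and not os.path.islink(path):
                with open(path, "rb") as fh:
                    digests[os.path.relpath(path, root)] = hashlib.sha256(fh.read()).hexdigest()
    return digests

def make_baseline(root, key):
    """Taken before root is handed out; key and result are kept off this host."""
    files = hash_tree(root)
    body = json.dumps(files, sort_keys=True).encode()
    return {"files": files, "hmac": hmac.new(key, body, hashlib.sha256).hexdigest()}

def verify(root, baseline, key):
    """Returns (baseline_authentic, {modified, added, removed})."""
    body = json.dumps(baseline["files"], sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, baseline["hmac"]):
        return False, {}  # baseline regenerated without the off-host key
    old, now = baseline["files"], hash_tree(root)
    return True, {"modified": sorted(p for p in old if p in now and old[p] != now[p]),
                  "added": sorted(p for p in now if p not in old),
                  "removed": sorted(p for p in old if p not in now)}

def write(root, rel, text):  # helper for the constructed sample tree
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as fh:
        fh.write(text)

def demo():
    """Constructed tree: baseline, then changes made after root was given away."""
    key = b"constructed key, held on a different machine"
    with tempfile.TemporaryDirectory() as root:
        write(root, "etc/hosts", "127.0.0.1 localhost\n")
        write(root, "etc/motd", "welcome\n")
        baseline = make_baseline(root, key)
        write(root, "etc/hosts", "127.0.0.1 localhost\n10.0.0.5 fileserver\n")
        write(root, "usr/local/bin/newtool", "#!/bin/sh\n")
        os.remove(os.path.join(root, "etc/motd"))
        ok, changes = verify(root, baseline, key)
        # someone with root re-running the baseline lacks the key, so the forgery is rejected
        forged_ok, _ = verify(root, make_baseline(root, b"guess"), key)
    return ok, changes, forged_ok
```

The comparison is only as trustworthy as the system running it: as the thread notes, root can do anything on a live host, so run the check from trusted boot media against the mounted disk rather than from the possibly altered installation.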

