Re: How do I protect against rootkits



"Allison" <fireflyblue@xxxxxxxxx> (06-07-04 08:19:19):

> So, if I protect my services using grsecurity and PaX, the attacker
> cannot compromise any services running on my machine. If I am careful
> not to visit shady websites and not to download email attachments, what
> are the other ways the attacker can compromise my system? I am mostly
> looking at random attacks here (discovering my IP through a portscan
> and finding my machine is vulnerable).

Wrong. As Unruh pointed out already, PaX protects your services from
being compromised by exploiting most well-known bugs (including
buffer/heap overflows and some similar bugs). Grsecurity (which PaX is
part of) provides you with options to strengthen system security (mostly
local), e.g. role-based access control, trusted path execution, chroot
jail restrictions, and so on. Very handy, even for desktops and
workstations where multiple users have access (maybe simultaneously, as
in my case).


> Could OS vulnerabilities be one way? Can people think of other
> ways and how to protect against those?

I don't understand your question, but I guess you are talking about
system vulnerabilities like kernel bugs. You can protect against the
exploitation of certain bugs in user-space (like 'su', 'sudo' or
'cron' bugs) by establishing a well-organized access control system
(where grsecurity or SELinux enter the game). Some bugs become
meaningless when PaX is active. The particular program still crashes,
but it does not lead to system compromise or even information
disclosure.

The story changes for kernel bugs. Some distributions have proven to be
immune against some bugs in the past (like the mremap() bug), but mostly
your system will become insecure if there are known kernel bugs.
Unfortunately, most severe kernel bugs lead to privilege escalation,
even beyond root-level access. You can protect against them by giving
users only as much access as they really need to do their work --
including yourself.


Last, but not least: keep your system up to date. This includes
utilizing your distribution's package manager as much as possible. Many
people rent a root server and then install programs by downloading
their source and compiling it by hand. That's a security hazard, as
those programs don't get updated by the package manager. Don't do
this.


Regards,
E.S.
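As an added example, not part of E.S.'s post, here is a small audit script for the last point above: it finds executables that no package owns, i.e. the hand-compiled programs the package manager will never update. It assumes a Debian-style system with dpkg or an RPM-based system with rpm; on a box with neither, every file is reported as unowned, which is the safe failure mode for an audit.

```shell
#!/bin/sh
# Added example: report executables that are not owned by any package.
# Such binaries were installed by hand (typically under /usr/local or
# /opt) and will not receive security updates from the package manager.
# Assumption: the host uses dpkg (Debian/Ubuntu) or rpm (Fedora/RHEL/SUSE).

# owner_of PATH
# Prints the name of the package owning PATH, or nothing if no package
# claims it (or if no supported package manager is installed).
owner_of() {
    if command -v dpkg >/dev/null 2>&1; then
        # dpkg -S prints "pkg: /path"; it prints nothing and exits 1 for
        # files it does not know about, so the cut yields an empty string.
        dpkg -S "$1" 2>/dev/null | head -n 1 | cut -d: -f1
    elif command -v rpm >/dev/null 2>&1; then
        # rpm -qf prints "file X is not owned by any package" on stdout for
        # unowned files; filter that line so only real package names remain.
        rpm -qf "$1" 2>/dev/null | grep -v 'not owned'
    fi
    # No dpkg or rpm: print nothing, so the caller treats the file as unowned.
}

# unowned_executables DIR...
# Prints every regular, user-executable file below the given directories
# that no package owns, one path per line.
unowned_executables() {
    find "$@" -type f -perm -u+x 2>/dev/null | while read -r f; do
        [ -n "$(owner_of "$f")" ] || echo "$f"
    done
}

# Typical invocation on a server; /usr/local and /opt are where
# "./configure && make install" style builds usually end up.
# unowned_executables /usr/local /opt /usr/bin /usr/sbin
```

Run it as root after an audit window and compare the output against the software you knowingly built yourself; anything else is a candidate for removal or for replacement by a packaged version.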


