Re: Not wanting to send my box to τ Ceti



Hey C.!

Thank you for the recommendation of an IDS. Maybe a stupid question... but can this IDS work in parallel with chkrootkit? Or will one corrupt the other?

C. (http://symcbean.blogspot.com/) wrote:
On Sep 9, 9:58 pm, "tuuttuutt...@xxxxxxx" <tuuttuutt...@xxxxxxx> wrote:
Thanks a lot David!

I started using linux in 1999 (redhat) but I never knew that there
actually was a firewall in the kernel... Never bothered about it either
actually :-)
Learning the chkrootkit output will be quite a nice challenge to tackle I
think.
And yes the 2.3.28.11 is the latest release... Compiling a new kernel
isn't that much of a problem though, I'll check that out this weekend
(nice project :-)

Thanks again for your helpful comments!

David W. Hodgins wrote:
On Tue, 08 Sep 2009 18:10:26 -0400, tuuttuutt...@xxxxxxx
<tuuttuutt...@xxxxxxx> wrote:
-1- firewall, preferably one with all the ports closed as default so I
The kernel has a firewall built-in called netfilter. The tables to control
it can be set up using the iptables command, or you can install a firewall
configuration tool, such as shorewall. Once you configure shorewall, as to
which interface(s) should be filtered, the default is that all inbound new
connections are blocked. There are several GUI applications to simplify
the shorewall configuration, such as webmin.
-2- rootkit detector
chkrootkit, but beware of false positives for the LKM trojan and threads
being reported as hidden processes. Get used to what is normally in the
report, ignore those, and just watch for new additions.
-3- any (on-line) reading about java vulnerabilities on linux. Google
As long as you have the latest version, you should be ok.
Kernel 2.3.28.11 generic
Is this the latest release of linux mint? I'm running Mandriva 2009.1,
using the kernel 2.6.29.6-1 kernel. There have been security updates
for the kernel, recently, so you need to find a newer version, or
possibly switch distributions, to get one.
Regards, Dave Hodgins

I'd second the recommendation of chkrootkit.

If you're that concerned about security, consider using a host IDS
(like tripwire or L5).

There is little scope for intrinsic vulnerabilities in a programming
language (although Java does have some complex and abstract APIs on
top of the network functionality) but there is huge scope for
introducing vulnerabilities in the code written in a particular
language.

C.
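Dave's advice in the quoted message (learn what is normally in the chkrootkit report, ignore it, and watch only for new additions) can be scripted as a baseline diff. This is an added example, not code from anyone in the thread; the file paths in the comments and the two sample reports are constructed stand-ins for real chkrootkit runs.

```shell
#!/bin/sh
# Keep a reviewed chkrootkit report as a baseline and print only findings
# that are new since then, so recurring false positives (the LKM trojan
# warning, threads counted as hidden processes) stay out of the way.

# Drop the "all clear" lines, then replace every number by N so that a
# changing thread count ("2 process hidden" -> "3 process hidden") is not
# mistaken for a new finding. grep status 1 only means "no lines left".
interesting() {
    { grep -v -i -E 'not infected|not found|nothing found|nothing detected|^$' "$1" \
        || [ $? -eq 1 ]; } | sed 's/[0-9][0-9]*/N/g'
}

# Lines present in the current report that the baseline does not contain.
new_findings() {
    b=$(mktemp); c=$(mktemp)
    interesting "$1" | sort -u > "$b"
    interesting "$2" | sort -u > "$c"
    comm -13 "$b" "$c"
    rm -f "$b" "$c"
}

# Constructed sample reports (not real chkrootkit output from any host).
BASELINE_FILE=$(mktemp); CURRENT_FILE=$(mktemp)
trap 'rm -f "$BASELINE_FILE" "$CURRENT_FILE"' EXIT
cat > "$BASELINE_FILE" <<'EOF'
ROOTDIR is `/'
Checking `amd'... not found
Checking `ls'... not infected
Checking `lkm'... You have     2 process hidden for readdir command
chkproc: Warning: Possible LKM Trojan installed
Checking `sniffer'... lo: not promisc and no packet sniffer sockets
EOF
cat > "$CURRENT_FILE" <<'EOF'
ROOTDIR is `/'
Checking `amd'... not found
Checking `ls'... INFECTED
Checking `lkm'... You have     3 process hidden for readdir command
chkproc: Warning: Possible LKM Trojan installed
Checking `sniffer'... lo: not promisc and no packet sniffer sockets
EOF

# Real use (assumed layout): chkrootkit > /tmp/chkrootkit.now &&
#   new_findings /var/lib/chkrootkit/baseline.txt /tmp/chkrootkit.now
new_findings "$BASELINE_FILE" "$CURRENT_FILE"
```

Only the `ls` line is reported: the LKM warning and the hidden-process line are in the baseline, and the changed thread count is normalised away.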