[2283] in linux-security and linux-alert archive


[linux-security] Re: Programming ...

daemon@ATHENA.MIT.EDU (Zygo Blaxell)
Tue Nov 30 18:07:58 1999

From: hgtaesml@umail.furryterror.org (Zygo Blaxell)
Message-Id: <slrn847t0v.dhq.zblaxell@washu.furryterror.org>
Date: Tue, 30 Nov 1999 15:58:24 GMT
To: <linux-security@redhat.com>
Resent-From: linux-security@redhat.com

Signed message created at Tue Nov 30 10:57:23 1999 by zblaxell@washu


On Sat, 27 Nov 1999 22:42:21 GMT, Antonomasia <ant@notatla.demon.co.uk> wrote:
>From: Wade Maxfield <maxfield@ctelcom.net>
>>   In one case I saw, a perp deleted /etc/hosts.deny, ran adduser to create
>> user rewt, then telnetted into the system.  /etc/hosts.deny is now "chattr
>> -i".  What stopped the perp in that case was that /etc/skel/.bashrc had an
>> exit at the end of the script.  He was immediately logged out and went
>> away.  He was using the buffer overflow in named 4.9.6 to do it.
>
>Was that "chattr +i" ?   What difference does it make against root ?

Multiple redundant security measures, even not entirely effective ones,
can stop casual attackers.  It would not stop someone who really wanted
_your_ box.  This comes down to the question of what you're trying to
protect:  do you want security enough to keep people out, no matter what
the cost, or only enough to make people with short attention spans give
up and move on to the next target?

If you have an attacker who is determined enough to attack daemons with
custom machine code (custom enough to cope with not having a /bin/sh, a
telnetd or similar access protocol, chattred files everywhere, stripped
down libc.so, and to figure out how to get all this through a restrictive
firewall), then trivial measures such as /etc/hosts.deny won't help you.

I have found from personal experience that most attackers who do penetrate
a daemon are unable to cope with non-trivial routing and firewall rules
afterwards, even though all this stuff can be controlled from the root
account which they just compromised, and the configuration is not very
complicated (basically two ethernet cards and IP masq is too hard for
most intruders to understand, especially if eth0 is on the inside).

It is very expensive to keep a determined attacker out of your machine.
You would have to strip the box of anything that didn't contribute
directly to functionality or security, and employ external measures such
as code review (have you read your Linux kernel sources lately?),
content-filtering firewalls, and dedicated human monitoring as well.


-- 
I don't speak for Corel. zygob@corel.ca at work, zblaxell@furryterror.org
at play.  GPG-encrypted email preferred at zblaxell@feedme.hungrycats.org
GPG fingerprint:  2B32 546D 21A5 0DB2 20C8  AF10 1D4A 610E 6972 2DEE
GPG public key:  http://www.hungrycats.org/~zblaxell/gpg-public.txt


-- 
----------------------------------------------------------------------
Please refer to the information about this list as well as general
information about Linux security at http://www.aoy.com/Linux/Security.
----------------------------------------------------------------------

To unsubscribe:
  mail -s unsubscribe linux-security-request@redhat.com < /dev/null

