[9337] in bugtraq
Re: No Security is Bad Security:
daemon@ATHENA.MIT.EDU (Jan B. Koum)
Thu Feb 4 13:15:45 1999
Date: Wed, 3 Feb 1999 08:33:10 -0800
Reply-To: "Jan B. Koum" <jkb@BEST.COM>
From: "Jan B. Koum" <jkb@BEST.COM>
X-To: Kevin Day <toasty@HOME.DRAGONDATA.COM>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: <199902030750.BAA00373@home.dragondata.com>; from Kevin Day on Wed, Feb 03, 1999 at 01:50:20AM -0600
[aleph: feel free to pick out certain points and cut others out]
On Wed, Feb 03, 1999 at 01:50:20AM -0600, Kevin Day <toasty@HOME.DRAGONDATA.COM> wrote:
> >
> > Mistakes Made in Incidence Response:
> > -----------------------------------
> >
> > 1) Don't log in as root on a machine that most likely has been
> > compromised. Bsd things can happen.
> >
> > 2) Don't go around blithely executing binaries. (I feel rather stupid
> > about that)
> >
> > 3) Do *immediately* take the machine offline, and mount the disks on
> > another system for analysis.
>
>
> If mounting on another system, and your OS supports it, mount with the
> 'noexec' option, to make sure you don't accidentally infect another system, as
> well as the rdonly flag to make sure you don't damage evidence. You may also
> want to consider 'noatime', to keep things really pristine, if you don't go
> 'ro'.
>
> noexec  Do not allow execution of any binaries on the mounted
>         file system. This option is useful for a server that has
>         file systems containing binaries for architectures other
>         than its own.
>
>
>
> Kevin
I would like to bring up another big point the author of the original
email forgot: wardialing. No matter how much you port scan, you will
find something that surprises you when you wardial. Honest.
Ok.. there is more than one point in this email:
> 1) Don't log in as root on a machine that most likely has been
> compromised. Bsd things can happen.
You have to log in as root to shut down the system. You don't
want to 'just turn it off' since you can lose data.
> 3) Do *immediately* take the machine offline, and mount the disks on
> another system for analysis.
True. Don't forget to mount rdonly,noexec,nosuid,nodev
(mentioned above; some flags are redundant).
> 1) we have no firewall nor tcpd running, so there is no effective access
> control or access logging. We have incredibly primitive router filtering,
> which eliminates only the most basic of IP-spoofing attacks.
You can install ipf if you are on Solaris. Or get a FreeBSD with
two NICs and use that as your firewall.
> 6) we did not purchase or implement any Intrusion Detection Software.
> [IDS]
http://www.l0pht.com/NFR
http://www.nfr.com
>
> Not using tripwire cost us a lot, in that a) we had to rebuild every last
> GNU program from source, and b) we did not have it available as a means of
> detecting 'wrongness' on a production system.
Take a look at how FreeBSD/NetBSD/OpenBSD make use of CVS/CVSup
to bring you things like 'make world' or 'make build'.. will make
rebuilding from source very easy. No GNU though. Well.. I'll stop here.
-- Yan
I don't have the password .... + Jan Koum
But the path is chainlinked .. | Spelled Jan, pronounced Yan. There.
So if you've got the time .... | Web: http://www.best.com/~jkb
Set the tone to sync ......... + OS: http://www.FreeBSD.org
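A check for the mount flags discussed in this thread (rdonly, noexec, nosuid, nodev), as an added example that is not part of the original post: it reads a /proc/mounts-style table and refuses to call an evidence mount safe unless every flag is present. The sample table, the mount points and the device names are constructed for illustration.

```shell
# Added example, not from the original thread: confirm that a disk pulled from
# a compromised host really is mounted with the flags recommended above before
# anyone analyses it (/proc/mounts spells rdonly as "ro"). The mount itself,
# run as root, not executed here:  mount -o ro,noexec,nosuid,nodev /dev/sdb1 /mnt/evidence
REQUIRED_FLAGS="ro noexec nosuid nodev"

# Constructed sample in /proc/mounts format: one evidence mount done right,
# one mounted carelessly with the defaults.
SAMPLE_MOUNTS='/dev/sda1 / ext4 rw,relatime 0 0
/dev/sdb1 /mnt/evidence ext4 ro,nosuid,nodev,noexec,relatime 0 0
/dev/sdc1 /mnt/careless ext4 rw,relatime 0 0'

# Print the required flags absent from a comma-separated option string,
# space-separated; prints nothing when none are missing.
missing_flags() {
    missing=""
    for flag in $REQUIRED_FLAGS; do
        case ",$1," in
            *",$flag,"*) ;;
            *) missing="$missing $flag" ;;
        esac
    done
    printf '%s' "${missing# }"
}

# Print the option field of mount point $1 from /proc/mounts-format text $2;
# prints nothing if the mount point is absent.
mount_opts_for() {
    printf '%s\n' "$2" | awk -v mp="$1" '$2 == mp { print $4; exit }'
}

# Status 0 only if mount point $1, looked up in $2 (default: the live
# /proc/mounts), is present and carries every required flag.
verify_evidence_mount() {
    table="${2:-$(cat /proc/mounts)}"
    opts=$(mount_opts_for "$1" "$table")
    if [ -z "$opts" ]; then
        echo "$1: not mounted"; return 1
    fi
    missing=$(missing_flags "$opts")
    if [ -n "$missing" ]; then
        echo "$1: UNSAFE, missing: $missing"; return 1
    fi
    echo "$1: ok ($opts)"
}

# Run against the constructed table; "|| :" keeps a failing check from
# aborting the script under set -e.
for mp in /mnt/evidence /mnt/careless /mnt/absent; do
    verify_evidence_mount "$mp" "$SAMPLE_MOUNTS" || :
done
```

Call `verify_evidence_mount /mnt/evidence` with no second argument to check the live system instead of the sample table.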