Re: [cobalt-security] SFTP on Raq4 as Root?
- Subject: Re: [cobalt-security] SFTP on Raq4 as Root?
- From: Ake Brannstrom <ake@xxxxxxxxxxx>
- Date: Sun, 5 Aug 2001 14:26:25 +0200
- List-id: Mailing list for users to address network security on Cobalt products. <cobalt-security.list.cobalt.com>
> > > "rm /bin/su" then you might find yourself locked out of your own box..
> > To be honest, if "Mr BadGuy" has root privilege on your box, that's the
> > least of your worries!
> Actually it's going to be your first thing to worry about.... Remember...
> You need it before you can do anything as root.... Now if you can't do
> anything and you allow your box to continue to scan the gov.... You might
To be honest, it wouldn't be the first thing to worry about. If "Mr BadGuy"
does want to shut you out, he can do that effectively by other means.
If one of my systems got hacked, I would do the following:
1. Remove the machine from the network
2. Boot from a safe media, meaning that all the binaries are intact. I
usually boot from a CD. Don't know if this is possible on the Raq4
3. Examine the system carefully to find out how they got in and what they
did.
4. Notify the administrators on the system the attack originated from, as
well as those that were attacked.
5. Take a full backup.
6. Reinstall a new, clean system.
7. Secure the system, i.e. apply all available patches, disable all
unnecessary services, install all relevant security software and, very
important, redirect all system logs to a "completely" secure system that is
only being used for this purpose.
8. Connect the system to the network again, and give new passwords to the
users and/or force them to change their passwords as appropriate.
If you have checksums of all your binaries, you could possibly skip step 6. I
use software called tripwire to check the integrity of my binaries and
files.
Observe that all these steps can be carried through regardless of whether the
attacker tried to shut you out or not. The one exception I could think of
would be if you have encrypted file systems. I do, on one machine, but so far
I haven't had to deal with that problem.
It's also very likely that this procedure can be improved greatly, because,
after all, I am the most underpaid administrator in the western world, and
that must mean something.
Sincerely,
Ake Brannstrom
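The checksum comparison mentioned in the post (a baseline of binary hashes taken while the system is known-good, checked again after an incident, preferably from safe boot media as in step 2) as an added illustration; this is example code written for this page, not tripwire's code or anything from the list. It builds a constructed sample tree in a temporary directory, records a baseline, then simulates a modified, a removed and an added file to show what such a check reports.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def hash_file(path):
    """SHA-256 of a file, read in chunks so large binaries are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Walk root and return {relative path: sha256}; symlinks are skipped."""
    baseline = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue
            baseline[os.path.relpath(full, root)] = hash_file(full)
    return baseline


def verify(root, baseline):
    """Compare the tree under root against a stored baseline.

    The baseline must be kept off the machine (or on read-only media), otherwise
    whoever altered the binaries can alter the checksums too.
    """
    current = build_baseline(root)
    changed = sorted(p for p in baseline if p in current and current[p] != baseline[p])
    missing = sorted(p for p in baseline if p not in current)
    added = sorted(p for p in current if p not in baseline)
    return {"changed": changed, "missing": missing, "added": added}


def demo():
    """Constructed sample: a fake bin/ tree, baseline, then three kinds of drift."""
    with tempfile.TemporaryDirectory() as root:
        bindir = Path(root, "bin")
        bindir.mkdir()
        for name in ("su", "ls", "ps"):
            (bindir / name).write_bytes(b"original " + name.encode())
        baseline = build_baseline(root)          # taken while the box is known-good
        (bindir / "su").write_bytes(b"modified")  # contents changed
        (bindir / "ls").unlink()                  # file removed
        (bindir / "extra").write_bytes(b"new")    # file that was not there before
        return verify(root, baseline)
```

Running `demo()` returns `{"changed": ["bin/su"], "missing": ["bin/ls"], "added": ["bin/extra"]}`; any non-empty list is a reason to keep going with steps 3 to 6 rather than skipping the reinstall.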