
Re: [cobalt-security] SFTP on Raq4 as Root?



> > > "rm /bin/su" then you might find yourself locked out of your own box..

> > To be honest, if "Mr BadGuy" has root privilege on your box, that's the
> > least of your worries!

> Actually it's going to be your first thing to worry about.... Remember...
> You need it before you can do anything as root....  Now if you can't do
> anything and you allow your box to continue to scan the gov....  You might

To be honest, it wouldn't be the first thing to worry about. If "Mr BadGuy" 
does want to shut you out, he can do that effectively by other means. 

If one of my systems got hacked, I would do the following: 

1. Remove the machine from the network

2. Boot from a safe medium, meaning that all the binaries are intact. I 
usually boot from a CD. Don't know if this is possible on the Raq4.

3. Examine the system carefully to find out how they got in and what they 
did. 

4. Notify the administrators on the system the attack originated from, as 
well as those that were attacked. 

5. Take a full backup. 

6. Reinstall a new, clean system. 

7. Secure the system, i.e. apply all available patches, disable all 
unnecessary services, install all relevant security software and, very 
important, redirect all system logs to a "completely" secure system that is 
only being used for this purpose. 

8. Connect the system to the network again, and give new passwords to the 
users and/or force them to change their passwords as appropriate. 

If you have checksums of all your binaries you could possibly skip step 6. I 
use software called tripwire to check the integrity of my binaries and 
files. 

Observe that all these steps can be carried through regardless of whether the 
attacker tried to shut you out or not. The one exception I could think of 
would be if you have encrypted file systems. I do, on one machine, but so far 
I haven't had to deal with that problem. 

It's also very likely that this procedure can be improved greatly, because, 
after all, I am the most underpaid administrator in the western world, and 
that must mean something. 

Sincerely, 
Ake Brannstrom
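The checksum check that the message above relies on for deciding whether step 6 can be skipped, written out as an added example; this is not code from the original post and not tripwire itself, just a small baseline-and-verify pair that assumes sha256sum, find and awk are available on the trusted boot medium and that file paths contain no whitespace.

```sh
#!/bin/sh
# Added example, not from the original post: a minimal checksum baseline in
# the spirit of the tripwire check mentioned above. baseline_create records a
# SHA-256 for every regular file under a tree; baseline_verify recomputes them
# and reports what CHANGED, went MISSING or was ADDED, returning non-zero if
# anything differs. Assumes sha256sum, find and awk, and paths without
# whitespace (a hypothetical setup, not the original poster's).
# Run the verify step after booting from trusted media (step 2) so that the
# find/sha256sum/awk binaries used for the check are themselves intact, and
# keep the baseline file off the box (e.g. on the dedicated log host).

hash_tree() {   # $1 = root of the tree; prints "<sha256>  <relative path>" per file
    ( cd "$1" && find . -type f -exec sha256sum {} + ) | LC_ALL=C sort -k2
}

baseline_create() {   # $1 = tree, $2 = baseline file to write
    hash_tree "$1" > "$2"
}

baseline_verify() {   # $1 = tree, $2 = stored (non-empty) baseline
    # First input to awk is the stored baseline, second (stdin) is the fresh scan.
    report=$(hash_tree "$1" | awk '
        NR == FNR { old[$2] = $1; next }
                  { new[$2] = $1 }
        END {
            for (p in old)
                if (!(p in new))           print "MISSING " p
                else if (old[p] != new[p]) print "CHANGED " p
            for (p in new)
                if (!(p in old))           print "ADDED " p
        }' "$2" - | LC_ALL=C sort)
    [ -n "$report" ] && printf '%s\n' "$report"
    [ -z "$report" ]   # success only when nothing changed
}
```

A clean verify run prints nothing and exits 0; any deviation prints one line per file and exits 1, which is the signal that a reinstall (step 6) is needed after all.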