Date: Mon, 8 Dec 2003 11:23:35 -0800 (PST) From: Dorin H <bj93542@yahoo.com> To: Craig Riter <criter@riter.com> Cc: freebsd-security@freebsd.org Subject: Re: possible compromise or just misreading logs Message-ID: <20031208192335.59444.qmail@web12609.mail.yahoo.com> In-Reply-To: <000b01c3bce5$a411f9c0$65ffa8c0@EOS>
next in thread | previous in thread | raw e-mail | index | archive | help
Hi there, About file integrity check (only one piece of the puzzle, but a necessary one): Use aide (last tripwire is yet to be updated -do not compile-, see maintainer work). To prevent the mentioned attacks, keep your hashes OFF your box. To compute/verify hashes, always boot from a secure live cd. Downside: you have to do this at each update. To maintain the level of security, try something like: 1. boot secure cd 2. verify the hashes by comparing to the last version from the external source (use a log, better than override previous hashes). 3. If ok, do the update (have your sources downloaded locally before and verified; the FreeBSD online update system is yet to be secured: see list discussion) [Paranoia: 4.boot again your safe cd and recompute & save the new hashes] 4. Recompute the new hashes and save them externally. Add-on. You should do this offline to remove the window of opportunity in step 3, while updating the tracked files. Hope this helps, /Dorin. PS. If you have a Web server, I'd rather start by add at least some kind of firewall and an external syslog before thinking og the file integrity check anyway. > Second, what are people using for intrusion > detection? This is something I > have thought about but never really thought I > needed until now. > __________________________________ Do you Yahoo!? Free Pop-Up Blocker - Get it now http://companion.yahoo.com/
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20031208192335.59444.qmail>