From: Dorin H
To: Craig Riter
Cc: freebsd-security@freebsd.org
Date: Mon, 8 Dec 2003 11:23:35 -0800 (PST)
Subject: Re: possible compromise or just misreading logs
In-Reply-To: <000b01c3bce5$a411f9c0$65ffa8c0@EOS>

Hi there,

About file integrity checks (only one piece of the puzzle, but a necessary one): use aide (the last tripwire is yet to be updated - do not compile - see the maintainer's work). To prevent the mentioned attacks, keep your hashes OFF your box. To compute/verify hashes, always boot from a secure live CD. Downside: you have to do this at each update. To maintain the level of security, try something like:

1. Boot the secure CD.
2. Verify the hashes by comparing to the last version from the external source (use a log; better than overriding previous hashes).
3. If OK, do the update (have your sources downloaded locally beforehand and verified; the FreeBSD online update system is yet to be secured: see list discussion).
[Paranoia: 4. boot your safe CD again and recompute & save the new hashes]
4. Recompute the new hashes and save them externally.

Add-on: you should do this offline to remove the window of opportunity in step 3, while updating the tracked files.

Hope this helps,
/Dorin.

PS. If you have a Web server, I'd rather start by adding at least some kind of firewall and an external syslog before thinking of the file integrity check anyway.

> Second, what are people using for intrusion detection? This is something I
> have thought about but never really thought I needed until now.
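The boot-from-CD, verify, update, recompute loop described in the mail above, as an added example that is not part of the original thread and is not aide or tripwire: a minimal manifest-and-compare script in portable sh. It hashes a mounted tree, compares against the last manifest kept on external media, and archives every new manifest under a timestamped name with a log line instead of overwriting the previous one. The names and paths (ROOT for the mounted target, EXT for the external store, manifest.<stamp> and integrity.log) are assumptions for the example, not from the thread.

```shell
#!/bin/sh
# Added example, not from the original mail: a minimal offline integrity
# check in portable sh, meant to be run from a live CD with the target
# system mounted (assumed at $ROOT) and the hash store on removable media
# (assumed at $EXT). Manifests are archived by timestamp and appended to a
# log; nothing in $EXT is ever overwritten.
set -u

# SHA-256 of one file, using whichever tool the live CD happens to ship.
hash_one() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    elif command -v sha256 >/dev/null 2>&1; then
        sha256 -q "$1"                        # FreeBSD base system
    else
        openssl dgst -sha256 -r "$1" | awk '{print $1}'
    fi
}

# Manifest of a tree: one "<sha256> <path>" line per regular file, whole-line
# sorted in C collation so two manifests can be compared with comm(1).
# Caveat: paths containing newlines are not handled.
make_manifest() {
    find "$1" -type f | while IFS= read -r f; do
        printf '%s %s\n' "$(hash_one "$f")" "$f"
    done | LC_ALL=C sort
}

# Compare a stored manifest with the tree as it is now. Prints one line per
# difference and returns 0 only when nothing changed. A modified file shows
# up twice (old line gone, new line present), which is what we want to see.
verify_manifest() {
    stored=$1
    root=$2
    fresh=$(mktemp) || return 2
    make_manifest "$root" > "$fresh"
    gone=$(LC_ALL=C comm -23 "$stored" "$fresh")
    new=$(LC_ALL=C comm -13 "$stored" "$fresh")
    rm -f "$fresh"
    if [ -z "$gone" ] && [ -z "$new" ]; then
        return 0
    fi
    printf '%s\n' "$gone" | awk 'NF { sub(/^[^ ]* /, ""); print "MISSING-OR-CHANGED", $0 }'
    printf '%s\n' "$new"  | awk 'NF { sub(/^[^ ]* /, ""); print "NEW-OR-CHANGED", $0 }'
    return 1
}

# Save a manifest to the external store under a timestamped name and append
# a log line (with the manifest's own hash, so a tampered copy is detectable).
# Prints the path of the archived copy. Refuses to overwrite an existing one.
archive_manifest() {
    ext=$1
    manifest=$2
    stamp=$(date -u +%Y%m%dT%H%M%SZ)
    dest="$ext/manifest.$stamp"
    if [ -e "$dest" ]; then
        echo "refusing to overwrite $dest" >&2
        return 1
    fi
    cp "$manifest" "$dest" || return 1
    printf '%s %s %s\n' "$stamp" "$(hash_one "$dest")" "$dest" >> "$ext/integrity.log"
    echo "$dest"
}

# Most recent archived manifest in the store (timestamp in the name sorts).
latest_manifest() {
    ls "$1"/manifest.* 2>/dev/null | LC_ALL=C sort | tail -n 1
}

# Usage from the live CD (ROOT = mounted target, EXT = external store):
#   sh integrity.sh snapshot "$ROOT" "$EXT"   # after a verified update
#   sh integrity.sh verify   "$ROOT" "$EXT"   # before trusting the box again
case "${1:-}" in
    snapshot)
        tmp=$(mktemp) && make_manifest "$2" > "$tmp" && archive_manifest "$3" "$tmp"
        rm -f "$tmp" ;;
    verify)
        last=$(latest_manifest "$3")
        if [ -z "$last" ]; then
            echo "no manifest in $3" >&2
            exit 2
        fi
        verify_manifest "$last" "$2" && echo "OK: matches $last" ;;
esac
```

The whole point of running this from a live CD is that hash_one, find and comm come from the CD, not from the possibly compromised disk; run on the live system, a trojaned sha256 or kernel could lie about every file. The log line in integrity.log records the hash of each archived manifest, so the external store itself can be checked against a copy kept elsewhere.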