
Re: [suse-security] Found file in /dev: "h"



> Ok, that's right. I'm only angry about the crackers (yes, an important
> difference!). But you know, it is nearly impossible to make a system
> invulnerable - or better: I believe it.

Depends on how dumb or wise someone sets up a box:

- no unnecessary services
- necessary services run as user and not as root; if impossible, use a
wrapper or better chroot them
- wisely choose the daemons you run
- no weak passwords
- update your system to up-to-date files
- run ids (file and network ids) software and often parse the logfiles
- write your own scripts to parse logfiles with important notes only and
often parse them
- get proven root-kit-detection scripts
- if you have more than one server, let all servers take a specific role
(e.g.: db-server, dhcp-server&firewall, webserver, corporate syslog-server)
- if you got a bigger network, build two firewalls with one in front of the
internet and one in front of your network connected to each other (minimal
system with own kernel and no network services activated); build in the
first one a dmz and a honeypot that logs all activity
- subscribe to different security mailing lists and follow the threads
- don't overprotect a system so it's a challenge for some persons (there are
enough weak servers on the net, so most kiddies search the more vulnerable
ones)
- some experience is needed as well, but much can be read on the net or you
get help of more familiar persons on the net

Most intrusions come from:

- weak passwords
- old service daemons
- insecure services
- unsatisfied employees
- your own network
- careless handling of data/data security

To get behind an intrusion:

- leave the system as is and don't change any data, otherwise no later forensic
investigation will be possible
- back up the system and run a forensic analysis on a trusted machine (you
get data patterns on the net and useful free software for that purpose as
well)
- unplug the system from the network
- exchange the system against a honeypot and log activities

With the last thing you can find what's going on and trace the intruders
back to their origin.

Philippe


-- 
Check the headers for your unsubscription address
For additional commands, e-mail: suse-security-help@xxxxxxxx
Security-related bug reports go to security@xxxxxxx, not here
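Two of the items in Philippe's list, "run ids (file ... ids)" and "write your own scripts to parse logfiles with important notes only", as an added stand-alone example. This is not code from the original mail or from any SuSE tool; it assumes a sha256 baseline of a directory tree (here a temporary directory standing in for /dev, so an unexpected file like "h" shows up as "added") and a constructed set of sshd auth log lines with an assumed threshold of 3 failed logins per source.

```python
"""Added example: a file-integrity baseline check and an auth-log filter
that keeps only the lines worth reading. All sample data is constructed."""
import hashlib
import os
import re
import tempfile
from collections import Counter


def hash_file(path):
    """sha256 of a file, read in chunks so large files do not fill memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Map relative path (forward slashes) -> sha256 for every regular file
    under root. Symlinks are skipped so a link cannot pull in foreign data."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.isfile(full) and not os.path.islink(full):
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                baseline[rel] = hash_file(full)
    return baseline


def compare_baseline(old, new):
    """Report files that appeared, vanished or changed since the baseline."""
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "changed": sorted(p for p in set(old) & set(new) if old[p] != new[p]),
    }


# syslog-style sshd lines (assumed format of OpenSSH auth logging)
FAILED = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\d+\.\d+\.\d+\.\d+)")
ACCEPTED = re.compile(r"Accepted \w+ for (\S+) from (\d+\.\d+\.\d+\.\d+)")


def summarize_auth_log(lines, threshold=3):
    """Keep only the important notes: sources hammering passwords and any
    successful root login, instead of the whole log."""
    failures = Counter()
    root_logins = []
    for line in lines:
        m = FAILED.search(line)
        if m:
            failures[m.group(2)] += 1
            continue
        m = ACCEPTED.search(line)
        if m and m.group(1) == "root":
            root_logins.append(m.group(2))
    return {
        "bruteforce_sources": sorted(ip for ip, n in failures.items() if n >= threshold),
        "root_logins_from": root_logins,
    }


# Constructed sample log; the hosts and addresses are made up.
SAMPLE_LOG = [
    "Jan 12 03:14:01 srv sshd[2201]: Failed password for invalid user admin from 10.0.0.5 port 4122 ssh2",
    "Jan 12 03:14:03 srv sshd[2201]: Failed password for invalid user admin from 10.0.0.5 port 4123 ssh2",
    "Jan 12 03:14:05 srv sshd[2201]: Failed password for root from 10.0.0.5 port 4124 ssh2",
    "Jan 12 03:14:09 srv sshd[2201]: Accepted password for root from 10.0.0.5 port 4125 ssh2",
    "Jan 12 08:00:00 srv sshd[2300]: Accepted publickey for alice from 192.168.1.20 port 50000 ssh2",
    "Jan 12 08:00:01 srv sshd[2300]: Failed password for bob from 192.168.1.21 port 50001 ssh2",
    "Jan 12 08:00:02 srv CRON[2400]: (root) CMD (run-parts /etc/cron.hourly)",
]


def demo():
    """Baseline a fake 'dev' tree, drop an unexpected file 'h' into it, and
    report the difference alongside the filtered auth log."""
    with tempfile.TemporaryDirectory() as root:
        devdir = os.path.join(root, "dev")
        os.makedirs(devdir)
        with open(os.path.join(devdir, "null.txt"), "w") as f:
            f.write("placeholder device node stand-in")
        before = build_baseline(root)
        with open(os.path.join(devdir, "h"), "w") as f:
            f.write("unexpected file")
        after = build_baseline(root)
        diff = compare_baseline(before, after)
    return diff, summarize_auth_log(SAMPLE_LOG)


if __name__ == "__main__":
    diff, summary = demo()
    print("integrity:", diff)
    print("auth log:", summary)
```

The baseline only has value if it is taken on a clean system and stored off the box (or on read-only media), since an intruder with root can rewrite both the files and the stored hashes; that is the same reason Philippe asks for the forensic analysis to run on a trusted machine.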