Re: Server hacked - next...?
- To: debian-isp@lists.debian.org
- Subject: Re: Server hacked - next...?
- From: Frode Haugsgjerd <froh@froh.dyndns.org>
- Date: Tue, 1 Jul 2003 11:55:26 +0200
- Message-id: <20030701095526.GA28320@sjefen.linux.cxm>
- In-reply-to: <001301c33f75$761fe0b0$0800a8c0@SYSTEM8>
- References: <Pine.LNX.4.43.0306290156100.10730-100000@blackhole.quasar.net> <05d501c33e0e$2ac03650$0800a8c0@SYSTEM8> <20030629104805.GE14343@sjefen.linux.cxm> <001301c33f75$761fe0b0$0800a8c0@SYSTEM8>
On Tue, Jul 01, 2003 at 10:07:01AM +0800, Jason Lim wrote:
>
> > As Russell Coker points out, the attacker probably got in through
-snipp-
> DOH... I just posted saying that in my previous email before reading his
> message! Bah... Russell gets credit for it ;-)
Not easy to say who said that first, as my previous mail took
a day and a half to get through the list.
> >
> > Mount /tmp with noexec
> > Run a hardened kernel like NSA or Grsecurity.
> > etc.
> >
>
> What would the advantage of mounting /tmp with noexec be??
An attacker can't upload his ptrace or whatever exploit to /tmp and
execute it.
A recent automated attack against Apache (1.3 something) failed because
I have /tmp mounted noexec.
Another cool, and hopefully effective, restraint on Apache and others
that I implemented in iptables yesterday:
# This stops Apache from connecting to anything other than imap2 (port 143 on localhost)
IPTABLES=/sbin/iptables   # adjust the path if your binary lives elsewhere
# Default policy stays ACCEPT; the per-user REJECT below does the blocking
$IPTABLES -P OUTPUT ACCEPT
# Allow www-data to open new TCP connections only to the local IMAP server
$IPTABLES -A OUTPUT -p tcp --dport 143 -d localhost \
    -m owner --uid-owner www-data -m state \
    --state NEW -j ACCEPT
# Reject every other new connection started by www-data (must come after the ACCEPT rule)
$IPTABLES -A OUTPUT -m owner --uid-owner www-data -m state \
    --state NEW -j REJECT
This requires a custom kernel with ipt_owner built as a module or statically.
>
> Definitely looking into running a hardened kernel now... especially after
> all this crap. Only thing that's been holding me back is the amount of
> work it would entail.....
I run Grsecurity for /proc restrictions, safer chroot, and protection
against kernel exploits like the ptrace bug.
That didn't take too long to get running.
Disclaimer: I have not tested any of this in production,
as I am a student.
--
Frode Haugsgjerd
Norway
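The two hardening measures from the mail above (a per-user egress restriction for www-data, and /tmp mounted noexec), as an added worked example that is not part of Frode's message or of any Debian code. The function names, the added LOG rule, the default iptables path and the sample mount tables are all my assumptions; the rules are only printed for review, nothing is loaded into the live firewall.

```sh
#!/bin/sh
# Added example, not from the original mail. Two helpers:
#  1. egress_rules USER DST PORT  - prints the iptables commands that let USER open
#     new TCP connections only to DST:PORT and log, then reject, everything else.
#  2. tmp_is_noexec               - reads a /proc/mounts-style table on stdin and
#     succeeds only if the /tmp mount carries the noexec option.
# Nothing here touches the running firewall; pipe the printed rules to sh as root.

egress_rules() {
    user=$1 dst=$2 port=$3
    ipt=${IPTABLES:-/sbin/iptables}   # path is an assumption; override with IPTABLES=...
    cat <<EOF
# Allow $user to start TCP connections only to $dst:$port
$ipt -A OUTPUT -p tcp -d $dst --dport $port -m owner --uid-owner $user -m state --state NEW -j ACCEPT
# Log, then reject, any other connection $user tries to open (order matters: after the ACCEPT)
$ipt -A OUTPUT -m owner --uid-owner $user -m state --state NEW -j LOG --log-prefix "egress-$user: "
$ipt -A OUTPUT -m owner --uid-owner $user -m state --state NEW -j REJECT
EOF
}

tmp_is_noexec() {
    # /proc/mounts format: field 2 is the mount point, field 4 the comma-separated options.
    awk '$2 == "/tmp" { n = split($4, o, ","); for (i = 1; i <= n; i++) if (o[i] == "noexec") found = 1 }
         END { exit found ? 0 : 1 }'
}

# Constructed sample mount tables (not taken from a real host) for trying the check offline.
SAMPLE_NOEXEC='/dev/sda1 / ext3 rw,errors=remount-ro 0 0
/dev/sda3 /tmp ext3 rw,nosuid,nodev,noexec 0 0'
SAMPLE_EXEC='/dev/sda1 / ext3 rw,errors=remount-ro 0 0
/dev/sda3 /tmp ext3 rw 0 0'

# Stand-alone use: check the real mount table, then print the rules for www-data.
if tmp_is_noexec < /proc/mounts 2>/dev/null; then
    echo "# /tmp is mounted noexec"
else
    echo "# WARNING: /tmp is not mounted noexec (or /proc/mounts is unreadable)"
fi
egress_rules "${1:-www-data}" "${2:-127.0.0.1}" "${3:-143}"
```

Two practitioner notes: on current kernels `-m state --state NEW` is spelled `-m conntrack --ctstate NEW` (the owner match is unchanged), and noexec stops the kernel from executing a binary placed in /tmp but not an interpreter being told to read it (`sh /tmp/x.sh`, `perl /tmp/x.pl`), which is why the egress rule is worth having alongside it.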