
Re: Server hacked - next...?



On Tue, Jul 01, 2003 at 10:07:01AM +0800, Jason Lim wrote:
> 
> > As Russell Coker points out, the attacker probably got in through
-snipp- 
> DOH... I just posted saying that in my previous email before reading his
> message! Bah... Russell gets credit for it ;-)

Not easy to say who said that first, as my previous mail took
a day and a half to get through the list.

> >
> > Mount /tmp with noexec
> > Run a hardened kernel like NSA or Grsecurity.
> > etc.
> >
> 
> What would the advantage of mounting /tmp with noexec be??

An attacker can't upload his ptrace or whatever exploit to /tmp and
execute it.
A recent automated attack against Apache (1.3 something) failed because
I have /tmp mounted noexec.

Another cool, and hopefully effective, restraining of apache and others
that I implemented in iptables yesterday:

# This stops apache from connecting to anything else than imap2
$IPTABLES -P OUTPUT ACCEPT
# Allow processes owned by www-data to open new TCP connections only to
# the local IMAP port (143)
$IPTABLES -A OUTPUT -p tcp --dport 143 -d localhost \
        -m owner --uid-owner www-data -m state \
        --state NEW -j ACCEPT
# Reject every other new outbound connection owned by www-data
$IPTABLES -A OUTPUT -m owner --uid-owner www-data -m state \
        --state NEW -j REJECT

This requires a custom kernel with ipt_owner as module or static.

> 
> Definitely looking into running a hardened kernel now... especially after
> all this crap. Only thing that's been holding me back is the amount of
> work it would entail.....

I run Grsecurity for /proc restrictions, safer chroot, and protection
against kernel exploits like the ptrace bug.
That didn't take too long to get running.

Disclaimer: I have not tested any of this in production,
as I am a student.

--
Frode Haugsgjerd
Norway
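As an added example (not part of Frode's mail), a small POSIX shell audit that checks the two measures above on a host: that /tmp is mounted noexec, and that an OUTPUT rule rejects new connections owned by www-data. It reads /proc/mounts-style and iptables-save-style files, and assumes the owner rule was saved with the user name rather than a numeric uid; the sample inputs are constructed.

```shell
#!/bin/sh
# Added example, not from the original mail: audit (1) /tmp mounted noexec
# and (2) an iptables OUTPUT rule rejecting new connections owned by the
# web server uid. Point the checks at /proc/mounts and a saved
# `iptables-save` dump on a real host, or at the constructed samples below.

# Constructed sample in /proc/mounts format: /tmp carries noexec.
SAMPLE_MOUNTS='/dev/sda1 / ext3 rw,errors=remount-ro 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec 0 0
proc /proc proc rw 0 0'

# Constructed sample of `iptables-save` output matching the rules in the mail.
SAMPLE_IPTABLES='*filter
:OUTPUT ACCEPT [0:0]
-A OUTPUT -d 127.0.0.1/32 -p tcp --dport 143 -m owner --uid-owner www-data -m state --state NEW -j ACCEPT
-A OUTPUT -m owner --uid-owner www-data -m state --state NEW -j REJECT
COMMIT'

# tmp_is_noexec FILE: exit 0 if FILE lists a mount on /tmp whose option
# list contains the exact token "noexec", 1 otherwise.
tmp_is_noexec() {
    awk '$2 == "/tmp" {
             n = split($4, opt, ",")
             for (i = 1; i <= n; i++) if (opt[i] == "noexec") found = 1
         }
         END { exit found ? 0 : 1 }' "$1"
}

# egress_rejected FILE USER: exit 0 if FILE (iptables-save format) has an
# OUTPUT rule that REJECTs or DROPs packets owned by USER. Assumes the rule
# names the user as in the mail; newer iptables may save the numeric uid.
egress_rejected() {
    grep -E "^-A OUTPUT .*--uid-owner $2( |$).* -j (REJECT|DROP)" "$1" >/dev/null
}

# run_audit MOUNTS_FILE IPTABLES_FILE USER: one OK/WARN line per check.
run_audit() {
    if tmp_is_noexec "$1"; then echo "OK   /tmp is mounted noexec"
    else echo "WARN /tmp is not mounted noexec"; fi
    if egress_rejected "$2" "$3"; then echo "OK   new connections from $3 are rejected"
    else echo "WARN no OUTPUT rule rejecting $3 found"; fi
}

# Run against the constructed samples (swap in /proc/mounts and an
# iptables-save dump to audit a real host).
mnt=$(mktemp) && printf '%s\n' "$SAMPLE_MOUNTS" > "$mnt"
ipt=$(mktemp) && printf '%s\n' "$SAMPLE_IPTABLES" > "$ipt"
run_audit "$mnt" "$ipt" www-data
rm -f "$mnt" "$ipt"
```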


