
Re: Debian Stable server hacked



On Thu, Aug 07, 2003 at 07:03:13PM +0200, Thijs Welman wrote:
> Hi,
> 
> Thanks. I forgot to mention that I am subscribed to 
> debian-security-announce as well (of course ;)). As far as the kernel 
> updates are concerned: I use my own kernel. At this moment that's 2.4.21 
> with Alan Cox's patches (ac4). Could be there's an exploit in that 
> kernel version. Maybe I should consider going back to a 
> Debian-packaged kernel...
> 
> Does anyone have any comments on, or experience with, Debian vs custom kernels?

Generally if there is a kernel exploit, it is only used to get
root from some other account. The way they get in is through some
server app with a hole in it (known or not known).

For over 2 years I've been running stable Debian with a Debian
kernel without any problems, well, until someone broke in.

So, now I don't run a Debian kernel at all - only a monolithic
(no modules) kernel with grsecurity.net patches. Then I set
up the ACL system (more or less) so that all of the services
that can be used to break into the system are quite useless to the attacker.
For example, apache can only execute from paths that it cannot
write to. Heck, same for root, but apache can't even see /bin, etc.

The only problem was with SSH, since if that is compromised, you
get root. So I would suggest only allowing selected IPs to 
access SSH to prevent someone from the other side from "logging in".


ACLs are a bitch to set up, but then even if an attacker manages
to break through an app into your box, they will not
be allowed to do anything :)  Well, at least with grsecurity it should
be more difficult to compromise a box by a few orders of magnitude..

- Adam

PS. Needless to say, I would recommend grsecurity for server machines :)
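As an added illustration (not Adam's configuration and not grsecurity's ACL syntax), here is a small audit script, assumed to be Python 3, that reports the paths under a tree which a given service account (uid plus its group ids) could both write to and execute from, i.e. where the "execute only from paths you cannot write" property described above is violated. It evaluates ordinary mode bits only; root's override and any grsecurity ACL layer are ignored, so it shows what the filesystem alone would allow.

```python
#!/usr/bin/env python3
"""Audit a tree for paths a service account can both write and execute.

Added example: evaluates plain Unix mode bits for a given uid/gid set.
Root's permission override and grsecurity ACLs are deliberately ignored,
so the output is what the filesystem alone would let the account do.
"""
import os
import stat
import sys


def _allowed(st, uid, gids, owner_bit, group_bit, other_bit):
    """Pick the owner/group/other permission class that applies to uid/gids."""
    if st.st_uid == uid:
        return bool(st.st_mode & owner_bit)
    if st.st_gid in gids:
        return bool(st.st_mode & group_bit)
    return bool(st.st_mode & other_bit)


def can_write(st, uid, gids):
    return _allowed(st, uid, gids, stat.S_IWUSR, stat.S_IWGRP, stat.S_IWOTH)


def can_exec(st, uid, gids):
    return _allowed(st, uid, gids, stat.S_IXUSR, stat.S_IXGRP, stat.S_IXOTH)


def audit_write_exec(root, uid, gids):
    """Return sorted paths under root that uid (with gids) can write AND execute.

    A writable+executable directory means the account can drop a file there
    and run it; a writable+executable file means it can replace code it runs.
    Symlinks are skipped; their targets are judged where they live.
    """
    findings = []
    for dirpath, _dirs, filenames in os.walk(root):
        for path in [dirpath] + [os.path.join(dirpath, f) for f in filenames]:
            try:
                st = os.lstat(path)
            except OSError:
                continue  # vanished or unreadable; nothing to judge
            if stat.S_ISLNK(st.st_mode):
                continue
            if can_write(st, uid, gids) and can_exec(st, uid, gids):
                findings.append(path)
    return sorted(findings)


if __name__ == "__main__":
    # usage: audit.py ROOT UID GID [GID...]   (uid/gids of the service account)
    for p in audit_write_exec(sys.argv[1], int(sys.argv[2]), set(map(int, sys.argv[3:]))):
        print(p)
```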


