Re: hardening checkpoints
On Thu, 15 Dec 2005, kevin bailey wrote:
> Alvin Oga wrote:
> > On Thu, 15 Dec 2005, kevin bailey wrote:
> >> was recently rootkitted on a debian machine because i'd left an obscure
> >> service running.
> > if you know how they got in .. i assume you have since fixed it
> my guess it was the miniserv.pl run by webmin - it had a security problem
> which does not seem to have been addressed by debian.
webmin thingie's can be good or bad .. :-)
> another possibility was zope - it had had some of its files altered.
one can alter any files once they got in ..
> definitely - the first machine was a try out machine - and i'd installed
> loads of stuff on it.
i consider all my machines to be "first machines to test" and all
important data saved on other test machines
> now i have two machines - one ready to take over from the first - with far
> fewer services running.
combining with your other post, be careful when and why your "backup"
machine will take over for the first machine ...
- if they hacked your first machine, they will also be trying
to hack the 2nd (backup) machine too
- if both machines are identical in hw and apps that's installed,
then the 2nd box will also be rm -rf'd
- if someone takes down my machines.. i want it to stay down, and
play possum .. till somebody knowledgeable takes a look at it
and can explain why it went down and how and why
- if it is critical that machines have to stay up, one should have
the budget ( time, $$$ and resources ) for "high availability"
and not just hot-swap 2 machines for failover
- load balancing is better, since you know all machines
are up and working ... and in sync ( data-wise ) with each other
- even if it's 3x 586 ( something cheaper and fast enough ) is
still better than 1 superfast/expensive P4 box if you always
want to be online ...
- i'd definitely use different hw and different patch levels
of distro and apps ... so that the machines will not fall
for the same cracker's tricks
> > http://www.debian.org/doc/manuals/securing-debian-howto/
> will read in detail!
and if you have more things to add to the list ... i'm sure
they'd be looking for comments ( good or bad )
> a second machine is set up ready to take over.
see comments above
> would like to do this - but i also need to be able to access the server from
> my laptop which connects over 3G - i.e. different IP address every time.
the ip# that you will be at will be a limited choice ... not the
"whole world" .. just allow that smaller world ( ip# range of the
other isp ) than the whole big "everybody and anybody"
> now been made aware of this i'll not be using internet cafes again!!!!
one usually worries after the fact :-)
and is always a convenience vs security ...
> i tend to use gpw or pwgen to create all passwords - so they shouldn't be
> too bad.
in which case, as you stated elsewhere, postits should be fine,
since all employees and people in/near the pc should be trustable
> but running the password checkers has to be done as you say.
doesn't hurt when time is available .. always double check things when
> i'm a programmer by training but finding that clients need reliable managed
> servers. so i'm trying to do two jobs at the same time - set up and manage
> servers - and write code to pay the bills!
that probably applies to everybody :-)
> debian has really helped so far - my original server ran for 4 years before
> it was hacked - and that was with me installing loads of stuff and not
> really doing much RE security.
that's a damn good track history for 4yrs..
> hopefully i can be more proactive now and keep on top of the security issues
tough job to do.. ez to say .. :-0
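Alvin's suggestion above of allowing the laptop's ISP address range rather than "the whole world" is easy to get wrong by hand, so here is an added illustration (not code from the thread or from Debian): it builds the accept/drop rules for a port from an allow-list of prefixes and then replays a few constructed sshd auth.log lines against that allow-list to show which sources would have been dropped. The prefixes and log lines are made-up placeholders (documentation/test ranges, not any real provider's blocks); the rules are returned as strings for review rather than executed.

```python
import ipaddress
import re

# Constructed allow-list standing in for the mobile ISP's address blocks.
# These are documentation/test prefixes, not any real provider's ranges.
ALLOWED_RANGES = ["203.0.113.0/24", "198.51.100.0/25"]
SSH_PORT = 22

# Constructed sshd log lines in the format Debian's auth.log uses.
SAMPLE_AUTH_LOG = """\
Dec 15 10:01:02 srv sshd[4321]: Accepted publickey for kevin from 203.0.113.77 port 51022 ssh2
Dec 15 10:05:41 srv sshd[4350]: Failed password for root from 192.0.2.5 port 4022 ssh2
Dec 15 10:07:13 srv sshd[4377]: Failed password for invalid user admin from 198.51.100.200 port 3310 ssh2
Dec 15 10:09:55 srv sshd[4402]: Accepted publickey for kevin from 198.51.100.9 port 51100 ssh2
"""

_SOURCE_RE = re.compile(r"\bfrom (\S+) port \d+")


def parse_ranges(cidrs):
    """Turn CIDR strings into ip_network objects; strict=True rejects a
    prefix with host bits set (e.g. 203.0.113.5/24), so a typo fails loudly."""
    return [ipaddress.ip_network(c, strict=True) for c in cidrs]


def is_allowed(client_ip, networks):
    """True if client_ip falls inside any of the allow-listed networks."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in networks)


def build_iptables_rules(port, cidrs):
    """Return the iptables commands that accept `port` only from the listed
    prefixes and drop it from everywhere else. Returned as strings, not run,
    so the rule set can be reviewed before it is applied on the server."""
    rules = [f"iptables -A INPUT -p tcp --dport {port} -s {c} -j ACCEPT"
             for c in cidrs]
    rules.append(f"iptables -A INPUT -p tcp --dport {port} -j DROP")
    return rules


def audit_log(log_text, cidrs):
    """For each sshd line carrying a source address, report whether that
    source would have reached the daemon under the allow-list.
    Returns a list of (ip, allowed) tuples in log order."""
    networks = parse_ranges(cidrs)
    results = []
    for line in log_text.splitlines():
        m = _SOURCE_RE.search(line)
        if m:
            ip = m.group(1)
            results.append((ip, is_allowed(ip, networks)))
    return results


if __name__ == "__main__":
    for rule in build_iptables_rules(SSH_PORT, ALLOWED_RANGES):
        print(rule)
    for ip, ok in audit_log(SAMPLE_AUTH_LOG, ALLOWED_RANGES):
        print(f"{ip:18} {'allowed' if ok else 'would be dropped'}")
```

The final DROP rule is what turns the list into "just that smaller world"; without it the ACCEPT lines add nothing. Replaying the log against the allow-list is a cheap way to check, before applying the rules, that your own sessions are inside the range and the noise is outside it.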