Re: Security question
On Sat, 6 Dec 2003, Scott C. Linnenbringer wrote:
> On Sat, Dec 06, 2003, at 17:27 -0800, Alvin Oga wrote:
> > i say, if your ids does find an intruder .. game over ... too late ..
> Unless *you* don't know you're harboring an intruder...
yes... know people that had a cracker in their servers
for months and never noticed ...
they figured out something was wrong when they started
getting spam complaints.. for spam they never sent
- that's a guaranteed IDS system that works
if the cracker sends spam w/ your return email addy
if they got in, game is still over ... even if they are
idling in the server, and collecting other machines ..
and then launch the attack to wherever they were going after
- fairly common thing for them to do
- installing ("i'm gonna hide myself") root kits seems
a really dumb idea since any useful ids will notice the
changes in the system
- all the cracker wants to know is that the exploit worked
on the ip# 220.127.116.11 and keep track of the vulnerable
machines and then when the time comes .. if you
don't get caught first to go play later ..
- so use a different ip# everyday/every hour and
confuse um .. :-)
- imho... instead of worrying about ids..
- i'd rather read stuff on how to minimize the damage
the cracker can do ...
- if they crack one box, that's gone, but all
other servers keep happily chugging along
- protect your data as much as possible
- allowing passwdless logins is a bad idea ...
as they can break one box and have free access
to all of the rest of your passwdless boxes
- you should also require a DIFFERENT key phrase
for the other boxes
- lots of fun stuff to play with and think about ...