Useful Security Tools Re: hack lesson?

Warren Togami warren at togami.com
Sat Jan 12 03:24:25 PST 2002


This may be a good time to point out three useful security tools:

Tripwire - Maintains an encrypted database of your system files.  Run the
tripwire checker again later and you will KNOW if a system file was replaced
or infected.  Unfortunately Tripwire is difficult to set up and maintain, but
it is mostly foolproof if set up properly.

RPM Verification - RPM systems have a built in method of checking the
integrity of the files installed by the RPM system. Here is a little script
that will step through your installed RPMs and tell you what files have
been changed.  http://www.mplug.org/archive/2001/rpmcheck.sh
Unfortunately this method of checking is more susceptible to circumvention
because a hacker or rootkit could just replace your RPM data too.  This
little script is a quick and easy test, but results should NOT be trusted.

Virtual Private Servers http://www.solucorp.qc.ca/miscprj/s_context.hc
This is a NEAT kernel extension that allows you to run processes within
another security context, a virtual server within your real server.  It is
possible to make your system files (nearly) hack proof with this method even
if someone was able to crack root in one of your security contexts, because
they have NO WAY of escalating their permissions further, and they can't
modify your system files and binaries.  Virtual security contexts can
redirect their syslog to the main context, and tripwire can reside in the
main context.  This means 100% log integrity and tripwire cannot be fooled.

VPS is perhaps the most secure thing I've seen in Linux, but unfortunately
it requires far more setup than other tools.  On the bright side I can
probably run a Debian mini-installation within my Red Hat server, and use
Debian tools to upgrade the mini-contexts.  The possibilities are cool.

----- Original Message -----
From: "R Scott Belford" <sctinc at mac.com>
To: "Linux & Unix Advocates & Users" <luau at list.luau.hi.net>
Sent: Saturday, January 12, 2002 12:39 AM
Subject: [luau] Re: hack lesson?


> Thanks for the tips.  None of my service files in /etc/xinetd.d look
> corrupt.  Everything is off that I want off and on that I want on.  No
> mysterious new services (assuming ls is not compromised.) :)
> /etc/xinetd.conf looks fine.  I have found hacked directories before in
> /dev.  I won't spend much time looking around.  I have another drive and
> will be sending this to a well convicted hacking friend to dig
> through.  If there is something to use, I'll let him find it.
>
> scott

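The RPM verification check discussed above, as an added example that is not the linked rpmcheck.sh script: it parses constructed `rpm -Va` output and separates routine config drift from files that deserve a closer look. The sample lines are made up, and the triage rules are one reasonable set of assumptions, not anything the post prescribes.

```python
"""Triage `rpm -Va` output: which changed files look routine and which
deserve a closer look. Pure parsing; it never runs rpm itself."""
import re

# Position letters of the rpm -V attribute string and what each one means.
ATTR_MEANING = {
    "S": "size", "M": "mode", "5": "digest", "D": "device", "L": "symlink",
    "U": "owner", "G": "group", "T": "mtime", "P": "capabilities",
}
# Optional file-type column: c=config, d=doc, g=ghost, l=license, r=readme.
_LINE = re.compile(r"^(\S+)\s+(?:([cdglr])\s+)?(/\S.*)$")

# Constructed sample output, not taken from any real host.
SAMPLE_OUTPUT = """\
S.5....T.  c /etc/ssh/sshd_config
.......T.  c /etc/hosts
S.5....T.    /bin/ls
..5......    /usr/bin/passwd
.M.......    /var/log
missing      /usr/sbin/sshd
missing    d /usr/share/doc/foo/README
.......T.  g /var/lib/foo/cache
"""

def parse_line(line):
    """Return (path, changed-attribute set or 'missing', file type) or None."""
    m = _LINE.match(line.rstrip("\n"))
    if not m:
        return None           # dependency warnings and other chatter are skipped
    attrs, ftype, path = m.groups()
    # '.' means the test passed, '?' means it could not be performed.
    changed = "missing" if attrs == "missing" else {c for c in attrs if c not in ".?"}
    return path, changed, ftype

def triage(output):
    """Classify every reported file as 'expected', 'review' or 'suspicious'."""
    result = {}
    for line in output.splitlines():
        parsed = parse_line(line)
        if not parsed:
            continue
        path, changed, ftype = parsed
        if ftype == "g":      # ghost files are not shipped in the package
            continue
        if changed == "missing":
            verdict = "expected" if ftype in ("d", "l", "r") else "suspicious"
        elif ftype == "c":    # config files are meant to be edited by the admin
            verdict = "review" if changed & {"M", "U", "G", "D", "L"} else "expected"
        elif changed & {"5", "S", "L", "D"}:
            verdict = "suspicious"   # content of a non-config file changed
        elif changed & {"M", "U", "G", "P"}:
            verdict = "review"       # ownership/permission change only
        else:
            verdict = "expected"     # mtime-only drift, e.g. a backup restore
        result[path] = {"changed": changed, "type": ftype, "verdict": verdict}
    return result

if __name__ == "__main__":
    for path, info in sorted(triage(SAMPLE_OUTPUT).items()):
        print(f"{info['verdict']:<10} {path}")
```

Because an intruder may have rewritten the RPM database, treat "expected" as no more than a first pass; `rpm -Vp` verifies against a package file rather than the installed database.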