security

J.A. Neitzel jan.listbox at belvento.org
Sun Oct 7 10:39:24 PDT 2001


Daniel Roethlisberger wrote:
> Øyvind Repvik <mlists at netcom.no> wrote:
>> The probability of someone skilled trying to hack a system on a
>> dialupline is increasingly slim, and *if* that is to happen...
>> Well... I guess it's time to rebuild.
> 
> hmm it is not just that easy. I don't know what you have on your
> boxes, but think of GPG private keys, SSL private certs, SSH
> private keys. Even worse, you might not even notice someone broke
> in, unless you run tripwire (do you?). An intruder could replace
> your ssh client with a trojaned one (remember the apache.org break
> in?). An intruder could install a sniffer and discover your local
> passwords (is your LAN traffic all encrypted?). An intruder could
> install a DDoS node. Or hop off your box to do more dangerous
> break-ins (.mil, .gov?). Would you notice? :)
> 
> I've seen a modem dial-up box of a friend of mine being rooted in
> no time. They installed several backdoors, but mostly IRC stuff (a
> daemon, eggdrops, war-tools). Kids, judging by what they left
> behind, but it could have been much worse..
> 
> I'm not saying that a base LFS install can be remotely
> compromised. I think that the average finished LFS system is much
> more secure than the average RedHat, SuSE, Debian. But it only
> takes a single flawed client or daemon and it's too late. And -if-
> it happens, it's not just going to be like "oh, ok, then I just
> rebuild". On my boxes at least, rebuilding would be the very least
> of my troubles... ;)

I think, Daniel Roethlisberger, that you have very very good points!
I always say that paranoia is good. I am ultra-paranoid wrt these
things. Are you more paranoid than I am??? ;)

Anyway, I don't do tripwire. It was too much bother for my home machine.
The good thing is though... You can basically achieve the same
objective as tripwire by following various post-LFS-installation steps
before you go off and install all the other stuff.

A quite simple way is to take an md5sum of important things. Of course,
there are paranoia steps on top of that. Where to put your new list of
files and their MD5 sum values? I have some scripts that I always run
to do this. It puts important bins off the system in an encrypted loop
file, or a cramfs, with the proper owner/permissions. This has worked
pretty well for me... BTW, that cramfs is pretty neat! =)

Using these methods, I can even merge my newly installed software into
it pretty easily. The only annoyance is when I go off and install a new
kernel and modules. Of course, I'm gonna get all sorts of warnings that
"...computed checksums did NOT match".

You know the one thing I wonder about? You know how people carry their
home directories around from old system to new system? There could be
unwanted cracker leftovers in there. So, a new system could be
automatically compromised by not knowing that the old system was
compromised last year..? Hmmm...

I'll stop now =)
-- 
Jeff
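The checksum baseline Jeff describes, as an added example that is not part of the original post or of any LFS/BLFS script: build a sum list of a directory with coreutils, verify it, and refresh a single entry after a deliberate reinstall so a new kernel does not force a full rebaseline. The directory, the file names and the two "binaries" in demo() are constructed stand-ins, and the baseline path is hypothetical; HASH defaults to md5sum as in the post but accepts sha256sum (same -c interface), which is what you would use today since MD5 is no longer collision resistant.

```shell
#!/bin/sh
# Added example, not from the post: a minimal checksum baseline in the
# spirit of the "md5sum of important things" approach, using only
# coreutils.  Every path and the sample files in demo() are constructed
# stand-ins, not real system files.
#
# HASH can be set to sha256sum (same -c interface); md5sum is what the
# post used, but MD5 is no longer collision resistant.
HASH=${HASH:-md5sum}

# make_baseline DIR OUT
# Write one "checksum  path" line per regular file under DIR to OUT,
# sorted by path so two baselines can be diffed.  OUT belongs on
# read-only or off-system media (the post's cramfs / encrypted loop
# file), not on the disk it describes.
make_baseline() {
    dir=$1; out=$2
    find "$dir" -type f -exec "$HASH" {} + | sort -k2 > "$out"
}

# verify_baseline BASELINE
# Recompute every checksum.  Returns 0 if all match; otherwise prints the
# changed or missing entries to stderr and returns 1.
verify_baseline() {
    base=$1
    # "$HASH -c" prints "path: OK" for matches and "path: FAILED" (or
    # "path: FAILED open or read" for a missing file).  Keep the non-OK
    # lines; "|| true" stops grep's no-match status from aborting a caller
    # running under set -e.
    bad=$("$HASH" -c "$base" 2>/dev/null | grep -v ': OK$' || true)
    if [ -n "$bad" ]; then
        printf 'WARNING: computed checksums did NOT match:\n%s\n' "$bad" >&2
        return 1
    fi
    return 0
}

# refresh_entry BASELINE FILE
# After you knowingly replace FILE (new kernel, new package), replace just
# its line instead of regenerating the whole baseline, so every other
# entry still reflects the state you last vetted.
refresh_entry() {
    base=$1; file=$2
    # drop the old line: strip the leading "<hex>  " and compare the path
    awk -v f="$file" '{ p = $0; sub(/^[0-9a-f]+  /, "", p) } p != f' \
        "$base" > "$base.tmp"
    "$HASH" "$file" >> "$base.tmp"
    mv "$base.tmp" "$base"
}

# demo: run the three cases on constructed files in a scratch directory and
# print the three verify results ("0 1 0": clean, tampered, refreshed).
demo() {
    work=$(mktemp -d)
    mkdir -p "$work/bin"
    printf 'fake sshd binary v1\n'  > "$work/bin/sshd"   # constructed
    printf 'fake login binary v1\n' > "$work/bin/login"  # constructed
    make_baseline "$work/bin" "$work/baseline.sum"

    # 1. nothing touched: all checksums match
    if verify_baseline "$work/baseline.sum"; then r1=0; else r1=1; fi
    # 2. sshd silently replaced (the trojaned-binary scenario): mismatch
    printf 'trojaned sshd\n' > "$work/bin/sshd"
    if verify_baseline "$work/baseline.sum"; then r2=0; else r2=1; fi
    # 3. we reinstalled sshd ourselves, so refresh its entry: clean again
    refresh_entry "$work/baseline.sum" "$work/bin/sshd"
    if verify_baseline "$work/baseline.sum"; then r3=0; else r3=1; fi

    rm -rf "$work"
    echo "$r1 $r2 $r3"
}

demo
```

The check is only as trustworthy as the tools that run it: an intruder with root can replace md5sum, find or the kernel's view of the file system as easily as the binaries being checked, which is why the post keeps both the sum list and the vetted binaries off-system on a cramfs or encrypted loop file. Run the verification from that media, or from a boot disk, rather than from the host's own /usr/bin.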
