[lfs-support] LFS + Rootkits

loki loki at pancevo.rs
Sun Apr 8 11:06:50 PDT 2012


Heya,

First this is not a support request but a live story from someone 
using LFS heavily in real life situations and servers and why I would 
choose LFS before any distribution based server.
Let me introduce myself. I'm into LFS since version number 3 - 4. 
Can't remember exactly anymore. A lot of water under the bridge since 
then. For the past four years I have worked for a governmental agency 
where I have installed some servers, all running LFS. From version 6.1 - 
6.8 (32 and 64 bit) (DNS, WEB, MAIL and so on).
Well after years of using it one of our servers got hacked (because 
some of the users didn't pay attention to my ramblings about 
usernames and passwords) and a rootkit was installed. When I logged 
in and tried to ls I saw that ls gave me a segmentation fault error. 
After some more minutes I saw that there are some files that I didn't 
install. Then it hit me. "YOU GOT HACKED". But the services still 
worked fine. So I put up a very restrictive Iptables on the router 
for this server. Just the service could go through. After checking 
the log files I figured that the intrusion took place 5 days before 
when I had to open iptables for ssh for one of our 3rd party 
maintenance crew. So why is LFS better than distros? I made heavy 
customizations during the compilations, so when the rootkit was 
applied none of the newly installed apps worked. Not even ls. Because 
they were compiled for normal distros and normal shared libs which 
you can't use on custom made systems. The baseline is this: the 
intruder couldn't do any heavy damage, the services still work, the 
intruder was detected (which is very difficult with rootkits; this one 
even rkhunter didn't detect), and downtime will be only the time when I 
extract the non-compromised documents to the new server, which will 
be even more hardened.

So kids use LFS, it is a great tool and if you are into the business 
of servers you will learn how they function, something a distro can't 
teach you. And you don't have to rely on someone who you don't know 
did a good job securing the distro, or worry that you missed a 
config file and your server is wide open. LFS + BLFS is just the 
beginning; there is a whole world of tarballs on the Internet out 
there. GO MAD !!! :-)

L...