On Thu, 2002-06-13 at 20:33, Justin Coffey wrote:
> > > One thing I forgot to mention in my last mail - I have seen an attacker
> > > be tricky enough to set up firewall rules that only allowed their
> > > machine to connect to their backdoor, so it wouldn't show up on a scan.
>
> Well, you can always fix that by replacing your kernel with a Known Good
> One (tm) that has ip filtering/tables/chains/whatever disabled and no
> loadable module support. I recommend canning loadable module support
> anyway, on any sort of server (it's not like you're going to change the
> hardware config that often...)
Yeah, I was mentioning it more as a possible scenario where a machine would show all ports filtered to a security scan, but still be open to a hacker, and that I was looking for ways to detect this :)

As I mentioned, another way to confirm you're getting valid information would be to check for consistency of the kernel symbol table against the System.map. I have something of an aversion to rebooting a machine suspected of compromise simply because some backdoors may not start on a reboot (either by design or by accident).

And honestly the chance of a compromise of this sort isn't high enough for me to lose the benefits of a single module-enabled kernel across all my machines. No, I may not change hardware on an individual machine all that often, but taking the entire server pool into account, I have three different SCSI drivers, three different NIC drivers, etc, etc, and that's even with the majority of our hardware being from the same vendor.

Granted, priorities might be different on other people's networks. But the risk of having loadable modules enabled is fairly small so long as you keep up to date on all relevant patches, filter any and all traffic down to the bare minimum, keep machines private that don't need to be publicly accessible, and perform regular audits.

Matt
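The symbol-table check Matt describes, as an added example that is not part of the original thread: it parses a trusted System.map and a live symbol listing in /proc/kallsyms format, and reports symbols whose address differs or that have disappeared. It goes slightly beyond the mail by comparing offsets relative to an anchor symbol (assumed here to be `_stext`), so a uniform KASLR shift of the whole kernel is not reported as a mismatch; the sample tables are constructed, not real kernel data.

```python
import re

# /proc/kallsyms lines look like "addr type name [module]"; System.map has no module column.
LINE_RE = re.compile(r"^([0-9a-fA-F]+)\s+(\S)\s+(\S+)(?:\s+\[(\S+)\])?$")

def parse_symbols(text):
    """Return {name: address} for core-kernel symbols; module symbols are skipped."""
    syms = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m and m.group(4) is None:
            syms[m.group(3)] = int(m.group(1), 16)
    return syms

def compare_symbol_tables(system_map_text, kallsyms_text, anchor="_stext"):
    """Return sorted (name, expected_offset, observed_offset) mismatches.
    Offsets are relative to `anchor`, so a uniform KASLR shift of the whole
    kernel is not flagged; observed_offset is None when the symbol is absent."""
    trusted = parse_symbols(system_map_text)
    live = parse_symbols(kallsyms_text)
    if anchor not in trusted or anchor not in live:
        raise ValueError(f"anchor symbol {anchor!r} missing from a table")
    t_base, l_base = trusted[anchor], live[anchor]
    mismatches = []
    for name, t_addr in trusted.items():
        if name not in live:
            mismatches.append((name, t_addr - t_base, None))
        elif live[name] - l_base != t_addr - t_base:
            mismatches.append((name, t_addr - t_base, live[name] - l_base))
    return sorted(mismatches)

# Constructed sample input (not real kernel data): the live table is shifted by
# 0x1000 as a whole, sys_read sits at an unexpected offset and sys_call_table
# is gone, while a loaded module contributes an unrelated symbol.
SYSTEM_MAP = """\
c0100000 T _stext
c0105a00 T sys_read
c0105b20 T sys_write
c0107000 D sys_call_table
"""
KALLSYMS = """\
c0101000 T _stext
c0109a00 T sys_read
c0106b20 T sys_write
d0801000 t hooked_read\t[somemod]
"""

if __name__ == "__main__":
    for name, expected, observed in compare_symbol_tables(SYSTEM_MAP, KALLSYMS):
        print(f"{name}: expected anchor+{expected:#x}, observed {observed}")
```

On a real host the two inputs would be the System.map saved from a trusted build and the current /proc/kallsyms (or /proc/ksyms on kernels of that era); a clean comparison only says the symbol table is consistent, not that the code behind those symbols is unmodified.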