Re: Hard Disk Failure
On 2/27/06, Jeff Kinz [EMAIL PROTECTED] wrote:
> Don't you even want to know about the secretary who lost her job for moving her phone? :-(

I was assuming that was a reference to EMSEC (TEMPEST). Did I guess wrong?

-- Ben
___
gnhlug-discuss mailing list
gnhlug-discuss@mail.gnhlug.org
http://mail.gnhlug.org/mailman/listinfo/gnhlug-discuss
Deployment
Hi everybody (Hi Dr. Nick!),

As Bruce rightly points out, time is running short. The server now known as liberty appears to be operating okay and nobody's screamed in pain yet, so I guess we can use the existing install as is if we have to. If anyone wants major changes in system configuration, speak now.

What do we need to get done before we install it at the ISP, and thus release physical control of and access to the box?

- BIOS password
- Disable boot from non-HD in BIOS
- Boot loader password and restrictions
- Strong root password (currently non-trivial but still too easy)
- Confirm RAID boot works
- Any firewall hardening?
- Tripwire/etc (filesystem IDS)?
- PortSentry or the like?

Anything else?

-- Ben
Pre-deployment security (Tripwire, etc.)
Hi all,

A good thing to do would be to use Tripwire or similar to build a known good database of file signatures prior to deployment. When it comes to intrusion detection and compromise recovery, this is the only way to be sure.

I did some work with Tripwire and alternatives a few years ago, although I haven't touched it recently. Anyone want to toss out alternatives/suggestions/best practices/etc?

-- Ben
Re: Deployment
On Feb 27, 2006, at 10:53, Ben Scott wrote:
> - BIOS password
> - Disable boot from non-HD in BIOS
> - Boot loader password and restrictions

I haven't worked with MV before, so
* are these MV requests?
* would MV hit a reset button and choose a kernel if we got into a bind?

The theory being, let's not secure the box such that someone has to drive in if a kernel update goes bad and there's another option. Assuming MV has access control to their server room, backups and auditing may be better than securing against physical attack. The determined attacker can always just steal a RAID drive.

-Bill

-
Bill McGonigle, Owner          Work: 603.448.4440
BFC Computing, LLC             Home: 603.448.1668
[EMAIL PROTECTED]              Cell: 603.252.2606
http://www.bfccomputing.com/   Page: 603.442.1833
Blog: http://blog.bfccomputing.com/
VCard: http://bfccomputing.com/vcard/bill.vcf
Re: Pre-deployment security (Tripwire, etc.)
On Mon, 2006-02-27 at 10:57 -0500, Ben Scott wrote:
> Hi all,
>
> A good thing to do would be to use Tripwire or similar to build a known good database of file signatures prior to deployment. When it comes to intrusion detection and compromise recovery, this is the only way to be sure.
>
> I did some work with Tripwire and alternatives a few years ago, although I haven't touched it recently. Anyone want to toss out alternatives/suggestions/best practices/etc?

I would recommend ftimes as an alternative to tripwire. It captures quite a lot of information for both windows and unix file systems.

Here's an example execution. The commands below collect all file system information for the /tmp directory and send the output to a file.

  # ftimes --mapauto all -l 6 /tmp /tmp/baseline.map
  # ftimes --mapauto all -l 6 /tmp /tmp/snapshot.map

Here's what the baseline.map file looks like; the pipe character is the delimiter.

  # head -3 /tmp/baseline.map
  name|dev|inode|mode|nlink|uid|gid|rdev|atime|mtime|ctime|size|magic|md5
  /tmp/.snap|1040|3|40775|2|0|5|3016|2006-02-21 08:05:29|2006-01-20 14:55:58|2006-01-20 14:55:58|512||DIRECTORY
  /tmp/err|1040|5|100644|1|0|0|3024|2006-02-23 16:27:07|2005-07-09 00:30:26|2005-07-09 00:30:26|2698||6decb5604954792a16e0cdd22ff71cb5

It's trivial to compare a baseline and snapshot as shown with the command below. The results follow the command, which show that /tmp/snapshot.map is a new file (N), and the /tmp directory and /tmp/baseline.map files have changed (C).

  # ftimes --compare all-atime-magic /tmp/baseline.map /tmp/snapshot.map
  category|name|changed|unknown
  C|/tmp/baseline.map|size,md5|
  N|/tmp/snapshot.map||
  C|/tmp|mtime,ctime|

You can get ftimes here: http://ftimes.sourceforge.net/FTimes/index.shtml

If you have any questions on ftimes, you can email me directly. I support and contribute to the project.

--- Andy
Re: Pre-deployment security (Tripwire, etc.)
On Mon, 27 Feb 2006 10:57:02 -0500 Ben Scott [EMAIL PROTECTED] wrote:
> I did some work with Tripwire and alternatives a few years ago, although I haven't touched it recently. Anyone want to toss out alternatives/suggestions/best practices/etc?

As one who does not do this stuff as a day job, but who worries, I found Tripwire and Snort to be a good combo. Of course you need to have reports sent to you, and then you need to read the reports and think about what you see in the reports.

Ed Lawson
Re: Host-based intrusion detection (was Pre-deployment security)
On Monday 27 February 2006 11:16 am, Bair,Paul A. wrote:
> If you have any questions on ftimes, you can email me directly. I support and contribute to the project.

I've always used AIDE myself. I remember looking into it a few years ago and found it to be preferable at least to Tripwire, though I understand that Tripwire has a few admin GUIs that make it more worthwhile if you want to go commercial.

I'm curious what you think though if you're contributing to a project in this space. How familiar are you with the other competing projects and what each has in terms of strengths/weaknesses? I've never heard of ftimes, but am curious about it and others, if you'd care to expound a bit.

-Neil
Re: Deployment
> Crap! This was supposed to go to a different list.

I, for one, found it useful.

md
--
Jon maddog Hall
Executive Director          Linux International(R)
email: [EMAIL PROTECTED]    80 Amherst St.
Voice: +1.603.672.4557      Amherst, N.H. 03031-3032 U.S.A.
WWW: http://www.li.org
Board Member: Uniforum Association, USENIX Association

(R)Linux is a registered trademark of Linus Torvalds in several countries.
(R)Linux International is a registered trademark in the USA used pursuant to a license from Linux Mark Institute, authorized licensor of Linus Torvalds, owner of the Linux trademark on a worldwide basis
(R)UNIX is a registered trademark of The Open Group in the USA and other countries.
Re: Pre-deployment security (Tripwire, etc.)
> I did some work with Tripwire and alternatives a few years ago, although I haven't touched it recently. Anyone want to toss out alternatives/suggestions/best practices/etc?

The first thought that comes to mind is, is it overkill? Really necessary? To do Tripwire or AIDE right requires a fair amount of work -- and makes software updates quite a bit more difficult than simply running yum or apt-get.

As I'm sure you're aware, to do Tripwire or AIDE properly, the database has to be on read-only media. IMHO, that means burned to a CD. Doing updates on a remote box without easy physical access is going to be a PITA.

Regards,
. Randy
--
Do you like browsing the web, independent of whatever type of computer you are talking to on the other end? Enhancements to public standard protocols are the way the WWW will be turned into a proprietary nightmare.
Re: Deployment
On 2/27/06, Jon maddog Hall [EMAIL PROTECTED] wrote:
> > Crap! This was supposed to go to a different list.
>
> I, for one, found it useful.

Well, anyone who's interested in system administration as a spectator sport is welcome to watch:

  http://mail.gnhlug.org/mailman/private/gnhlug-sysadmin/
  http://wiki.gnhlug.org/twiki2/bin/view/Organizational/InternetServer

If you're interested in helping out, it's kind of late to contribute for initial decisions, but help with future endeavors is both welcome and needed:

  http://wiki.gnhlug.org/twiki2/bin/view/Organizational/ServerAnnounce

-- Ben "Full Contact System Administrator" Scott
OFBiz
Has anybody deployed Open for Business? I have a client who seems like a good match for it but I'd like to hear real success/horror stories before stepping out of Theory World:

  http://www.ofbiz.org/

Introduction: What is OFBiz?

> The Open For Business Project is an open source enterprise automation software project licensed under the MIT Open Source License. By open source enterprise automation we mean: Open Source ERP, Open Source CRM, Open Source E-Business / E-Commerce, Open Source SCM, Open Source MRP, Open Source CMMS/EAM, and so on.

-Bill
Re: Host-based intrusion detection (was Pre-deployment security)
On Mon, 2006-02-27 at 12:35 -0500, Neil Schelly wrote:
> On Monday 27 February 2006 11:16 am, Bair,Paul A. wrote:
> > If you have any questions on ftimes, you can email me directly. I support and contribute to the project.
>
> I've always used AIDE myself. I remember looking into it a few years ago and found it to be preferable at least to Tripwire, though I understand that Tripwire has a few admin GUIs that make it more worthwhile if you want to go commercial.
>
> I'm curious what you think though if you're contributing to a project in this space. How familiar are you with the other competing projects and what each has in terms of strengths/weaknesses? I've never heard of ftimes, but am curious about it and others, if you'd care to expound a bit.
>
> -Neil

Unfortunately, I'm not a great resource for comparing these tools and I also try not to bash other tools. That said, I use ftimes for these reasons:

- ftimes is free
- there are several recipes to help you deal with ftimes data: http://ftimes.sourceforge.net/FTimes/Cookbook.shtml
- ftimes produces nice delimited output that is easily importable to a db. I'm not sure if the tripwire output can be parsed that easily.
- ftimes has a 'dig' mode which allows me to search an entire drive for one or more regular expressions. This makes it nice to search for known trojan signatures, or IP addresses, etc.
- ftimes has a great 'compare' mode that allows you to compare any fields it collects. So if you only want to see files whose md5s changed, you would execute ftimes like this:

    # ftimes --compare none+md5 baseline.map snapshot.map

- ftimes works on unix and windows (and it finds Alternate Data Streams in windows)
- ftimes url-encodes non-printable characters in the output file, which is very handy when dealing with wacky named files. Malicious programs tend to create unusually named files.
- while I don't use it often, ftimes also integrates the unix file magic when scanning files. So, this helps identify the file type quickly.
- ftimes has a test harness used to validate the tool (http://cvs.sourceforge.net/viewcvs.py/ftimes/ftimes/tests/)

Later,
Andy
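Added example, not part of Andy's posts or of the ftimes project: a small Python comparator for the pipe-delimited map format shown in the two posts above, modelling ftimes' --compare masks such as `all-atime-magic` and `none+md5` on constructed baseline and snapshot maps. Rows correspond to the `category|name|changed` columns in the post; the `M` category for entries that vanished between the two maps is my own label, since the posts show only `C` and `N`.

```python
import re

# Constructed sample maps shaped like the `head -3` output in the post.
BASELINE = """name|dev|inode|mode|nlink|uid|gid|rdev|atime|mtime|ctime|size|magic|md5
/tmp/.snap|1040|3|40775|2|0|5|3016|2006-02-21 08:05:29|2006-01-20 14:55:58|2006-01-20 14:55:58|512||DIRECTORY
/tmp/err|1040|5|100644|1|0|0|3024|2006-02-23 16:27:07|2005-07-09 00:30:26|2005-07-09 00:30:26|2698||6decb5604954792a16e0cdd22ff71cb5
/tmp/old|1040|7|100644|1|0|0|3024|2006-02-23 16:27:07|2005-07-09 00:30:26|2005-07-09 00:30:26|10||d41d8cd98f00b204e9800998ecf8427e
"""
SNAPSHOT = """name|dev|inode|mode|nlink|uid|gid|rdev|atime|mtime|ctime|size|magic|md5
/tmp/.snap|1040|3|40775|2|0|5|3016|2006-02-27 09:00:00|2006-01-20 14:55:58|2006-01-20 14:55:58|512||DIRECTORY
/tmp/err|1040|5|100644|1|0|0|3024|2006-02-27 09:00:00|2006-02-27 08:59:10|2006-02-27 08:59:10|2698||0123456789abcdef0123456789abcdef
/tmp/new|1040|9|100644|1|0|0|3024|2006-02-27 09:00:00|2006-02-27 08:59:30|2006-02-27 08:59:30|40||fedcba9876543210fedcba9876543210
"""

def parse_map(text):
    """Parse a pipe-delimited map into (field names, {name: {field: value}})."""
    header, *body = [ln for ln in text.splitlines() if ln.strip()]
    fields = header.split("|")
    records = {}
    for ln in body:
        values = ln.split("|")
        if len(values) != len(fields):  # a truncated or tampered line is an error, not a guess
            raise ValueError(f"malformed record: {ln!r}")
        records[values[0]] = dict(zip(fields, values))
    return fields, records

def parse_mask(mask, fields):
    """Expand a mask such as 'all-atime-magic' or 'none+md5' into field names."""
    comparable = [f for f in fields if f != "name"]
    m = re.fullmatch(r"(all|none)((?:[+-][a-z0-9]+)*)", mask)
    if m is None:
        raise ValueError(f"bad mask: {mask!r}")
    selected = set(comparable) if m.group(1) == "all" else set()
    for sign, field in re.findall(r"([+-])([a-z0-9]+)", m.group(2)):
        (selected.add if sign == "+" else selected.discard)(field)
    return [f for f in comparable if f in selected]

def compare(baseline, snapshot, mask="all"):
    """Rows of (category, name, changed): C changed, N new, M vanished (my label)."""
    bfields, base = parse_map(baseline)
    sfields, snap = parse_map(snapshot)
    fields = parse_mask(mask, [f for f in bfields if f in sfields])
    rows = []
    for name in sorted(set(base) | set(snap)):
        if name not in base:
            rows.append(("N", name, ""))
        elif name not in snap:
            rows.append(("M", name, ""))
        else:
            changed = [f for f in fields if base[name][f] != snap[name][f]]
            if changed:  # only report entries that differ in a selected field
                rows.append(("C", name, ",".join(changed)))
    return rows
```

Calling `compare(BASELINE, SNAPSHOT, "all-atime-magic")` ignores the atime churn on /tmp/.snap and flags only /tmp/err (mtime, ctime, md5), the new /tmp/new and the vanished /tmp/old.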
Re: Deployment
[EMAIL PROTECTED] said:
> Well, anyone who's interested in system administration as a spectator sport is welcome to watch:
> http://mail.gnhlug.org/mailman/private/gnhlug-sysadmin/

This required a login name and password, and going there is out of band for me.

> http://mail.gnhlug.org/mailman/private/gnhlug-sysadmin/

I found this interesting, but specific to a particular need, whereas your initial question, and the answers, were more general.

I would not mind a more open discussion on the discuss mailing list about the technical issues of what type of security and access should happen in a rack-mount, remote system, keeping the tender issues of whether the machine should be named liberty or moose to a smaller, more impassioned group.

I feel more along the same lines as the guy who said:

[EMAIL PROTECTED] said:
> Benefits of a group approach:
> * We have few people who know everything that we need
> * We have few people, period
> * Learning experience for those involved
> * Knowledge resource for others who are interested
> * Demonstration of the power of Linux
> * Transparency of GNHLUG operations

Ignoring the first two bullets, the last four are what the discuss list is all about.

md
--
Jon maddog Hall
Executive Director          Linux International(R)
Re: Deployment
Bill McGonigle wrote:
> I haven't worked with MV before, so
> * would MV hit a reset button and choose a kernel if we got into a bind?

Not speaking for MV, but being a MV customer for many years, the answer has been yes. I have had them do just that for us in an emergency (as well as other helpful things, such as inserting a boot CD, or even hooking up a monitor and reading me what was on the screen). Now that I'm less than 10 minutes away from MV, it's easy to gain access 24x7 with my security card, so I haven't needed that sort of help from them in a while.

--
Dan Jenkins ([EMAIL PROTECTED])
Rastech Inc., Bedford, NH, USA --- 1-603-206-9951
*** Technical Support for over a Quarter Century
Re: Unkillable processes?
Jerry Feldman [EMAIL PROTECTED] writes:
> On Sat, 25 Feb 2006 02:36:01 -0500 [EMAIL PROTECTED] wrote:
> > When I encounter processes which are unresponsive to kill -9, I find that this generally works:
> >
> >   runlevel   # say the current runlevel is 3
> >   telinit 1
> >   telinit 3
> >
> > This will almost always work, especially with zombie processes. What you are doing is transitioning into single-user mode.
>
> Ahm yeah, that's not usually an option on a production server :)
>
> Then of course going to run level 6 tends to cure all ills :-)

Yes, yes it does. I usually try to find what the problem is using ps and lsof and a variety of other tricks to fix things before trying runlevel 6. On a production system, it's sometimes better to just leave the system alone and wait if it's not causing any major problems, as a reboot is often more disruptive than anything else.

-- Seeya, Paul
Re: Bypassing DNS?
Ben Scott [EMAIL PROTECTED] writes:
> On 2/23/06, Paul Lussier [EMAIL PROTECTED] wrote:
> > > If you want more immediate response, I would suggest running a local instance of BIND as a caching server.
> >
> > Probably not. This is for an embedded system, for which the desire is as little complexity as possible. Configuring a caching name server would add a significant layer of complexity which our support people are not qualified to deal with.
>
> You really think so? A caching-only nameserver requires no configuration with BIND; about all you have to do is install it. You might want to pre-configure a restriction that it only listens to the localhost, but that config file would be the same everywhere. Even if you wanted to configure forwarders, you could do that with a simple included file. What's the big deal?
>
> If you're worried about footprint, DJB's tinydns caching-only resolver is, well, pretty tiny.

What I'm concerned about is the number of packages listed as dependencies for the package which will have to be dragged in, the addition of config files, the amount of additional testing required for adding this package and its config files, etc. This isn't just a matter of adding a single package and tweaking a file once. This is about drastically changing the makeup of a whole product and the manpower behind delivering said product.

I'm not saying it's not the right choice, just that a) it's a lot more than just doing it, b) it's not necessarily my call, c) people with less technical understanding than engineers are the ones requiring justification and who ultimately control the expenditure of the required resources (i.e. my or others' time).

-- Seeya, Paul