Re: '(no
On Sat, 15 Sep 2001, Dimitri Maziuk wrote:

> If you suspect your machine was r00ted,
> 1. Take it off the net _now_.

This may be dangerous: some rootkits run a sort of heartbeat utility that detects that the box was disconnected from the net and runs something nasty (e.g. rm -rf /) in that case. This is one of those very few cases in which sync'ing two or three times and then pulling the power plug may be the safest bet...

just my .01 euros...

Giacomo

--
Giacomo Mulas <[EMAIL PROTECTED]>, <[EMAIL PROTECTED]>
OSSERVATORIO ASTRONOMICO DI CAGLIARI
Str. 54, Loc. Poggio dei Pini * 09012 Capoterra (CA)
Tel.: +39 070 71180 216   Fax: +39 070 71180 222
"When the storms are raging around you, stay right where you are" (Freddy Mercury)

--
To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
Re: '(no
On Sat, 15 Sep 2001, Petro wrote:

> If you believe that you've been hacked, fdisk and restore from backup--if you are absolutely positive your backup is clean. Otherwise rebuild from scratch.

I can easily agree with the above, emphasizing the "if" clause on top of it. You do not want to wipe away your computer and spend a good amount of time rebuilding it unless you _believe_ it has been rooted. That's why you unplug it (to begin with) and carefully check the contents of its hard disk(s) using a known good system, possibly using another computer altogether to do the check. THEN you wipe the compromised system away and reinstall it...

Bye
Giacomo

--
Giacomo Mulas <[EMAIL PROTECTED]>, <[EMAIL PROTECTED]>
OSSERVATORIO ASTRONOMICO DI CAGLIARI
Str. 54, Loc. Poggio dei Pini * 09012 Capoterra (CA)
Tel.: +39 070 71180 216   Fax: +39 070 71180 222
"When the storms are raging around you, stay right where you are" (Freddy Mercury)
Absolutely can't disable Keyboard-Interactive authentication in OpenSSH.
For more than six months now, I've been trying to disable Keyboard-Interactive authentication in OpenSSH. Still, ssh -v shows the following when connecting to the server:

    debug1: authentications that can continue: publickey,keyboard-interactive

The server's sshd_config is as follows:

    Port 22
    Protocol 2
    ServerKeyBits 1024
    Banner /etc/sshbanner.txt
    HostKey /etc/ssh/ssh_host_dsa_key
    KeepAlive yes
    PermitRootLogin yes
    KbdInteractiveAuthentication no
    PasswordAuthentication no
    KeyRegenerationInterval 3600
    StrictModes yes
    SyslogFacility AUTH
    LogLevel INFO
    Subsystem sftp/usr/lib/sftp-serve

Despite the fact that Keyboard-Interactive is disabled in the configuration file, the SSH server still allows Keyboard-Interactive connections. This has caused me many months of sleepless nights. May God richly bless anyone who can solve this dilemma.

Thanks.

--
Protect yourself from spam, use http://sneakemail.com
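An added example, not part of the original question and not OpenSSH's own code: a small Python auditor that resolves the posted sshd_config the way sshd_config(5) says sshd does (comments stripped, keywords case-insensitive, first occurrence wins, unset keywords keep their default), reports which authentication directives were left at their defaults, and compares the methods the config should yield against the list ssh -v printed. It assumes the defaults in AUTH_DEFAULTS, in particular that ChallengeResponseAuthentication (default yes; renamed KbdInteractiveAuthentication in OpenSSH 8.7) is what keeps keyboard-interactive on offer; whether that is what the poster's 2001 server was doing is not settled in this thread. The sample config is the one quoted above minus its Subsystem line.

```python
"""Audit an sshd_config for the authentication methods it actually leaves enabled.
Added example; resolution rules follow sshd_config(5)."""
import re

# Assumed defaults for the directives that decide which methods sshd offers.
# ChallengeResponseAuthentication is the directive that long enabled
# keyboard-interactive; leaving it at its default keeps that method on offer.
AUTH_DEFAULTS = {
    "pubkeyauthentication": "yes",
    "passwordauthentication": "yes",
    "challengeresponseauthentication": "yes",
    "permitrootlogin": "yes",
}

# The configuration and the ssh -v line quoted in the post above.
SAMPLE_SSHD_CONFIG = """\
Port 22
Protocol 2
ServerKeyBits 1024
Banner /etc/sshbanner.txt
HostKey /etc/ssh/ssh_host_dsa_key
KeepAlive yes
PermitRootLogin yes
KbdInteractiveAuthentication no
PasswordAuthentication no
KeyRegenerationInterval 3600
StrictModes yes
SyslogFacility AUTH
LogLevel INFO
"""
SAMPLE_SSH_DEBUG = "debug1: authentications that can continue: publickey,keyboard-interactive\n"


def parse_sshd_config(text):
    """Resolve a config the way sshd does: comments stripped, keywords
    case-insensitive, and the FIRST occurrence of a keyword wins."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) == 2:
            settings.setdefault(parts[0].lower(), parts[1].strip())
    return settings


def effective_auth(settings):
    """Map each audited directive to (lower-cased value, was it set explicitly)."""
    return {k: (settings.get(k, d).lower(), k in settings) for k, d in AUTH_DEFAULTS.items()}


def expected_methods(settings):
    """Methods the config, with defaults filled in, should lead sshd to offer."""
    eff = effective_auth(settings)
    methods = set()
    if eff["pubkeyauthentication"][0] == "yes":
        methods.add("publickey")
    if eff["passwordauthentication"][0] == "yes":
        methods.add("password")
    if eff["challengeresponseauthentication"][0] == "yes":
        methods.add("keyboard-interactive")
    return methods


def offered_methods(ssh_debug):
    """Pull the method list out of the 'authentications that can continue' line of ssh -v."""
    match = re.search(r"authentications that can continue:\s*([\w,-]+)", ssh_debug)
    return set(match.group(1).split(",")) if match else set()


def audit(config_text, ssh_debug=""):
    """Report directives left at their defaults, the root-login setting, and any
    method the server advertises that the config does not account for."""
    settings = parse_sshd_config(config_text)
    eff = effective_auth(settings)
    findings = []
    for key, (value, explicit) in eff.items():
        if not explicit:
            findings.append(f"{key} is not set; the default '{value}' applies")
    if eff["permitrootlogin"][0] == "yes":
        findings.append("permitrootlogin yes: root may log in directly over ssh")
    if ssh_debug:
        for method in sorted(offered_methods(ssh_debug) - expected_methods(settings)):
            findings.append(f"server offers '{method}' but the config does not enable it")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_SSHD_CONFIG, SAMPLE_SSH_DEBUG):
        print(finding)
```

Run against the real file with `open("/etc/ssh/sshd_config").read()` and the output of `ssh -v`. For the posted config the auditor reports that ChallengeResponseAuthentication was never set, which is consistent with keyboard-interactive still being advertised. A method reported as "offered but not enabled" points away from the file being edited: the daemon may be reading a different file (`sshd -f`), may not have been restarted, or may be a second instance; on any OpenSSH since 5.1, `sshd -T` prints the configuration the daemon actually resolved.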
Re: GPG fingerprints
> Then, get in touch with me by some secure means and confirm that
[snip]

I think that rather than "secure" it might be better to say "using some other means of authentication". Authentication can mean a lot of things, with the method depending on the level of security required (a phone call to quote the fingerprint may be sufficient where you would recognise the person's voice and the data being transferred is not critical), but it definitely means through a different channel.

I mention this because a friend/colleague used to send his GPG public key to people via email, and then placed his key fingerprint in his .sig, in the belief that this would enhance security (not to mention his geek-cred). A five minute explanation of the principle of a man-in-the-middle attack, followed by a swift bat upside the head with a copy of "Applied Cryptography" seemed to do the trick, and he sheepishly removed it.

This same person is now contracting out his services as, among other things, a security expert.

Caveat Emptor,
Steve
Re: GPG fingerprints
Hi,

On Mon, 17 Sep 2001 19:42:05 +1000, Steve writes:

> I mention this because a friend/colleague used to send his GPG public key to people via email, and then placed his key fingerprint in his .sig, in the belief that this would enhance security (not to mention his geek-cred). A five minute explanation of the principle of a man-in-the-middle attack, followed by a swift bat upside the head with a copy of "Applied Cryptography" seemed to do the trick, and he sheepishly removed it.

I think that many people put their fingerprint in their e-mail signature to exploit the Internet's archiving capability. If I e-mail you my public key, you should not pay attention to the fingerprint in the signature of that e-mail. However, you can go to dejanews.com, or the debian mailing list archives, or your own "saved mail" folder, and notice that every single message from me has the same GPG fingerprint, even the messages that are months or years old. From that, you can develop a degree of trust.

--- Wade

PS: Don't bother looking for the GPG fingerprint, I don't bother with GPG yet.

--
 /\   ASCII Ribbon Campaign    | Wade Richards --- [EMAIL PROTECTED]
 \/   - NO HTML/RTF in e-mail  | Fight SPAM! Join CAUCE.
  X   - NO Word docs in e-mail | See http://www.cauce.org/ for details.
 /\
Re: GPG fingerprints
>>>>> "Wade" == Wade Richards <[EMAIL PROTECTED]> writes:

    Wade> I think that many people put their fingerprint in their e-mail
    Wade> signature to exploit the Internet's archiving capability. If I
    Wade> e-mail you my public key, you should not pay attention to the
    Wade> fingerprint in the signature of that e-mail. However, you can go
    Wade> to dejanews.com, or the debian mailing list archives, or your own
    Wade> saved mail folder, and notice that every single message from me
    Wade> has the same GPG fingerprint, even the messages that are months or
    Wade> years old. From that, you can develop a degree of trust.

I think the key (no pun intended) is to use multiple channels. My public key is available on a public keyserver. My fingerprints are pasted to all my mails which go to almost all mailing lists, and to all my newsgroup postings (and these, as you mentioned, are available via http). So if someone wants to spoof my key, they would have to either

- compromise groups.google.com, wwwkeys.pgp.net, lists.debian.org, various e-mail servers, etc.,
- be very close to the person trying to get my key, so that they would be able to spoof traffic from these, or
- be very close to me and modify my outgoing messages and spoof network traffic when I try to verify that the keys/fingerprints have been sent correctly (which is probably pretty hard, since I have multiple network access points).

On the other hand, if you send both fingerprint and gpg key via e-mail, there's just one service that needs to be attacked.

Mind you, the best policy is to only fully trust keys that you can verify *in person*, or that can be verified via the web of trust, if you need to send/sign anything critical.

(Speaking of which, is there anyone in the Waterloo (Canada) region who wants to sign my key? My key currently has 0 signatures (other than my self-sig).)

--
Hubert Chan <[EMAIL PROTECTED]> - http://www.geocities.com/hubertchan/
PGP/GnuPG key: 1024D/71FDA37F
Fingerprint: 6CC5 822D 2E55 494C 81DD 6F2C 6518 54DF 71FD A37F
Key available at wwwkeys.pgp.net. Please encrypt *all* e-mail to me.
Re: GPG fingerprints
Wade Richards <[EMAIL PROTECTED]> writes:

>> A five minute explanation of the principle of a man-in-the-middle attack, followed by a swift bat upside the head with a copy of "Applied Cryptography" seemed to do the trick, and he sheepishly removed it.
>
> I think that many people put their fingerprint in their e-mail signature to exploit the Internet's archiving capability. If I e-mail you my public key, you should not pay attention to the fingerprint in the signature of that e-mail. However, you can go to dejanews.com, or the debian mailing list archives, or your own "saved mail" folder, and notice that every single message from me has the same GPG fingerprint, even the messages that are months or years old. From that, you can develop a degree of trust.

Yes. A zero-trust sense of trust.

The whole point of having a fingerprint is to be able to compare it out of band - e.g. you send me your public key, I phone you back and you have to dig out the fingerprint which I compare from the public key, which is totally defeated if someone else can dig it out of deja/google!

If you want to develop a sense of trust, then the most trust you can have is that `this poster' is the same as `that poster', because their messages both validate against the same key ID (*not* fingerprint).

Unless I'm well mistaken, of course... But I'd never trust a key whose fingerprint had turned up in public before.

~Tim
--
It's enough that I can see the morning   |[EMAIL PROTECTED]
In miracles much more than I can say     |http://spodzone.org.uk/
It's enough to keep me still believing   |
In drifting hearts so far away           |
Re: GPG fingerprints
Tim Haynes wrote:

> Wade Richards <[EMAIL PROTECTED]> writes:
>
>>> A five minute explanation of the principle of a man-in-the-middle attack, followed by a swift bat upside the head with a copy of "Applied Cryptography" seemed to do the trick, and he sheepishly removed it.
>>
>> I think that many people put their fingerprint in their e-mail signature to exploit the Internet's archiving capability. If I e-mail you my public key, you should not pay attention to the fingerprint in the signature of that e-mail. However, you can go to dejanews.com, or the debian mailing list archives, or your own "saved mail" folder, and notice that every single message from me has the same GPG fingerprint, even the messages that are months or years old. From that, you can develop a degree of trust.
>
> Yes. A zero-trust sense of trust.
>
> The whole point of having a fingerprint is to be able to compare it out of band - e.g. you send me your public key, I phone you back and you have to dig out the fingerprint which I compare from the public key, which is totally defeated if someone else can dig it out of deja/google!

WHAT!? Anyone who gets hold of a public key can check what fingerprint it has. There are public keyservers. There are public keys on the w3. A key fingerprint was never meant to be a secret.

> If you want to develop a sense of trust, then the most trust you can have is that `this poster' is the same as `that poster', because their messages both validate against the same key ID (*not* fingerprint).
>
> Unless I'm well mistaken, of course... But I'd never trust a key whose fingerprint had turned up in public before.

I believe you are mistaken. Publishing a fingerprint is a (weak) way to defeat MITM attacks. If someone constantly uses a key with a known fingerprint, a sudden change of fingerprint may suggest MITM.

Note: your method of comparing a fingerprint is weak. Fingerprint comparison is a two-way protocol. If Bob is to sign Alice's key he should read the first group of the fingerprint, then Alice should read the second, then Bob the third, etc. This ensures at least that Bob and Alice are talking about the same public key.

Alex
--
Janusz A. Urbanowicz | ALEX3-RIPE | SF-F Framling
I want to sail East, beyond Suez, where every evil is good,
Where the ten commandments are lacking, and one may drink right down to the bottom;
Re: GPG fingerprints
also sprach Tim Haynes (on Mon, 17 Sep 2001 05:05:27PM +0100):

> Unless I'm well mistaken, of course... But I'd never trust a key whose fingerprint had turned up in public before.

that's a little ridiculous, isn't it, given that i can use my gpg to view the fingerprint of your public key, which is, uh, public.

you can safely post your fingerprint everywhere, but you have to do fingerprint verification - i have to read you mine - over the phone

martin;              (greetings from the heart of the sun.)
  \ echo mailto: !#^.*|tr * mailto:; net@madduck
--
because light travels faster than sound,
some people appear to be intelligent,
until you hear them speak.
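An added example, not taken from any message in this thread, putting the mechanics the posters are arguing about into Python: a v4 OpenPGP fingerprint is the SHA-1 of the public-key packet (RFC 4880 section 12.2), so anyone holding the key can derive it, which is Alex's and martin's point; the short key ID in a signature line like Hubert's "1024D/71FDA37F" is the low 32 bits of that fingerprint, which is the "key ID, not fingerprint" Tim mentions; alternating_readout is Alex's two-way protocol; and fingerprint_changes is the archive check Wade describes. The RSA parameters are constructed throwaways, not a real key; only Hubert's fingerprint and key ID are quoted from the thread.

```python
"""OpenPGP v4 fingerprints, short key IDs and out-of-band comparison.
Added example; key material below is constructed, not real."""
import hashlib
import struct


def mpi(value):
    """Encode an integer as an OpenPGP multi-precision integer: 2-byte bit count, then big-endian bytes."""
    bits = value.bit_length()
    return struct.pack(">H", bits) + value.to_bytes((bits + 7) // 8, "big")


def rsa_public_key_body(n, e, created):
    """Body of a v4 RSA public-key packet: version 4, creation time, algorithm 1 (RSA), MPI n, MPI e."""
    return b"\x04" + struct.pack(">I", created) + b"\x01" + mpi(n) + mpi(e)


def v4_fingerprint(key_body):
    """RFC 4880 s.12.2: SHA-1 over 0x99, the two-byte body length, and the body; 40 hex digits."""
    data = b"\x99" + struct.pack(">H", len(key_body)) + key_body
    return hashlib.sha1(data).hexdigest().upper()


def short_key_id(fingerprint):
    """The 8-digit ID printed as 1024D/71FDA37F is the low 32 bits of a v4 fingerprint."""
    return fingerprint.replace(" ", "").upper()[-8:]


def groups(fingerprint):
    """The ten four-digit groups gpg prints, e.g. '6CC5 822D ...'."""
    compact = fingerprint.replace(" ", "").upper()
    return [compact[i:i + 4] for i in range(0, len(compact), 4)]


def alternating_readout(bob_copy, alice_copy):
    """Alex's two-way check: Bob reads group 1, Alice group 2, Bob group 3, ...
    and the listener compares each spoken group with their own copy.
    Returns (True, None) when all groups match, else (False, first mismatching index)."""
    bob, alice = groups(bob_copy), groups(alice_copy)
    if len(bob) != len(alice):
        return False, min(len(bob), len(alice))
    for i, (b, a) in enumerate(zip(bob, alice)):
        spoken, own_copy = (b, a) if i % 2 == 0 else (a, b)
        if spoken != own_copy:
            return False, i
    return True, None


def fingerprint_changes(archived):
    """Wade's archive argument and Alex's corollary: a sender's archived messages
    should all carry one fingerprint; return the message indices where it changes."""
    return [i for i in range(1, len(archived)) if archived[i] != archived[i - 1]]


# Quoted from Hubert Chan's signature in this thread.
HUBERT_FPR = "6CC5 822D 2E55 494C 81DD 6F2C 6518 54DF 71FD A37F"
# Constructed, throwaway parameters (NOT a real key); the second key differs only in e,
# standing in for a different key presented under the same name and creation time.
_N = (1 << 1023) + 0x10001 * 12345
ALICE_KEY = rsa_public_key_body(_N, 65537, 1000000000)
OTHER_KEY = rsa_public_key_body(_N, 3, 1000000000)


if __name__ == "__main__":
    fpr = v4_fingerprint(ALICE_KEY)
    print("fingerprint:", " ".join(groups(fpr)), "key id:", short_key_id(fpr))
    print("read-out against same key:", alternating_readout(fpr, fpr))
    print("read-out against other key:", alternating_readout(fpr, v4_fingerprint(OTHER_KEY)))
```

The alternating read-out only tells the two parties they hold the same key packet; which human is at the other end of the phone is what the voice, not the fingerprint, vouches for, and that is the "different channel" Steve's message asks for.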
Seeking for a Debian Security Secretary
Current problems with Debian Security have led me into reconsidering this issue, which I thought about one year ago or so. Debian Security is very crucial to our users and thus should be managed properly. To help improve the situation I'm offering a very important job within the Debian project.

I'd like to have somebody who will help the core Debian Security Team doing their work. This seems to be required since all members of the Security Team have other important things to do and still don't know how to fork(2) themselves.

This position requires:

 . Discussing security problems with the Security Team, as well as with third parties.
 . Notifying the Security Team of incidents they haven't noticed already.
 . Maintaining an internal list of security incidents, both resolved and unresolved.
 . Reminding members of the Debian Security Team until they release an advisory or decide that Debian is not vulnerable to a particular problem. [1]
 . Ensuring that not only packages in stable but also in the unstable distribution contain security fixes. This implies continuously and kindly reminding package maintainers, eventually also preparing releases or NMUs for unstable with help of the QA or Security Team.
 . Extracting security patches from other vendors' security fixes for further investigation by the Security Secretary or the Debian Security Team.
 . Preparing security patches together with the Debian Security Team.

This is done by:

 . Reading and understanding bugtraq.
 . Monitoring [2] other distributions' security advisories (at least Immunix, Trustix, EnGarde, Caldera, RedHat, SuSE, Mandrake and Conectiva; the more the better). This should be done by subscribing to other vendors' security lists.
 . Reading and understanding mail on the private list of the Debian Security Team.

Explanations:

[1] From time to time the Security Team forgets about security issues. It is very time-consuming doing research for old issues, but it has to be done.

[2] http://www.infodrom.ffis.de/Linux/security/ could help here, but it is also not complete enough.

Regards,

	Joey

--
The good thing about standards is that there are so many to choose from.
	-- Andrew S. Tanenbaum
Re: '(no
In linux.debian.security, you wrote:

> On Sat, 15 Sep 2001, Petro wrote:
>
>> If you believe that you've been hacked, fdisk and restore from backup--if you are absolutely positive your backup is clean. Otherwise rebuild from scratch.
>
> I can easily agree with the above, emphasizing the "if" clause on top of it. You do not want to wipe away your computer and spend a good amount of time rebuilding it unless you _believe_ it has been rooted. That's why you unplug it (to begin with) and carefully check the contents of its hard disk(s) using a known good system, possibly using another computer altogether to do the check. THEN you wipe the compromised system away and reinstall it...

I can easily agree with the above, emphasizing the "if" clause. ;)

If you're good at hunting down r00tkits, and the server is not critical, then yes. Besides, it's a good learning experience. If you want the server back on-line ASAP, wipe and reinstall is usually faster.

Dima
--
Well, lusers are technically human.                    -- Red Drag Diva
Re: '(no
[EMAIL PROTECTED] (Dimitri Maziuk) writes:

>> I can easily agree with the above, emphasizing the "if" clause on top of it. You do not want to wipe away your computer and spend a good amount of time rebuilding it unless you _believe_ it has been rooted. That's why you unplug it (to begin with) and carefully check the contents of its hard disk(s) using a known good system, possibly using another computer altogether to do the check. THEN you wipe the compromised system away and reinstall it...

Bootable CDs are jolly useful for this.

> I can easily agree with the above, emphasizing the "if" clause. ;)
>
> If you're good at hunting down r00tkits, and the server is not critical, then yes. Besides, it's a good learning experience. If you want the server back on-line ASAP, wipe and reinstall is usually faster.

One possible compromise, that should probably be happening anyway: take an archive copy for your forensics and/or as a last-minute backup before the wipe. That can probably be done quickly enough to fit the wipe & reinstall route.

~Tim
--
That morning dawn, with no regrets     |[EMAIL PROTECTED]
We stood in line, we laughed           |http://spodzone.org.uk/
In silhouette                          |
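As an added example (not from any message in this thread), the two steps the posters agree on, in Python: "check the contents of its hard disk(s) using a known good system" becomes a manifest of file hashes and permission bits built from the suspect filesystem (mounted read-only, and ideally nodev,noexec,nosuid, under a boot CD) and compared against the same manifest from a trusted reference installation; "take an archive copy before the wipe" is covered by the same streaming sha256_file, run over the dd image you keep so its integrity can be shown later. The two directory trees here are constructed in a temporary directory and their contents are stand-ins; none of the paths or data come from the thread.

```python
"""Compare a suspect filesystem against a known-good baseline, and hash archive
copies.  Added example; the sample trees are constructed, not real data."""
import hashlib
import os
import tempfile


def sha256_file(path, chunk=1 << 20):
    """Streaming SHA-256: works on a multi-gigabyte disk image as well as on small files."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def build_manifest(root):
    """Record hash, permission bits and size of every regular file under root,
    keyed by path relative to root.  Symlinks are skipped (a planted link must not
    redirect the walk); mtimes are ignored because they are trivial to set."""
    manifest = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = sorted(d for d in dirnames if not os.path.islink(os.path.join(dirpath, d)))
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            st = os.stat(full)
            manifest[os.path.relpath(full, root)] = {
                "sha256": sha256_file(full),
                "mode": st.st_mode & 0o7777,
                "size": st.st_size,
            }
    return manifest


def compare_manifests(baseline, current):
    """Return (added, removed, changed); changed maps a path to the attributes that differ."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = {}
    for path in sorted(set(baseline) & set(current)):
        diffs = [k for k in ("sha256", "mode", "size") if baseline[path][k] != current[path][k]]
        if diffs:
            changed[path] = diffs
    return added, removed, changed


def _write(root, rel, data, mode):
    """Helper for the constructed scenario: create rel under root with data and mode."""
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(data)
    os.chmod(path, mode)


def demo():
    """Constructed scenario: a reference tree and a suspect tree in which ls was
    swapped for a same-size file, passwd gained a line, and a library appeared."""
    with tempfile.TemporaryDirectory() as tmp:
        good, suspect = os.path.join(tmp, "good"), os.path.join(tmp, "suspect")
        files = {
            "bin/ls": (b"ELF-stand-in: ls build 1", 0o755),
            "bin/ps": (b"ELF-stand-in: ps build 1", 0o755),
            "etc/passwd": (b"root:x:0:0:root:/root:/bin/sh\n", 0o644),
        }
        for root in (good, suspect):
            for rel, (data, mode) in files.items():
                _write(root, rel, data, mode)
        # Tampering in the suspect tree only.
        _write(suspect, "bin/ls", b"ELF-stand-in: ls build 2", 0o755)  # same size, new hash
        _write(suspect, "etc/passwd",
               files["etc/passwd"][0] + b"extra:x:1001:1001::/home/extra:/bin/sh\n", 0o644)
        _write(suspect, "usr/lib/libunexpected.so", b"not a real library", 0o644)
        return compare_manifests(build_manifest(good), build_manifest(suspect))


if __name__ == "__main__":
    added, removed, changed = demo()
    print("added:", added)
    print("removed:", removed)
    print("changed:", changed)
```

In practice the baseline comes from a clean install of the same release with the same package set (or from the distribution's own package checksums), and the suspect manifest is built from the mounted disk, never from the running, possibly rootkitted, system. The same-size ls replacement is why the comparison keys on the hash rather than on size alone, and the appended passwd line shows why size is still worth recording: it tells you at a glance which kind of change you are looking at.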