Re: HELP, my Debian Server was hacked!

2003-04-24 Thread Mathias Gygax
On Thu, Apr 24, 2003 at 11:19:34 +0200, Mauro Chiarugi wrote:
 On Tue, 22 Apr 2003 17:48:23 -0500 (CDT), David Ehle wrote:
 
  nightly apt-get update && apt-get upgrade
 
 But what if it asks for human interaction? What can I do?

from the apt-get manual page:

[...]
       -y, --yes, --assume-yes
              Automatic yes to prompts; assume yes as answer to all prompts
              and run non-interactively. If an undesirable situation, such as
              changing a held package or removing an essential package,
              occurs then apt-get will abort. Configuration Item:
              APT::Get::Assume-Yes.

[...]

be sure to also run dpkg-reconfigure debconf and set it not to ask trivial
questions.

cron-apt is a package to automate apt-get handling via cron. it could
assist you in setting up automatic security upgrades.

 - regards, turrican
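The nightly job discussed above, written out as an added example (this is not code from the original post, and it is not cron-apt): it sets the debconf front end to non-interactive, passes -y, and does a dry run first so the job refuses to proceed when apt would remove a package. The security-only sources list path /etc/apt/security.sources.list and the log path are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post or from cron-apt: a nightly
# cron job that applies pending upgrades without human interaction and
# refuses to run if the dry run would remove a package.
#
# Assumption: /etc/apt/security.sources.list (hypothetical path) holds only
# the security.debian.org line, so the nightly job never pulls anything else.
SECURITY_LIST=/etc/apt/security.sources.list
LOG=/var/log/security-upgrade.log

# Options that make apt-get non-interactive:
#   -y                         assume yes; apt still aborts when it would
#                              change a held or remove an essential package
#   Dpkg::Options::=--force-confold
#                              keep locally edited config files instead of
#                              prompting about the maintainer's new version
#   Dir::Etc::SourceList / SourceParts=-
#                              read only the security list and ignore
#                              /etc/apt/sources.list.d for this run
APT_OPTS="-y -q -o Dpkg::Options::=--force-confold \
  -o Dir::Etc::SourceList=$SECURITY_LIST -o Dir::Etc::SourceParts=-"

# True (exit 0) when an 'apt-get -s upgrade' transcript contains a removal.
# The simulation prints one "Inst", "Conf" or "Remv" line per action.
simulation_removes_packages() {
    printf '%s\n' "$1" | grep -q '^Remv '
}

# Number of packages the simulation would install or upgrade.
simulation_install_count() {
    printf '%s\n' "$1" | grep -c '^Inst ' || true
}

run_unattended_upgrade() {
    export DEBIAN_FRONTEND=noninteractive   # debconf: never open a prompt
    # List-Cleanup=0 keeps the cached package lists of the other sources,
    # which would otherwise be dropped because they are not in SECURITY_LIST.
    apt-get $APT_OPTS -o APT::Get::List-Cleanup=0 update >>"$LOG" 2>&1 \
        || return 1
    sim=$(apt-get $APT_OPTS -s upgrade 2>>"$LOG") || return 1
    if simulation_removes_packages "$sim"; then
        printf '%s: refusing to upgrade, dry run would remove packages:\n%s\n' \
            "$(date)" "$sim" >>"$LOG"
        return 2
    fi
    if [ "$(simulation_install_count "$sim")" -eq 0 ]; then
        return 0                            # nothing pending
    fi
    apt-get $APT_OPTS upgrade >>"$LOG" 2>&1
}

# Act only when invoked as "security-upgrade run" from cron; sourcing the
# file just defines the functions.
if [ "${1:-}" = run ]; then
    run_unattended_upgrade
fi
```

Install it as /etc/cron.daily/security-upgrade (or call it with `run` from a crontab line). Everything apt does ends up in the log, which deserves the same attention as the host's auth log: a package pulled by this job runs its maintainer scripts as root at install time, so a removal or an unexpected install is worth a look before the next night.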



Re: Root is God? (was: Mutt tmp files)

2001-11-18 Thread Mathias Gygax

On Sun, Nov 18, 2001 at 05:08:14 +0100, martin f krafft wrote:

 excellent. you know what i did: i just removed the root:0:... line from
 /etc/passwd and /etc/shadow. now i can't be root. that must be perfect
 security. yeah!

before you shout, think twice. this is READ-only on my system. you don't
really understand it, right?


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]




Re: Root is God? (was: Mutt tmp files)

2001-11-18 Thread Mathias Gygax
On Sun, Nov 18, 2001 at 05:06:21 +0100, martin f krafft wrote:

 thanks, you just made me laugh!

you set lamer detector to orange.



Re: Root is God? (was: Mutt tmp files)

2001-11-16 Thread Mathias Gygax

On Fri, Nov 16, 2001 at 04:13:16AM -0900, Ethan Benson wrote:

   Root is God. Anything you do on the system is potentially visible to
   root.

this is, with the right patches applied, not true.

  What's about rsbac? Are there other strategies against root available?
 
 root usually has physical access to the hardware anyway.

but root usually also does have remote access.

take a look at http://www.lids.org LIDS. this is a kernel patch to
separate root from the kernel (a new level of security) by having
capability and mandatory access control list support in your kernel. you
can fine-tune the setup very precisely. for a real linux multi-user
system, it's the perfect security patch.




Re: Root is God? (was: Mutt tmp files)

2001-11-16 Thread Mathias Gygax

On Fri, Nov 16, 2001 at 02:58:48PM +0100, Ralf Dreibrodt wrote:
 Hi,

hi there,

 Root is God. Anything you do on the system is potentially visible to
 root.
  
  this is, with the right patches applied, not true.
 
 well, i thought this is the definition of root.

no. with LIDS you can protect files and syscalls even from root. in my
setup, root cannot even write to his own home directory.

 i wanted to post something about lids, but then i thought, it doesn't
 make sense in this case.

i think it does make sense.

 now we have the case, that someone does not trust the root user.

this is the case with a LIDS setup.

 when there are several system administrators, does it really make sense
 to install lids to have the possibility to give other (untrusted)
 users the root-pw?

with a carefully implemented LIDS, this is possible.

my root user can't write to /usr/*, doesn't have any special syscall
access to change network and firewall settings, can't SETUID/SETGID and
is really locked like a normal user etc. but... root in this setup is
useless. you can't do anything that looks like administration. you can
run the daemons that need root access, but they're limited and can't do
the full root stuff root usually does.

LIDS basically does protect the kernel from root.




Re: Root is God? (was: Mutt tmp files)

2001-11-16 Thread Mathias Gygax

On Fri, Nov 16, 2001 at 08:23:27AM -0800, Micah Anderson wrote:

 No, you can't. No matter how you cut it, root can install a new
 kernel, sans LIDS and write to his/her home dir.

how? replace /boot? this is DENY in my setup. access lilo.conf or the
lilo binary? DENY. how do you want to replace system binaries when LIDS
is activated and the memory and any critical file/dir is protected?

you can't shutdown or reboot the host without proper auth.

 Nothing can protect the kernel from root if root can replace the
 kernel. 

you can't do this in a properly set up LIDS.

 Sure you may have /boot mounted read-only, but that is a
 simple remount, 

no, it's not. it's not mounted, it's DENIed by the kernel. every access
to this directory is blocked by the kernel before anything further
happens.

remount or mount is blocked, IIRC, by CAP_SYS_ADMIN. with an activated
LIDS, you can't mount or umount anything, even as root. everything is
blocked.

 or boot into single user mode, 

how? you can't change runlevels. once sealed, it will remain until the
next reboot, when it gets sealed in single user mode.

 or put the kernel somewhere else, 

where? in a protected filesystem? in /tmp? how do you tell the loader to
access this file? it's all blocked.

 or physically put in a different harddrive. $

when i'm sitting in honolulu and having a drink?

when there's no physical security, there's no security at all.

use crypto filesystems to secure storage.

 There is no way, nor any reason why, to setup a system in such a way
 that the maintainer of the system cannot maintain it. 

maintainer is someone else. root is there for serving the daemons.
administering the machine is the next security level, and this time it
is in the kernel (to deactivate it). the interface is clean.

 You cannot completely lock out root, 

no, you can't. but you can protect your system from root.

 for if you do, it is no longer root.

of course it's root. who else should it be? but he can no longer
access all the interfaces with full rights. a properly configured LIDS
is secure from root abuse.

 Can root physically access the machine? If not, then there is someone
 else who would be root.

i don't care. i can seal LIDS so that you can only administer your
machine from the console. it no longer works over remote links.

 Thats like saying root doesn't have the root password. It doesn't
 matter, root can change the root password.

this is a new way of thinking. root is there for serving purposes. with
LIDS, you're sealing the kernel to not accept potentially malicious
input from root.




Re: Root is God? (was: Mutt tmp files)

2001-11-16 Thread Mathias Gygax

On Fri, Nov 16, 2001 at 05:48:11PM +0100, Ralf Dreibrodt wrote:

 you have just another definition of root.

no. we don't have any user concept there.

 you mean the user with the id 0. this user is really not able to do
 this.  but root after my definition can hit the reset-button, put in a
 cdrom and boot from the cdrom.

root does also have access to a remote link. so does the attacker. the
linux system doesn't have any means of knowing who exactly is changing
the cdrom. there's an abstraction layer to identify you with, typically,
a password in the system. this stuff is stored on easy-to-modify media.
you must have a protection in the kernel in a secure environment and
even then it's not secure.

 as long as you booted the normal way.

of course. but how do you want to change it?

 btw: is there anything similar to the international kernel patch for
 linux 2.4.x?

dunno.

openwall and stealth patch also don't work on 2.4.x...




Re: IDS

2001-11-06 Thread Mathias Gygax
On Tue, Nov 06, 2001 at 07:52:08 +0100, Administrator wrote:
 Hi,

re,

  can anybody tell me where I can get an Intrusion Detection
  System base? I need the attack signatures...

 Try this: http://www.lids.org/

LIDS is not a NIDS, as the name might suggest. LIDS is capability and
mandatory ACL support in a linux multi-user environment.

there are pre-configured signatures for a multi-user environment, but
not signatures for network based attacks.

get snort from http://www.snort.org and the arachnids patterns from
http://www.whitehats.com for a network IDS with signatures for remote
attacks (with some basic knowledge, it's easy to understand).



Re: IDS

2001-02-09 Thread Mathias Gygax

On Fri, Feb 09, 2001 at 03:59:02 +0100, NDSoftware wrote:
 Where i can find a good IDS for Debian ?

take a look at snort and the corresponding homepage. NFR isn't yet
packaged.

-- 
"Mine!  Mine!  It's all mine!"
-- Daffy Duck

