Mailinglist Archive: opensuse-security (555 mails)

Re: [suse-security] Kernel security
  • From: christian.burri@xxxxxxxxxx
  • Date: Wed, 9 May 2001 16:28:38 +0200
  • Message-id: <OFA4085244.CFF14C34-ONC1256A47.004F7DBB@xxxxxxxxxx>


mmmhkay

let me add my babbling =) IMHO, one of the best solutions to have *good*
security on a box is someone watching its logfiles and maybe having a
network traffic analyzer running. I do have a box on the internet, and I do have a
few users on it (basically, I give away shells, sometimes, for those poor
ppl that are stuck with a dialup connection), and there were few attempts
to root my box. Nevertheless, every single try to root the box was defended
either by myself watching the culprit, or by my co-admin. If you have a
trustworthy coadmin that can keep an eye on your box while you cannot
(work, school, whatever..), that might be worth more than spending 100'000
bucks on the latest stateful firewall (and another 30k to train your
network engineers on it).

Also, I found it very crucial to be careful about *who* is granted shell
access. If you don't run many services on your box, surely no portmapper or
suchlike, then your chance of getting rooted has already been reduced by an
order of magnitude. In fact, almost all the root attempts I had came from
local users. The very first time one of my boxen got rooted was because I
like gave out an account. It took them dudes like 45 seconds to gain root
(rootcron.sh on a SuSE 6.2....h0h0h0!). But like, because I was using the
elite "w" command, I was instantly able to spot that there were two logins
from different IPs to the account I gave out, so a lill "shutdown",
followed by a reinstall from trusted media solved my problem ;-)

So, as for a conclusion: 1) get a trustworthy co-admin 2) be careful
about who gets shell accounts on your box


NB: I like to thank Marc from SuSE (I think it was him, correct me if I'm
wrong =) for auditing the SuSE version of wu-ftpd!


Cheers

Chris Burri
jun. Systems- & Network Engineer
Synecta Informatik AG
Zwinglistrasse 3
9000 St. Gallen
Switzerland


.-.
/v\ L I N U X
// \\ >Phear the Penguin<
/( )\
^^-^^
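
The check described in the mail above (one account logged in from two different IPs) can be run automatically instead of by eye. This is an added example, not part of the original post: it parses `who` output rather than `w` because the remote host is always the last, parenthesised field there, and the function names and sample session lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag accounts that have sessions from more than one remote host.
# Input on stdin is `who`-style: USER TTY DATE TIME (HOST)

multi_source_logins() {
    awk '
        # Only sessions with a remote origin carry a trailing "(host)" field.
        $NF ~ /^\(.+\)$/ {
            host = substr($NF, 2, length($NF) - 2)
            if (host ~ /^:/) next          # local X display, not a remote login
            key = $1 SUBSEP host
            if (!(key in seen)) {          # count each user/host pair once
                seen[key] = 1
                count[$1]++
                hosts[$1] = (hosts[$1] == "" ? host : hosts[$1] "," host)
            }
        }
        END {
            for (u in count)
                if (count[u] > 1) print u, hosts[u]
        }
    ' | sort
}

# Constructed sample (documentation address ranges), standing in for live output.
sample_who() {
    cat <<'EOF'
root     tty1         2001-05-09 08:02
guest1   pts/0        2001-05-09 15:58 (192.0.2.10)
alice    pts/1        2001-05-09 14:20 (203.0.113.5)
alice    pts/2        2001-05-09 14:25 (203.0.113.5)
guest1   pts/3        2001-05-09 16:01 (198.51.100.77)
EOF
}

# On a live box: who | multi_source_logins
sample_who | multi_source_logins
```

Two sessions from the same host (alice) are not flagged; only guest1, seen from two distinct addresses, is reported. Run from cron, a non-empty result is the cue to go look at the box.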


