possible compromise or just misreading logs
bj93542 at yahoo.com
Mon Dec 8 11:30:19 PST 2003
About file integrity check (only one piece of the
puzzle, but a necessary one):
Use aide (last tripwire is yet to be updated -do not
compile-, see maintainer work).
To prevent the mentioned attacks, keep your hashes OFF
your box. To compute/verify hashes, always boot from a
secure live cd.
Downside: you have to do this at each update. To
maintain the level of security, try something like:
1. boot secure cd
2. verify the hashes by comparing to the last version
from the external source (use a log, better than
override previous hashes).
3. If ok, do the update (have your sources downloaded
locally before and verified; the FreeBSD online update
system is yet to be secured: see list discussion)
[Paranoia: 4.boot again your safe cd and recompute &
save the new hashes]
4. Recompute the new hashes and save them externally.
Add-on. You should do this offline to remove the
window of opportunity in step 3, while updating the
Hope this helps,
PS. If you have a Web server, I'd rather start by add
at least some kind of firewall and an external syslog
before thinking og the file integrity check anyway.
> Second, what are people using for intrusion
> detection? This is something I
> have thought about but never really thought I
> needed until now.
Do you Yahoo!?
Free Pop-Up Blocker - Get it now
More information about the freebsd-security