[svlug] Need help with diagnosing compromised Linux system
conover at rahul.net
Fri Apr 22 12:20:08 PDT 2005
Brian J. Tarricone writes:
> John Conover wrote:
> > M. A. Sridhar writes:
> >>As you folks have suggested, I will migrate the system to one of the newer
> >>Debian-based distros.
> > IMHO, that's good advice.
> > Don't forget that the live CD versions of Debian, (Knoppix, etc.,)
> > offer protection against root kits, (there is no place for an I-Vandal
> > to write anything,) and make really great robust servers/gateways, (as
> > long as the data is static.)
> I tend to be somewhat skeptical about the idea of using a liveCD distro
> as a server/firewall/gateway. On one hand, it's great: if something bad
> happens, like an intrusion, just reboot the box and you can be sure that
> all the system binaries are clean and unmodified.
> However, it seems to me that this encourages laziness where security is
> concerned. If you have a custom setup built off a stock liveCD, then
> every time there's a security update in a package you're running on the
> liveCD box, you have to create a new liveCD. I'm not really sure how
> easy/painful this is, but I'd find it hard to believe that it's as easy
> as running 'apt-get upgrade' or whatever, and then restarting the
> affected service. So I'd get the feeling that many people wouldn't
> bother to patch security holes on a liveCD firewall. And while it's
> easy to 'refresh' the system, there's also time for an attacker to mess
> around on your internal network, and the vulnerability is still there to
> be exploited again (perhaps by the same attacker).
> Then again, I could be totally wrong: maybe it's trivial to generate a
> patched/updated liveCD, even with customisations, and most people that
> go this route do this on a regular basis. Feel free to correct me if
> that's the case.
Its fairly easy:
and click on the startremaster and finishremaster scripts; use
apt-get, or whatever, in between the two scripts. CoyoteLinux is even
easier, (a new updated floppy is only a couple of minutes away; making
the Knoppix master is a bit more time consuming since it requires
compressing an entire CD-of course, if you don't require Mozilla,
OpenOffice, KDE, etc., on the CD, its much faster.)
Depending on your POV, of course.
John Conover, conover at rahul.net, http://www.johncon.com/
More information about the svlug