[svlug] Need help with diagnosing compromised Linux system

John Conover conover at rahul.net
Fri Apr 22 12:20:08 PDT 2005


Brian J. Tarricone writes:
> 
> John Conover wrote:
> > M. A. Sridhar writes:
> >
> >>As you folks have suggested, I will migrate the system to one of the newer
> >>Debian-based distros.
> > 
> > IMHO, that's good advice.
> > 
> > Don't forget that the live CD versions of Debian, (Knoppix, etc.,)
> > offer protection against root kits, (there is no place for an I-Vandal
> > to write anything,) and make really great robust servers/gateways, (as
> > long as the data is static.)
> 
> I tend to be somewhat skeptical about the idea of using a liveCD distro
> as a server/firewall/gateway.  On one hand, it's great: if something bad
> happens, like an intrusion, just reboot the box and you can be sure that
> all the system binaries are clean and unmodified.
> 
> However, it seems to me that this encourages laziness where security is
> concerned.  If you have a custom setup built off a stock liveCD, then
> every time there's a security update in a package you're running on the
> liveCD box, you have to create a new liveCD.  I'm not really sure how
> easy/painful this is, but I'd find it hard to believe that it's as easy
> as running 'apt-get upgrade' or whatever, and then restarting the
> affected service.  So I'd get the feeling that many people wouldn't
> bother to patch security holes on a liveCD firewall.  And while it's
> easy to 'refresh' the system, there's also time for an attacker to mess
> around on your internal network, and the vulnerability is still there to
> be exploited again (perhaps by the same attacker).
> 
> Then again, I could be totally wrong: maybe it's trivial to generate a
> patched/updated liveCD, even with customisations, and most people that
> go this route do this on a regular basis.  Feel free to correct me if
> that's the case.
>

It's fairly easy:

    http://www.johncon.com/john/knoppix/

and click on the startremaster and finishremaster scripts; use
apt-get, or whatever, in between the two scripts. CoyoteLinux is even
easier, (a new updated floppy is only a couple of minutes away; making
the Knoppix master is a bit more time-consuming since it requires
compressing an entire CD. Of course, if you don't require Mozilla,
OpenOffice, KDE, etc., on the CD, it's much faster.)

Depending on your POV, of course.

          John

-- 

John Conover, conover at rahul.net, http://www.johncon.com/
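
As an added example (not from the post, and not the startremaster/finishremaster scripts it links to): the reason a live CD is a good place to stand when diagnosing a compromise is that the booted media is a known-good reference you can compare against. Before the reboot Brian mentions, the running system can still differ from the media, because a Knoppix-style boot keeps its writable parts in RAM. The script below hashes the same tree on the read-only media and in the live root and lists what was modified, removed or added. The mount points, the hash-tool fallback and the two sample trees are assumptions made for this example.

```sh
#!/bin/sh
# Added example for this svlug thread; not code from the post and not the
# startremaster/finishremaster scripts it links to.
# Compares a live (running) tree against the same tree on the read-only
# media the box was booted from. Anything that differs was changed after
# boot, in RAM, and will vanish at reboot; it is also your list of what the
# intruder touched. Mount points and the sample trees below are assumed.
set -eu

# Prefer GNU coreutils sha256sum, fall back to perl's shasum (assumes one exists).
if command -v sha256sum >/dev/null 2>&1; then HASH=sha256sum; else HASH="shasum -a 256"; fi

# hash_tree DIR: "<sha256>  ./relative/path" for every regular file, sorted by path.
# $HASH is deliberately unquoted so "shasum -a 256" splits into words.
# Limitation: paths containing whitespace would break the awk field split below.
hash_tree() {
    ( cd "$1" && find . -type f -exec $HASH {} + | LC_ALL=C sort -k2 )
}

# diff_trees REF LIVE: one line per difference.
#   MODIFIED  file exists in both, content differs (trojaned binary, edited config)
#   MISSING   file on the media is gone from the live tree
#   ADDED     file in the live tree that the media never had (dropped tool, backdoor)
diff_trees() {
    ref_m=$(mktemp); live_m=$(mktemp)
    hash_tree "$1" >"$ref_m"
    hash_tree "$2" >"$live_m"
    awk '
        FILENAME == ARGV[1] { ref[$2] = $1; next }          # load the media manifest
        !($2 in ref)        { print "ADDED    " $2; next }
        ref[$2] != $1       { print "MODIFIED " $2 }
                            { seen[$2] = 1 }
        END { for (p in ref) if (!(p in seen)) print "MISSING  " p }
    ' "$ref_m" "$live_m" | LC_ALL=C sort
    rm -f "$ref_m" "$live_m"
}

# count_diffs REF LIVE: number of differing files (0 means the live tree still
# matches the media, at least as far as userland tools can tell).
count_diffs() {
    diff_trees "$1" "$2" | wc -l | tr -d ' '
}

# make_demo_trees: constructed sample data standing in for the mounted media
# ("cdrom") and the running root ("live"); prints the scratch directory.
make_demo_trees() {
    base=$(mktemp -d)
    mkdir -p "$base/cdrom/bin" "$base/cdrom/sbin" "$base/live/bin" "$base/live/sbin"
    printf 'original ls\n'   >"$base/cdrom/bin/ls"
    printf 'original ps\n'   >"$base/cdrom/bin/ps"
    printf 'original init\n' >"$base/cdrom/sbin/init"
    printf 'original ls\n'   >"$base/live/bin/ls"         # untouched
    printf 'trojaned ps\n'   >"$base/live/bin/ps"         # rootkit-style replacement
    printf 'listener\n'      >"$base/live/sbin/backdoor"  # dropped file
    # no live/sbin/init: deleted after boot
    printf '%s\n' "$base"
}

# Demo run on the constructed trees. On a real box the two arguments would be
# the read-only media mount and the live root, e.g. /cdrom and / (assumed paths).
demo=$(make_demo_trees)
printf 'files differing: %s\n' "$(count_diffs "$demo/cdrom" "$demo/live")"
diff_trees "$demo/cdrom" "$demo/live"
rm -rf "$demo"
```

Run find, awk and the hash tool from the media rather than from the live tree, or a replaced binary can lie to you; and a kernel-level rootkit can lie to any userland check, which is the case where only the reboot Brian describes actually helps. The check also says nothing about the vulnerability that let the intruder in, which is the point of re-mastering with the updates applied.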



