Root Logins (Sco Unix)

Fairlight fairlite at fairlite.com
Sat Jun 2 02:29:48 PDT 2007


From inside the gravity well of a singularity, Bill Campbell shouted:
> 
> One can further tighten this by using secure shell with tcp wrappers
> support (e.g. libwrap), restricting the IPs, networks, and/or domains that
> are permitted to access the system.

Something I do for my own machine, but which is not always viable for a
customer site.  I have a client that cannot employ IP blocking for ssh
because some of his customers are on dynamic IP.  Likewise, I've had
customers that have -employees- that are on dynamic IP.  Actually, a fellow
consultant is on a semi-dynamic IP, but it changes infrequently enough that
we just change the allow address when it changes every so many months.

There really are things to be said for static IP.  It's a pity ARIN is so
miserly about it.

> Jun 01 10:34:28 beta3 <info> sshd[16941]: Failed password for root from
> 192.168.254.225 port 280

I wrote something for a client that counts failures in that vein from every
address.  On the 10th password failure from one address, it adds an entry
to hosts.deny for the host.  No more happy cracking for them.

> As a general rule, if a machine has been cracked, one should reinstall from
> scratch.  If one is running good intrusion detection software that can
> identify changes in critical files, detect new files, and deleted files, it
> is possible to clean up a cracked system, but this requires creating the
> database for comparison before exposing the system to the world, and
> constantly monitoring for changes.

Something like The Coroner's Toolkit, from what Bill Vermillion has
mentioned repeatedly, is something to be checked out in this regard.

Personally, I find it's actually better to just bite the bullet and do a
reinstall.  It goes faster than forensic analysis in most cases, for one.
And even if you do the analysis and believe you got it all, if you miss
anything important you can end up doing the same dance again in a day to
a week.  There's more peace of mind in -knowing- you got the situation
entirely cleaned up and sealed.

I saw someone get hit with a worm at one point on a linux system, and
of course there's -no- forensic anything on the system.  I recommended
a complete reinstall but was shot down for financial reasons.  They
insisted I just do my best to clean it.  I make -very- sure they realise
the risks and take full responsibility if they pass on doing the right
thing like that.  I'm good, but nobody's 100% good, 100% of the time.  I
don't like that doubt hanging there.  You -think- you got it all, but
unless you literally go through the whole system file by file, you may
be missing something critical.  I've seen parts of rootkits stored in
/usr/share/locale at least twice on systems I was brought in to diagnose.
That's a pretty obscure hiding place--and actually very smart, since there
are a cartload of files and most people probably wouldn't look there.

Just don't forget to apply critical patches after a reinstall--especially
security patches, or you might be doing the whole thing again a week later
or less.

mark->
-- 
No matter what your problems, modern medicine can help!
http://members.iglou.com/fairlite/fixital/
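The failure counter described in the message above (ten failed passwords from one address, then a hosts.deny entry for that host), reconstructed as an added example. This is not Mark's script or anything from the Filepro list; it assumes the log line format quoted in the thread (`... sshd[PID]: Failed password for USER from ADDR port N`), the libwrap daemon name `sshd`, and a scratch copy of hosts.deny rather than the real `/etc/hosts.deny`. The sample log lines and the `192.0.2.x` addresses are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original post): count sshd "Failed password"
# lines per source address and emit hosts.deny entries for addresses that
# reach the threshold. File names, threshold and addresses are assumptions.

# Constructed sample log in the format quoted in the thread. 192.0.2.x is a
# documentation range, used here as placeholder attacker and user addresses.
SAMPLE_LOG=$(mktemp)
i=0
while [ "$i" -lt 12 ]; do
    printf 'Jun 01 10:34:%02d beta3 <info> sshd[%d]: Failed password for root from 192.0.2.10 port 280 ssh2\n' \
        "$i" $((16941 + i))
    i=$((i + 1))
done > "$SAMPLE_LOG"
cat >> "$SAMPLE_LOG" <<'EOF'
Jun 01 10:40:01 beta3 <info> sshd[17001]: Failed password for invalid user admin from 192.0.2.77 port 4410 ssh2
Jun 01 10:40:05 beta3 <info> sshd[17002]: Failed password for mark from 192.0.2.77 port 4411 ssh2
Jun 01 10:40:09 beta3 <info> sshd[17003]: Accepted password for mark from 192.0.2.77 port 4412 ssh2
EOF

# failed_logins_by_host LOG: print "<count> <address>" for every address that
# produced a "Failed password" line, highest count first. Accepted logins and
# other sshd messages are ignored.
failed_logins_by_host() {
    awk '/sshd\[[0-9]+\]: Failed password for / {
             for (i = 1; i <= NF; i++)
                 if ($i == "from") { hits[$(i + 1)]++; break }
         }
         END { for (h in hits) print hits[h], h }' "$1" | sort -rn
}

# ban_candidates LOG THRESHOLD DENYFILE: addresses at or above THRESHOLD that
# are not already listed for sshd in DENYFILE, so repeated runs are idempotent.
ban_candidates() {
    failed_logins_by_host "$1" |
    awk -v t="$2" '$1 >= t { print $2 }' |
    while read -r addr; do
        grep -qxF "sshd: $addr" "$3" 2>/dev/null || echo "sshd: $addr"
    done
}

# apply_bans LOG THRESHOLD DENYFILE: append new entries to DENYFILE and print
# how many were added. Point DENYFILE at /etc/hosts.deny only after reviewing
# the candidate list; a scratch file is used in the demonstration below.
apply_bans() {
    new=$(ban_candidates "$1" "$2" "$3")
    if [ -n "$new" ]; then
        printf '%s\n' "$new" >> "$3"
        printf '%s\n' "$new" | awk 'END { print NR }'
    else
        echo 0
    fi
}

# Demonstration against a scratch deny file.
SCRATCH_DENY=$(mktemp)
echo "Failures per address:"
failed_logins_by_host "$SAMPLE_LOG"
echo "Entries added: $(apply_bans "$SAMPLE_LOG" 10 "$SCRATCH_DENY")"
echo "Resulting deny file:"
cat "$SCRATCH_DENY"
```

Run from cron against the current sshd log; the deny check makes a second run harmless. Because the thread's own point is that legitimate users sit on dynamic addresses, an entry written this way should carry a date comment or be expired by a companion job, otherwise a customer who mistyped a password ten times stays locked out until someone edits the file by hand.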

