On Sat, 6 Dec 2003, Scott C. Linnenbringer wrote:
> On Sat, Dec 06, 2003, at 17:27 -0800, Alvin Oga wrote:
>
> > i say, if your ids does find an intruder .. game over ... too late ..
>
> Unless *you* don't know you're harboring an intruder...

yes... know people that had a cracker in their servers for months and never noticed ... they figured out something was wrong when they start getting spam complaints.. for spam they never sent

- that's a guaranteed IDS system that works if the cracker sends spam w/ your return email addy

if they got in, game is still over ... even if they are idling in the server, and collecting other machines .. and then launch the attack to wherever they were going after

- fairly common thing for them to do

- installing ("i'm gonna hide myself") root kits seems really dumb idea since any useful ids will notice the changes in the system

- all the cracker wants to know is that the exploit worked on the ip# 1.2.3.4 and keep track of the vulnerable machines and then when the time comes .. if you don't get caught first to go play later ..

- so use a different ip# everyday/every hour and confuse um .. :-)

- imho... instead of worrying about ids..

  - i'd rather read stuff on how to minimize the damage the cracker can do ...

  - if they crack one box, that's gone, but all other servers keeps happily chugging along

  - protect your data as much as possible )

  - allowing passwdless logins are bad idea ... as they can break one box and have free access all of the rest of your passwdless boxes

    - you should require a DIFFERENT key phrase to also be required to the other boxes

- lots of fun stuff to play with and think about ...

c ya
alvin
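A defender-side check for the "passwdless" keys the message above warns about, added here as an example and not part of the original post: it reads SSH private key text and reports the keys stored without a passphrase. It goes beyond the 2003 thread by also handling the later openssh-key-v1 container; the function names, file names and stub key contents are all constructed for illustration.

```python
import base64
import re
import struct

MAGIC = b"openssh-key-v1\0"
PEM = re.compile(r"-----BEGIN ([A-Z0-9 ]*PRIVATE KEY)-----(.*?)-----END \1-----", re.S)

def key_is_unprotected(text):
    """True if the SSH private key in `text` loads with no passphrase."""
    m = PEM.search(text)
    if not m:
        raise ValueError("no private key block found")
    label, body = m.groups()
    if label == "ENCRYPTED PRIVATE KEY":        # PKCS#8 encrypted container
        return False
    if label == "OPENSSH PRIVATE KEY":          # openssh-key-v1 container
        blob = base64.b64decode("".join(body.split()))
        if not blob.startswith(MAGIC):
            raise ValueError("not an openssh-key-v1 blob")
        off = len(MAGIC)
        (n,) = struct.unpack(">I", blob[off:off + 4])
        # First field after the magic is the cipher name; "none" = no passphrase.
        return blob[off + 4:off + 4 + n] == b"none"
    # Legacy PEM (RSA/DSA/EC) marks encryption in an RFC 1421 header line.
    return "Proc-Type: 4,ENCRYPTED" not in body

def audit(keys):
    """Return the sorted names of keys that need no passphrase."""
    return sorted(name for name, text in keys.items() if key_is_unprotected(text))

def openssh_stub(cipher):
    # Constructed header-only stub (no key material), enough for the parser.
    blob = MAGIC + struct.pack(">I", len(cipher)) + cipher
    b64 = base64.b64encode(blob).decode()
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{b64}\n-----END OPENSSH PRIVATE KEY-----\n"

# Constructed samples: names and contents are made up for this example.
SAMPLES = {
    "id_backup": openssh_stub(b"none"),
    "id_admin": openssh_stub(b"aes256-ctr"),
    "id_legacy": "-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                 "DEK-Info: AES-128-CBC,00\n\nAAAA\n-----END RSA PRIVATE KEY-----\n",
    "id_cron": "-----BEGIN RSA PRIVATE KEY-----\nAAAA\n-----END RSA PRIVATE KEY-----\n",
}

if __name__ == "__main__":
    for name in audit(SAMPLES):
        print(f"{name}: usable without a passphrase")
```

The check only shows whether a key is encrypted at rest; it cannot tell whether two boxes share the same passphrase.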