On Mon, Sep 22, 2003 at 08:24:00PM -0400, Jason Dixon wrote:
> It is for this reason that I'd like to suggest the following. Take
> 10 minutes to download, compile and run chkrootkit on your Linux
> systems.
So there is a "download chkrootkit" vs. "download Knoppix STD" war going on. And both have their points. Chkrootkit will catch a lot of known stuff, stuff that is known to be catchable by chkrootkit. And I think it will catch problems even when run on a machine already compromised by one of the things chkrootkit will catch. Sufficiently newly written things are beyond detection of any given copy of chkrootkit anyway, no matter how it is run. Someday there will be a version of chkrootkit that will include instructions to run from a trusted boot because someday someone will write a rootkit that is simply hidden, but that hasn't happened yet. I see merit in the original suggestion.

On the other side we have the suggestion of booting off a read only CD-ROM with a (likely) good image on it and running chkrootkit (and other tools) from there. There is clearly merit there. I prefer the second suggestion. There was the complaint that it can be impractical in more complex situations, but that will be obvious to those who are in those more complex situations. On the other side is the cleanliness in operating from a (rather) trusted boot.

If the plea is to prompt an appreciation for security I think it is also a good idea to incorporate in the suggestion the concept of not trusting a compromised computer to tell you the truth or do what you ask. This is a remote concept to many. Really. (Honest!) Computers become invisible, they are assumed to work everyday as they did the day before, and the idea that all bets are off once they are broken into can be hard for users to see. Like washing hands, it is good to get some ideas into brains as habit and even religion--even if there are cases when strict hygiene isn't strictly necessary or practical.

Risking pissing off everyone, I prefer a third plea:

1. Keep your Linux computer up to date with all Redhat patches! Redhat makes this easy and they are quite conservative in what they release in their updates. Be safe, stay up to date!

2. Don't reuse passwords in disparate circumstances. (I use the same passwords on the nearly matching Linux computers under my direct control, but I use a different password on the Linux computer under my desk at work, etc.) Be aware that the very keyboard you type a password on might be bugged; try to type passwords directly on the computer to which they apply. Be very afraid of typing a really important password on a random internet cafe keyboard (but be less afraid if you can first see that the keyboard is directly plugged into the computer without any extra dongles in the path, and if you can boot off your own Knoppix CD).

3. Worry about any configuration changes you have made from Redhat's installation; you might open holes. Think about your changes. If they are little and understandable, they are less risky. If you are firing up a text editor to edit your Apache configuration files, are writing CGIs, or downloading and installing software you will be running as root, be very aware that what you are doing could be very dangerous, so understand it before doing it. If you stay conventional and stay with the crowd you can get the fixes produced for the crowd. If you stray off on your own path you not only need to start creating your own fixes, but you also need a way to even know you even *have* a problem.

This list directly represents a lot of computers that are connected to the internet all the time. Are they all being kept up to date? Are the updates being applied *promptly* after they become available? I seriously doubt it. Worse, are those secondary Linux computers influenced by those reading this list all being kept up to date? No.

-kb, the Kent who thinks running chkrootkit (via one technique or another) is good, but it is far more important to fix known holes!

P.S. Did anyone point out that chkrootkit needs to be kept up to date? It does.

-- 
redhat-list mailing list
unsubscribe mailto:[EMAIL PROTECTED]
https://www.redhat.com/mailman/listinfo/redhat-list
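The "trusted boot" idea the message prefers (boot a read-only medium, then examine the suspect disk without running anything on it) can be made concrete without depending on chkrootkit's signatures at all. The script below is an added example, not code from the original post or from the chkrootkit or Knoppix projects: it records a baseline of SHA-256 hashes while the system is known good and later, from the live CD, compares the mounted suspect root against that baseline. The manifest format (one "sha256  ./relative/path" line per file, as printed by sha256sum), the mount point /mnt/suspect mentioned in the comments, and the use of GNU coreutils sha256sum are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original mailing-list post). Offline integrity
# check of a suspect filesystem against a baseline manifest. Typical use from a
# live CD: mount the suspect disk read-only on /mnt/suspect (an assumed path),
# then run:  check_manifest /mnt/suspect /cdrom/baseline.sha256
# Requires sha256sum from GNU coreutils. Paths containing spaces are not handled.

# make_manifest ROOT OUT
#   Record the SHA-256 of every regular file below ROOT, with paths relative to
#   ROOT, so the manifest is valid wherever the disk is mounted later.
make_manifest() {
    ( cd "$1" && find . -type f | LC_ALL=C sort | while IFS= read -r f; do
        sha256sum "$f"
    done ) > "$2"
}

# check_manifest ROOT MANIFEST
#   Print one line per deviation from the baseline:
#     CHANGED path   content no longer matches the recorded hash
#     MISSING path   a recorded file is gone
#     NEW path       a file exists that was never recorded
#   Only the baseline hashes are trusted; nothing inside ROOT is executed.
check_manifest() {
    root=$1
    manifest=$2
    # Pass 1: every file the baseline knows about.
    while read -r hash path; do
        if [ ! -f "$root/$path" ]; then
            echo "MISSING $path"
        else
            cur=$(cd "$root" && sha256sum "$path" | cut -d' ' -f1)
            [ "$cur" = "$hash" ] || echo "CHANGED $path"
        fi
    done < "$manifest"
    # Pass 2: every file present now that the baseline does not list.
    ( cd "$root" && find . -type f | LC_ALL=C sort ) | while IFS= read -r f; do
        awk -v p="$f" '$2 == p { found = 1 } END { exit !found }' "$manifest" \
            || echo "NEW $f"
    done
}

# count_deviations ROOT MANIFEST
#   Number of lines check_manifest prints; 0 means the tree matches the baseline.
count_deviations() {
    n=$(check_manifest "$1" "$2" | wc -l)
    echo $((n))
}

# demo: build a small constructed tree, take a baseline, then alter it so that
# each kind of deviation shows up once.
demo() {
    work=$(mktemp -d)
    mkdir -p "$work/root/bin" "$work/root/var/log"
    printf 'good ls\n' > "$work/root/bin/ls"
    printf 'good ps\n' > "$work/root/bin/ps"
    printf 'entries\n' > "$work/root/var/log/messages"
    make_manifest "$work/root" "$work/baseline.sha256"

    printf 'other ls\n' > "$work/root/bin/ls"       # CHANGED ./bin/ls
    printf 'extra\n'    > "$work/root/bin/.extra"   # NEW ./bin/.extra
    rm "$work/root/var/log/messages"                # MISSING ./var/log/messages

    check_manifest "$work/root" "$work/baseline.sha256"
    count_deviations "$work/root" "$work/baseline.sha256"
    rm -rf "$work"
}

demo
```

Two points follow from the thread itself. The baseline must be taken while the machine is still trusted and must live off the machine (on the CD or another host), because a manifest stored on the suspect disk is no more trustworthy than anything else on it. And unlike chkrootkit, this catches any change to a recorded file whether or not a signature exists for it, but it says nothing about files that were never in the baseline or about what was running in memory before the reboot; it complements a current chkrootkit and prompt patching rather than replacing them.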