On Sun, 27 Jun 1999, Cohen Liota wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> 
> Derek has made some valid points. I would, however, focus on increased
> time securing the system by removing services that are not needed or used,
> removing SUID/SGID binaries and enforcing the rule of least privilege for
> user accounts with appropriate permissions, rather than using DTK (Deception
> Tool Kit). After the investigation aspect of your response plan has been
> executed and you either rebuild the system or back up from trusted media,
> you will want to use tripwire,
> 

Sorry. Just to clarify. Please don't take my advice as a means to better
system security. I was merely outlining:

1. Some quick, but certainly not intensive, disaster recovery steps.
2. Ways to turn the situation to your advantage by monitoring the intruder
and learning from his actions and techniques.

Cohen makes some other good points about more preventative measures. DTK
isn't something I'd really use for this; I seem to have implied that it is. I
tend to set up a DTK box I can bring online in the event of an
opportunity. You can then lure the intruder there if you're trying to keep
him around while trying to defer attacks on important machines. <insert
Chinese cliche or whatever>. It's probably not a good idea to drop DTK on
one of your production boxes.

+++ath
Derek Vadala, [EMAIL PROTECTED], http://www.cynicism.com/~derek

-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]