loki wrote:
> Heya,
>
> First, this is not a support request but a live story from someone
> using LFS heavily in real-life situations and on servers, and why I would
> choose LFS before any distribution-based server.
>
> Let me introduce myself. I've been into LFS since version 3 - 4.
> Can't remember exactly anymore. A lot of water under the bridge since
> then. For the past four years I have worked for a governmental agency where
> I have installed some servers, all running LFS. From version 6.1 -
> 6.8 (32 and 64 bit) (DNS, WEB, MAIL and so on).
> Well, after years of using it one of our servers got hacked (because
> some of the users didn't pay attention to my ramblings about
> usernames and passwords) and a rootkit was installed.

A very interesting story. I'm interested how a regular user was able to
install a rootkit. I realize that you may not know.

> When I logged in and tried to ls I saw that ls gave me a segmentation
> fault error. After some more minutes I saw that there were some files
> that I didn't install.

Can you say what the file names/locations were?

> Then it hit me. "YOU GOT HACKED". But the services still
> worked fine. So I put up a very restrictive iptables on the router
> for this server. Just the service could go through. After checking
> the log files I figured that the intrusion took place 5 days before,
> when I had to open iptables for ssh for one of our 3rd-party
> maintenance crews. So why is LFS better than distros? I made heavy
> customizations during the compilations, so when the rootkit was
> applied none of the newly installed apps worked. Not even ls. Because
> they were compiled for normal distros and normal shared libs, which
> you can't use on custom-made systems. The baseline is this: the
> intruder couldn't do any heavy damage, the services still work, the
> intruder was detected (which is very difficult with rootkits; this one
> even rkhunter didn't detect), and downtime will be only the time it takes me to
> extract the non-compromised documents to the new server, which
> will be even more hardened.

May I suggest tripwire. It does require a bit of work when files are
updated, but will catch this sort of thing.

-- 
Bruce
-- 
http://linuxfromscratch.org/mailman/listinfo/lfs-support
FAQ: http://www.linuxfromscratch.org/lfs/faq.html
Unsubscribe: See the above information page
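The tripwire suggestion above boils down to a hash baseline of the files you care about, re-checked later so that a replaced `ls`, a dropped file or a deleted one shows up even when the binaries themselves still look plausible. The script below is an added illustration of that idea, written for this thread; it is not code from the list, from tripwire or from LFS. It records SHA-256 hashes of every regular file under a directory, then reports MODIFIED, ADDED and REMOVED paths against that baseline. The `fim_*` function names and the `bin/ls`, `bin/.hidden` sample tree in the demo are constructed for the example.

```shell
#!/bin/sh
# Added example: minimal file-integrity baseline and check, in the spirit of
# what tripwire automates. Function names and the demo tree are constructed.
# Requires only POSIX sh, find, sort, awk and coreutils' sha256sum.

# Record a baseline: sha256sum lines ("<64 hex>  <path>") sorted by path so
# that two baselines of the same tree are byte-identical.
fim_baseline() {
    dir=$1; out=$2
    find "$dir" -type f -print | LC_ALL=C sort | while IFS= read -r f; do
        sha256sum "$f"
    done > "$out"
}

# Compare a tree against a saved baseline. Prints one finding per line
# (MODIFIED/ADDED/REMOVED <path>) and returns 1 if anything changed,
# 0 if the tree matches the baseline exactly.
fim_check() {
    dir=$1; base=$2
    cur=$(mktemp) || return 2
    fim_baseline "$dir" "$cur"
    # awk keys on the path (column 67 onwards) and compares the hash
    # (first 64 characters). FILENAME selects the baseline pass so an
    # empty baseline is handled correctly.
    findings=$(awk -v base="$base" '
        FILENAME == base { old[substr($0, 67)] = substr($0, 1, 64); next }
        {
            p = substr($0, 67); h = substr($0, 1, 64); seen[p] = 1
            if (!(p in old))      print "ADDED " p
            else if (old[p] != h) print "MODIFIED " p
        }
        END { for (p in old) if (!(p in seen)) print "REMOVED " p }
    ' "$base" "$cur" | LC_ALL=C sort)
    rm -f "$cur"
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Demo on a constructed scratch tree: baseline it, then tamper with it the
# way a rootkit drop would (replace a binary, add a hidden file, delete one)
# and print what the check reports. The baseline lives outside the tree.
fim_demo() {
    root=$(mktemp -d) || return 2
    mkdir -p "$root/bin"
    printf 'original ls\n'      > "$root/bin/ls"
    printf 'original ps\n'      > "$root/bin/ps"
    printf 'original netstat\n' > "$root/bin/netstat"
    fim_baseline "$root" "$root.baseline"
    printf 'trojaned ls\n' > "$root/bin/ls"       # modified
    printf 'dropper\n'     > "$root/bin/.hidden"  # added
    rm -f "$root/bin/netstat"                      # removed
    if fim_check "$root" "$root.baseline"; then
        echo "clean"
    else
        echo "check exit status: $?"
    fi
    rm -rf "$root" "$root.baseline"
    return 0
}

fim_demo
```

Store the baseline (and the script) somewhere the monitored host cannot rewrite, such as read-only media or another machine, otherwise an intruder who replaces `ls` can just as easily regenerate the hashes. Tripwire adds signed databases, per-file policies and scheduled reporting on top of this same compare-hashes core; the "bit of work when files are updated" is re-baselining after each legitimate upgrade so that your own changes do not drown out the findings.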
