On 28/12/06, Voytek Eymont <[EMAIL PROTECTED]> wrote:
> I feel this is like moving ssh to a non-standard port, a small measure to reduce exposure.
>
> I actually did this mostly to keep the system logs much cleaner (especially with Apache). In any case it still requires a password to use ssh. Lastly, now that '/tmp' is mounted as
>
> /tmp type ext3 (rw,noexec,nosuid,nodev,noatime,nodiratime)
>
> that should hopefully prevent execution of such exploits
That's the point - it might prevent execution of *such* exploits but not necessarily others which use a different attack vector. A more "holistic" approach would be to just build a complete wall around the untrusted servers so whatever attackers manage to do to harm them will be contained within their boundaries. In addition to resulting in a more secure system it should also help you reduce the amount of resources (mostly time) you spend on cleaning up the mess and chasing the back doors out of the infected systems.

"prevent execution of such exploits" is a bit like installing a lock on the front door after an attacker broke in, without doing the same to lock down all the other entrances and thinking about setting up a complete security system which will cover all the possible entrances and be resilient to more sophisticated attacks (e.g. you hardly hear about thieves cutting off phone and power lines to houses to buy themselves more time, but still many alarm systems try to be resilient to such attacks by having their own internal power supply and maybe a wireless communications backup).

> thanks for all the comments

You are welcome.

Cheers,
--P

--
SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/
Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
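The thread above leaves the /tmp mount options as something to eyeball in `mount` output. The following shell function is an added example, not part of the original thread or of either poster's setup: it reads /proc/mounts-format lines and reports which of the hardening options (noexec, nosuid, nodev) a given mount point is missing. The sample mount table is constructed here so the check runs offline; on a live box, calling it without the second argument reads the real /proc/mounts. As the reply points out, noexec only blocks direct execution of files on that filesystem, so a clean result from this check is one control in place, not a complete defence.

```shell
#!/bin/sh
# Report missing hardening mount options for a mount point.
# Constructed sample in /proc/mounts format (device, mountpoint, fstype,
# options, dump, pass); used only so the example runs without a real system.
SAMPLE_MOUNTS='/dev/sda1 / ext3 rw,noatime 0 0
/dev/sda3 /tmp ext3 rw,noexec,nosuid,nodev,noatime,nodiratime 0 0
/dev/sda4 /var/tmp ext3 rw,noatime 0 0'

# missing_opts MOUNTPOINT [MOUNTS_TEXT]
#   Prints the required options that are NOT set on MOUNTPOINT, separated by
#   spaces (prints nothing when all are present). Returns 1 when MOUNTPOINT
#   is not mounted at all. MOUNTS_TEXT defaults to the live /proc/mounts.
missing_opts() {
    mp=$1
    mounts=${2:-$(cat /proc/mounts)}
    # Field 4 of the matching line is the comma-separated option list.
    opts=$(printf '%s\n' "$mounts" | awk -v mp="$mp" '$2 == mp { print $4; exit }')
    [ -n "$opts" ] || return 1
    missing=""
    for want in noexec nosuid nodev; do
        # Wrap in commas so "nodev" does not falsely match e.g. "nodevfoo".
        case ",$opts," in
            *",$want,"*) ;;
            *) missing="$missing $want" ;;
        esac
    done
    printf '%s' "${missing# }"
}

# Usage on a live system (uncomment):
#   for mp in /tmp /var/tmp /dev/shm; do
#       printf '%s: %s\n' "$mp" "$(missing_opts "$mp" || echo 'not mounted')"
#   done
```

Mount points that are writable by untrusted users but are not separate filesystems (a /tmp directory on the root volume, for instance) show up as "not mounted", which is itself a finding: there is nothing to set noexec on until it is its own mount.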
