RE: [cobalt-users] Cobalt to provide compensation for server hack ?



On Mon, 19 Feb 2001, Vachon, Scott wrote:

} > Perhaps Brent or someone else could fill us in a
} >bit on "Real Time Intrusion Detection and Security Monitoring."

securityfocus.com should indeed be on your list....

	For the record, and since someone asked, here's Brent's view on
system security.

	The best defense is knowledge. Portsentry, for example, is
not going to prevent your box from being cracked. But the knowledge
it provides will help make you a better system admin and that will
give you an edge.

	Here's what I do here. I have an advantage in that our
servers are right here in the building with us, but most all of this
can be done with colocated servers.

	I install portsentry and logcheck on every box. I don't set
portsentry to block scans, but rather use it to let me know who is
poking around and where they are poking around. The same holds true
for logcheck. Its sole purpose is to keep me informed. I also
install a simple baseliner on every server. While Tripwire is
perhaps the best choice, it's easily exploited on a Cobalt as you
don't have a floppy drive that can be write protected so I tend to
go with fcheck, triplight or the like - again, I'm just trying to
keep on top of things. Realize that even Tripwire is not going to
prevent your box from being cracked and a good cracker will be able
to install tricks that you won't be able to find regardless of what
you do. The sole purpose of all this stuff is simply informational.

	I also install "John the Ripper" on all our servers and
maintain a huge selection of lists. Each and every night John runs
by cron and tries to crack each user's password. Users whose
passwords are cracked receive an automated email explaining how to
create secure passwords and informing them that if they don't
install a secure password on the account, we will do so on their
behalf.

	User history reports are copied and emailed to my desktop on
a random basis throughout the day. I know I can't catch everything,
but that doesn't mean I can't monitor what our users are doing.

	Knowledge is power.

	This one is a bit tough if you are colocated but it's well
worth the effort and easily done even over a dialup line:

	We monitor all traffic in and out of here in real-time.
There are plenty of free tools that you can use for this: Iptraf,
netwatch, trafshow, etc. Basically we have our monitor setup on our
switch so we monitor everything at once. But we started out with one
server and we ran Iptraf on it then just went from there. There's a
dedicated monitor here in our NOC. No we don't stare at it, but over
time you get 'grooved' in and one starts to notice patterns that are
unusual. Today, dictionary attacks against user accounts are very
easy to spot as a result of this monitoring. When someone starts
hammering an account we block them at the router.

	I've been in the business long enough to know that one is
going to be laughed at for such a request by the staff at most
colo facilities (no, we don't do colocations here so please don't
ask), but in my opinion your provider should be willing to block
such attacks for you upon request. If not, then you should install a
layer 3 device or find a provider that runs a managed secure network
and cares enough about their clients to do what they ought to be
doing - watching out for your [ass]its.

	When it comes to things like Bind exploits, I don't wait for
anyone. Our DNS servers were upgraded the day the patched Bind was
released. And, if push ever comes to shove, I sincerely doubt that
any US court is going to allow Cobalt to bail out of their warranty
because of my installing a patch in a situation such as this.

	Last, but not least, I read a lot. I subscribe to dozens of
magazines related to what we do here. No, I don't read them
completely, but I do scan them to keep on top of things. Information
is power. I also buy lots of books. Right now my goal is to become
an expert on routing. By expert I mean that I want to know how and
why things work rather than just be able to follow the instructions
to make this or that happen. Again, knowledge is power. My studying
routing has resulted in much more security here. While I've yet to
get a handle on routing, that which I've learned about how IP works
has resulted in many changes to our network and the setup we run on
our servers.

	Make no mistake about it, you'd be surprised about what you
can start to do when you know how traceroutes work, etc... while
these are common diagnostic tools, they're also the same tools that
crackers use when searching for exploitable boxes.

	Perhaps even more interesting is that any good book will do.
My favorite trick is rummaging around in used bookstores. I'll buy
and read anything related to what I am doing. Even if I don't
understand the nuances of what I'm reading, the information I
inadvertently pick up ends up becoming more valuable with each
passing day. Over time the pieces come together and that pays off in
dividends.

	If I had to sum things up, I'd have to say that none of what
I just said will make your servers more secure. What it will do is
make you a better system admin. That's what will make your servers
more secure.

	Someone mentioned being hacked and doing a complete
reinstall then being hacked again within moments of putting the box
on line just the other day. I don't claim to be an expert - the more
I learn the less I realize that I know. But I do know that I can
install trojans on a server that won't be removed and/or replaced
during a fresh install - simple stuff, really. Knowing how to do
that means that I can get rid of them before doing an install.

	That's the kind of thing you need to know too, in my
opinion. And the way to learn it is by learning your server. Instead
of searching for packages for easy installs, spend the time to learn
to work from a tarball. MySQL, for example, will easily install
from source on virtually any Linux powered machine. It's easier to
install than Portsentry is. Installing it will teach you a lot, and
each successive install will teach you even more.

	Perhaps getting your "hands dirty" is the biggest trick of
all.

	I'd also recommend getting on some real Linux/web hosting
lists. No insult intended or implied to anyone, but this list seems
to be most useful to those who are trolling for new business. You'll
find some good lists, on which the users help one another, at
http://www.isp-lists.com/ - you can learn a lot from people who
actually know what they are doing and who openly assist one another
on many of the lists there. If you do nothing more than just scan
the messages from the high end lists over time you'll learn what
the experts know.

	So then, where does one start? Head to your favorite
bookstore.... grab something published by O'Reilly and go from
there. It will take time, but even though my father will swear
otherwise (I built my first computer in 1967 - it was powered by
grape Kool-Aid), and by my senior year in high school I was the
only kid on the block with a working mainframe in their parents'
garage (my grandfather owned a scrap yard - I conned him out of a
'junk' US Army fire control computer that had a bazillion
transistors in it and which I managed to get operating well enough
to do simple addition) I wasn't born knowing a bit from a byte.

	That's my opinion...
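As an added illustration of the "simple baseliner" idea mentioned above (fcheck, triplight and the like), here is a small POSIX shell script, not part of the original message or of any of those tools, that records a SHA-256 hash of every file under a directory and later reports files that were added, removed or changed. The directory and baseline-file paths are assumptions; as with Tripwire on a Cobalt, the baseline file sits on the same box unless you copy it elsewhere, so it is informational rather than tamper-proof.

```shell
#!/bin/sh
# Minimal file-integrity baseliner: constructed example, not fcheck/triplight.
# Run "take" once on a known-good box, then "check" nightly from cron, e.g.:
#   0 3 * * * /usr/local/sbin/baseliner.sh check /etc /var/lib/baseline.sha256 | mail -s baseline root
# (paths above are assumptions for the example)

# hash_tree DIR: print "hash  path" for every regular file, sorted by path
hash_tree() {
    find "$1" -type f -print | LC_ALL=C sort | while IFS= read -r f; do
        sha256sum "$f"
    done
}

# baseline_take DIR BASEFILE: record the current state as the baseline
baseline_take() {
    hash_tree "$1" > "$2"
}

# baseline_check DIR BASEFILE: print ADDED/CHANGED/REMOVED lines,
# return 0 when the tree matches the baseline and 1 otherwise
baseline_check() {
    dir=$1; base=$2
    cur=$(mktemp)
    hash_tree "$dir" > "$cur"
    rc=0
    # files present now: new to the baseline, or hash differs from it
    while read -r h f; do
        old=$(awk -v p="$f" '$2 == p { print $1 }' "$base")
        if [ -z "$old" ]; then
            echo "ADDED $f"; rc=1
        elif [ "$old" != "$h" ]; then
            echo "CHANGED $f"; rc=1
        fi
    done < "$cur"
    # files in the baseline that are no longer on disk
    while read -r h f; do
        awk -v p="$f" '$2 == p { found=1 } END { exit found ? 0 : 1 }' "$cur" \
            || { echo "REMOVED $f"; rc=1; }
    done < "$base"
    rm -f "$cur"
    return $rc
}

# When run directly: baseliner.sh take|check DIR BASEFILE
case "${1:-}" in
    take)  baseline_take "$2" "$3" ;;
    check) baseline_check "$2" "$3" ;;
esac
```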