Thanks to all for the response. I have managed to keep the system quite secure until now with help from sun.com and all of you. As I prepare to move to a new job (sun admin also) my main concern is that, since there will be a time lag before a new sys admin gets in, I feel morally and realistically obligated to secure our current servers as much as I can. Thank you all for those responses. It will serve my friends here well.

SUMMARY:

Ric Anderson [ric@Opus1.COM]

* Go to sunsolve.sun.com and subscribe to Sun Alerts so you get email from Sun about security issues.
* Make sure you download and install the recommended OS patch cluster regularly.
* Disable any network services you don't absolutely know you need.
* Install a package that lets you monitor the MD5 checksums of all system files and directories, and run the monitor daily (or more often if your load permits and perceived threat requires it).
* Scan your system daily for new or changed setuid/setgid files, and new or changed .rhosts and .shosts files.
* Monitor the system for multiple instances of inetd not owned by pid 1. One of the break-in kits starts an inetd on a (usually deleted) config file that opens a back door on your system.
* Use your router facilities to disable all inbound traffic to your server subnet except for those host/port pairs that you want to be visible outside your subnet.

Luke Hinds [Luke.Hinds@mformation.com]

Really depends on the level of skill of the individual that has (if they have) compromised the system. What leads you into thinking the box may have been hacked? There are a lot of root kits. Most of them replace binaries such as netstat, ifconfig, who, history etc. to cover up any activity on the box. If the machine has been compromised (depending on its vitalness to be online) get it off your network, work on it in isolation from any networks and then rebuild if need be.
After this use an application (like yasp) that creates a checksum of all your files and then store the database on a read-only floppy. You can then run a cron job to compare and highlight any discrepancies or tampering (and get the alarm emailed to you), and of course patch everything to the latest revision. Also disable any services not needed (finger, sendmail, rlogin, rcopy etc.).

Mauricio Tavares [raub@afn.org]

tripwire perhaps?

Hutin Bertrand [Bertrand.Hutin@fr.Fujitsu.com]

You may try to check running processes and file integrity. For packages use pkgchk; for other files you may install aide (available on sunfreeware).

Regards,
Abhimanyu.

Abhimanyu Pandey
Information Technologies
Worcester State College
Worcester, MA 01602
Office: 508-929-8913

________________________________
From: Pandey, Abhimanyu
Sent: Friday, November 24, 2006 11:24 AM
To: 'sunmanagers@sunmanagers.org'
Subject: security

Happy Thanksgiving to all of you! Just a small question: How does one know that one's unix/solaris system has been compromised/broken into? I did read about the root kit, etc., auditing, but is there anything else? http://www.adminschoice.com/docs/securing_solaris.htm other than above? Hence there are two parts to the problem: One: How to secure? Two: How to find out if there has been a breach?

_______________________________________________
sunmanagers mailing list
sunmanagers@sunmanagers.org
http://www.sunmanagers.org/mailman/listinfo/sunmanagers

Received on Fri Nov 24 12:46:56 2006
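Two of the checks summarised above (the daily scan for new or changed setuid/setgid files against a baseline kept on read-only media, and the check for an inetd not parented by pid 1) written up as an added shell example; this is not code from the thread or from any of the tools named in it, and the /floppy/baseline path, the BASE variable and the --cron entry point are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread: the nightly setuid/setgid scan and
# the "inetd not parented by pid 1" check the summary recommends. It assumes a
# baseline text file ("path mode owner checksum" per line) kept on read-only media.

# List every setuid/setgid regular file under $1 as "path mode owner cksum".
# cksum is POSIX (Solaris and Linux); swap in "digest -a md5" or md5sum if you
# want MD5 as the post suggests. Paths containing spaces are not handled.
privileged_inventory() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print | LC_ALL=C sort |
    while IFS= read -r f; do
        meta=$(ls -ld "$f" | awk '{print $1, $3}')      # mode and owner
        printf '%s %s %s\n' "$f" "$meta" "$(cksum < "$f" | awk '{print $1}')"
    done
}

# Diff the baseline ($1) against a fresh inventory ($2): print NEW/CHANGED/REMOVED
# lines and exit non-zero if anything differs, so cron mails the output to you.
compare_inventory() {
    awk '
        FILENAME == ARGV[1] { base[$1] = $0; next }
        { seen[$1] = 1
          if (!($1 in base))       { print "NEW " $0; d = 1 }
          else if (base[$1] != $0) { print "CHANGED " $0; d = 1 } }
        END { for (p in base) if (!(p in seen)) { print "REMOVED " base[p]; d = 1 }
              exit d ? 1 : 0 }' "$1" "$2"
}

# Read "pid ppid comm" lines (as printed by: ps -eo pid,ppid,comm) and report any
# inetd whose parent is not the expected pid ($1, default 1 = init). On Solaris 10
# SMF starts inetd from svc.startd, so pass that daemon's pid there instead.
rogue_inetd() {
    awk -v want="${1:-1}" '
        ($3 == "inetd" || $3 ~ /\/inetd$/) && $2 != want {
            print "SUSPECT inetd pid=" $1 " ppid=" $2; n++ }
        END { exit n ? 1 : 0 }'
}

# Cron entry point (assumed paths). Build the baseline once before the floppy is
# write-protected: privileged_inventory / > /floppy/baseline ; then run --cron nightly.
if [ "${1:-}" = "--cron" ]; then
    cur=$(mktemp) || exit 1
    privileged_inventory / > "$cur"
    compare_inventory "${BASE:-/floppy/baseline}" "$cur"; rc=$?
    ps -eo pid,ppid,comm | rogue_inetd || rc=1
    rm -f "$cur"; exit $rc
fi
```

Because both checks exit non-zero only when something differs, a cron line that mails stdout on failure gives you exactly the alarm the post describes.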
This archive was generated by hypermail 2.1.8 : Thu Mar 03 2016 - 06:44:03 EST