<quote who="cromworshipper-fedorastuff@xxxxxxxxx">
> --- AragonX <aragonx@xxxxxxxxxx> wrote:
> [...]
>> I've gotten some very good information off of the security lists though.
>> Perhaps I should copy it here so that others could benefit?
>
> Yes, please.
>
> What was the weak point that allowed an intrusion on your machine? I'd
> like to know what I should watch out for...

<copy from Tom Walsh's email to focus-linux@xxxxxxxxxxxxxxxxx>

Something that LIDS might not catch is a binary uploaded via a remote file
include in a poorly coded PHP script (phpBB comes to mind). We have had
several servers exploited using a combination of this method and an out of
date kernel. Typically the attacker will upload a binary that exploits the
kernel to get local root privs.

To stop most of this behavior, we have been using a combination of PHP
directives (open_basedir restrictions for web space:

    php_admin_value open_basedir "/path/to/web/space/html:/tmp:/usr/share/php"

in the httpd.conf) and then mounting /tmp set with noexec and nosuid. As an
additional measure we have also made wget, fetch and a few other binaries
chmod 700 to prevent access by the web server user.

As an aside, I have pretty good results with the Linux vserver
(http://www.linux-vserver.org) patch set to provide virtual server instances
of any Linux distro I want. I will run a Debian root server with RedHat
instances as vservers. It allows me to segment the server and limit exposure
between the different services I run.

I actually had a root exploit on a vserver a while back, and I was able to
recover the server in about 30 minutes. I just took the vserver offline...
ran an rpm checksum comparison against checksums saved in the root server...
and I determined which binaries were compromised. I replaced them, and then
brought the server back online. I was quite pleased with the results. As an
added benefit the vservers are portable between physical machines so long as
the root server has the patch set applied.

However I have not used the patch set with LIDS so I do not know if they are
compatible or not. We generally use vservers for resellers who want to use
control panel software on the server (Plesk works almost flawlessly in this
particular instance).

I hope that helps you.

Take care,

Tom Walsh
http://www.expresswebsystems.com/

This is exactly what happened to me. A flaw in, I believe, SquirrelMail
enabled a program to be uploaded to the /tmp directory and executed. I've
adjusted my LIDS policy to prevent execute from that directory. I'm going to
see if I can remove root's access to it without breaking anything. lol
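A small shell audit of the two hardening steps from Tom's mail (/tmp mounted noexec,nosuid and an open_basedir restriction set with php_admin_value), added here as an example and not taken from either mail or from any project. The mount table and httpd.conf fragment are constructed sample input so it runs offline, and open_basedir's prefix check is approximated as a directory-prefix test.

```shell
#!/bin/sh
# Constructed sample input (not from a real host): a /proc/mounts-style table
# and an httpd.conf fragment using the directive quoted in the mail.
SAMPLE_MOUNTS='/dev/sda1 / ext3 rw 0 0
/dev/sda3 /tmp ext3 rw,noexec,nosuid 0 0
/dev/sda2 /home ext3 rw 0 0'

SAMPLE_HTTPD_CONF='<VirtualHost *:80>
    DocumentRoot /path/to/web/space/html
    php_admin_value open_basedir "/path/to/web/space/html:/tmp:/usr/share/php"
</VirtualHost>'

# mount_has_opt MOUNTS MOUNTPOINT OPT: 0 if MOUNTPOINT is its own mount and
# carries OPT. A directory that is not a separate mount cannot be noexec.
mount_has_opt() {
    opts=$(printf '%s\n' "$1" | awk -v m="$2" '$2 == m { print $4 }')
    [ -n "$opts" ] || return 1
    case ",$opts," in *",$3,"*) return 0 ;; *) return 1 ;; esac
}

# tmp_hardened MOUNTS: 0 only if /tmp has both noexec and nosuid.
tmp_hardened() {
    mount_has_opt "$1" /tmp noexec && mount_has_opt "$1" /tmp nosuid
}

# open_basedir_value CONF: print the value of a php_admin_value open_basedir
# line. Only php_admin_value counts: php_value can be overridden from .htaccess.
open_basedir_value() {
    printf '%s\n' "$1" |
      sed -n 's/^[[:space:]]*php_admin_value[[:space:]]*open_basedir[[:space:]]*"\([^"]*\)".*/\1/p' |
      head -n 1
}

# path_allowed CONF PATH: 0 if PATH lies under one of the colon-separated
# open_basedir entries (each entry treated as a directory prefix).
path_allowed() {
    bd=$(open_basedir_value "$1")
    [ -n "$bd" ] || return 1          # no restriction configured at all
    old_ifs=$IFS; IFS=:
    for d in $bd; do
        case "$2" in "$d"|"$d"/*) IFS=$old_ifs; return 0 ;; esac
    done
    IFS=$old_ifs
    return 1
}

tmp_hardened "$SAMPLE_MOUNTS" && echo "/tmp: noexec,nosuid set"
path_allowed "$SAMPLE_HTTPD_CONF" /etc/passwd || echo "open_basedir blocks /etc/passwd"
```

open_basedir only constrains which local paths PHP may open; whether scripts can fetch remote URLs at all is governed separately by allow_url_fopen.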