[Fedora] Seeing input on Securing the Linux system from intrusions and attacks.

John Summerfield debian at herakles.homelinux.org
Mon Dec 31 09:59:51 UTC 2007


Tod Merley wrote:

> I think you respond here to a comment that I meant to support
> penetration testing.  I regret that I was misunderstanding your last
> post.
> 
> Your guidance concerning honey pots is welcome.  What I am becoming
> aware of is that indeed our networks are filled with them.  Every
> computer on your network contains "honey" someone wants to get to.  I
> suppose what I really want are better tools to prevent and detect and
> respond to infection.

"honey pot" is a technical term, with a specific meaning.
> 
> I did come up with one possibly useful idea while thinking about this.
>  I think I would like to see our computers report suspicious activity
> (attempts to access ports for services we do not use - port scans -
> etc.) to a central clearing house.  Perhaps each state could have a
> site with a server farm dedicated to obtaining and processing data of
> this nature which would then forward the processed results to a
> national server.  Perhaps the national server could coordinate a trace
> process designed to find the actual source which coordinates the
> suspicious activity.  I would like to find "bot" controllers.  Maybe
> this could become part of how.

I suspect that there is already at least one network of security 
consultants doing this. See what you can find with Google.

Some might be public and may welcome you as a participant, others 
private. Suppose the CIA is running some honeypots. Would it be likely 
to share information with North Korea or Iran?


> 
> I suppose the response of the enemy to this would be to DOS it with
> false reports and other attacks.  This could be mitigated and used to
> enhance the process by spreading the server IPs across several ranges,
> coordinating the times which messages are to be sent by specific
> computers to those IPs and detecting the bots by either that they send
> at a wrong time or do not use the secret protocol as they were
> instructed by the server at a previous time.

I manage systems on different IAPs; I have noticed quite a difference in 
the volume of traffic I drop/reject on the different networks.


>> and I note that RH doesn't highlight security at all, that's all I could
>> find in three clicks.
>>
> In fairness Windows gets hit most because it is most popular.
> Similarly RH gets hit most because it is most popular.  Same with
> Ubuntu.

Windows might get hit most, but it gets penetrated most because it's so 
weak. Remember Microsoft's key point, eXPerience.


>> box and us confused about all the attacks he sees.
>>
> I suppose what I would really like to see is an intelligent "action
> watcher" which would notice  malicious activity and start yelling
> about it.  I guess I should not call it a "honey pot" in the classic

Snort, I think, is what you want.


>>> What I like about them is that they are convenient, especially for a
>>> laptop.  Since they are fairly cheap what I do is always have and use
>>> more than two.  Lose one, not happy with that but little loss.
>> bank account details? SS number for Americans. Information about you
>> that could lead to someone else knowing enough about you to present
>> himself as you?
>>
> I hate in a way to admit it, but I do not use online transactions.  I
> gladly receive your point if I ever do.

There are lots of places where one can purchase by credit card, and 
ecommerce is so popular I can even transfer money from my account to 
anyone else's (at least within Oz, I don't know about international 
transfers).


>>
> Several in this thread have testimonies to what they were forced to do
> when infected with no way to cure it.  I believe we are often infected
> with no way to even find it!!

I can't speak for you, but I tend to notice. Anything behind my firewall 
tries to connect to odd ports, I notice. The Boss tried a little 
torrent, I noticed:-)



> 
> Yes, we now have scanners that will detect some polymorphic viruses.
> So what else will they come up with that we do not yet know about?
> 
> Certainly wipe and re-load is hard.  However, I have noted myself that
> you get much better at it with practice.  Since you may have to do it
> anyway, it would be good to be practiced!  It is not just about
> frustrating system infection it is also about what you will eventually
> need to be ready to do.

If Wipe and Reload was good, Big Businesses would do it. They don't.


> 
> Perhaps we can agree that vendor fixes and other security upgrades
> should be soon placed into a test environment and when found to be
> good the configuration implemented on similar boxes in the system
> quickly and in a way that can be easily and quickly replicated when
> necessary.  Also, that snapshots of the data areas be taken often.

I'm happy to let fixes wait a while. I figure if they're broken, someone 
will notice. But I'm not protecting high-value sites. They do set up test 
environments and hire hordes of folk to do their QA testing.

> 
> If a box is often exposed to an infectious environment,  I believe it
> should be re-loaded with such approved configurations often.

We, my wife and I, have been burgled once (in over 30 years). It 
happened while I was at home.

More recently, we've had monitored security installed. Mrs S tends to be 
a little paranoid, and I thought it might be worth the dollars for her 
peace of mind.

In several years, we've had no intrusions, but quite a few false alarms. 
The most recent two were in October while we were on holiday in 
Melbourne (Australia). We live in the Perth area, dropping in to check 
wasn't an easy option and I talked her out of it. More recently, it 
happened again while we were on holiday, this time at Margaret River (I'm 
sure Google can tell you about it, it's famous for fine wines and for 
excellent surf). This time she insisted on coming home.

The security is not providing her peace of mind, in fact it's disturbing 
her. And the cost has exceeded any likely expense should we be burgled - 
we're also insured.

I'm beginning to think it's as sensible as reinstalling one's Linux 
regularly - that is, not very.


-- 

Cheers
John

-- spambait
1aaaaaaa at coco.merseine.nu  Z1aaaaaaa at coco.merseine.nu
-- Advice
http://webfoot.com/advice/email.top.php
http://www.catb.org/~esr/faqs/smart-questions.html
http://support.microsoft.com/kb/555375

You cannot reply off-list:-)