Subject: Re: NetBSD-3.1 was attacked: Bug of SSHD or cyrus-sasl?
To: Andy Ruhl <acruhl@gmail.com>
From: Elad Efrat <elad@NetBSD.org>
List: tech-net
Date: 01/12/2007 17:10:07
Andy Ruhl wrote:
> I'm surprised that a few people think you should start over. I would
> seriously hope that a compromised user account wouldn't immediately
> prompt paranoia that the box was rooted. I understand that this is a
> thoght process that needs to take place, but I would hope that NetBSD
> is more hardy than that.
>
> I always keep my install sets somewhere else so I can do a checksum
> against some important programs to see if it's been hacked.
the assumption is that if a malicious person gets a local account on
your machine, you will most likely have to start over from scratch.
there's a lot to be said about this topic (you would not believe how
many people actually care about this stuff :) but like smb@ said, the
common practice -- on all operating systems -- is to do a clean install
once you identified a compromise. leaving aside the fact that it can
be real hard to *detect* such a compromise, if you get that privilege,
act wisely.
and, if I may shamelessly plug something I wrote about this very issue
~two weeks ago:
http://blog.bsd.org.il/index.php/2006/12/21/open-source-rootkit-detection/
last but not least, about blocking ssh brute force attacks: I would
recommend not doing any sort of automatic log parsing on the server end.
-e.