679 lines
47 KiB
HTML
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0//EN">
<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=iso-8859-1">
<title>Securing Debian Manual - After the compromise (incident response)</title>
<link href="index.en.html" rel="start">
<link href="ch10.en.html" rel="prev">
<link href="ch12.en.html" rel="next">
<link href="index.en.html#contents" rel="contents">
<link href="index.en.html#copyright" rel="copyright">
<link href="ch1.en.html" rel="chapter" title="1 Introduction">
<link href="ch2.en.html" rel="chapter" title="2 Before you begin">
<link href="ch3.en.html" rel="chapter" title="3 Before and during the installation">
<link href="ch4.en.html" rel="chapter" title="4 After installation">
<link href="ch-sec-services.en.html" rel="chapter" title="5 Securing services running on your system">
<link href="ch-automatic-harden.en.html" rel="chapter" title="6 Automatic hardening of Debian systems">
<link href="ch7.en.html" rel="chapter" title="7 Debian Security Infrastructure">
<link href="ch-sec-tools.en.html" rel="chapter" title="8 Security tools in Debian">
<link href="ch9.en.html" rel="chapter" title="9 Developer's Best Practices for OS Security">
<link href="ch10.en.html" rel="chapter" title="10 Before the compromise">
<link href="ch-after-compromise.en.html" rel="chapter" title="11 After the compromise (incident response)">
<link href="ch12.en.html" rel="chapter" title="12 Frequently asked Questions (FAQ)">
<link href="ap-harden-step.en.html" rel="appendix" title="A The hardening process step by step">
<link href="ap-checklist.en.html" rel="appendix" title="B Configuration checklist">
<link href="ap-snort-box.en.html" rel="appendix" title="C Setting up a stand-alone IDS">
<link href="ap-bridge-fw.en.html" rel="appendix" title="D Setting up a bridge firewall">
<link href="ap-bind-chuser.en.html" rel="appendix" title="E Sample script to change the default Bind installation.">
<link href="ap-fw-security-update.en.html" rel="appendix" title="F Security update protected by a firewall">
<link href="ap-chroot-ssh-env.en.html" rel="appendix" title="G <code>Chroot</code> environment for <code>SSH</code>">
<link href="ap-chroot-apache-env.en.html" rel="appendix" title="H <code>Chroot</code> environment for <code>Apache</code>">
<link href="ch1.en.html#s-authors" rel="section" title="1.1 Authors">
<link href="ch1.en.html#s1.2" rel="section" title="1.2 Where to get the manual (and available formats)">
<link href="ch1.en.html#s1.3" rel="section" title="1.3 Organizational notes/feedback">
<link href="ch1.en.html#s1.4" rel="section" title="1.4 Prior knowledge">
<link href="ch1.en.html#s1.5" rel="section" title="1.5 Things that need to be written (FIXME/TODO)">
<link href="ch1.en.html#s-changelog" rel="section" title="1.6 Changelog/History">
<link href="ch1.en.html#s-credits" rel="section" title="1.7 Credits and thanks!">
<link href="ch2.en.html#s2.1" rel="section" title="2.1 What do you want this system for?">
<link href="ch2.en.html#s-references" rel="section" title="2.2 Be aware of general security problems">
<link href="ch2.en.html#s2.3" rel="section" title="2.3 How does Debian handle security?">
<link href="ch3.en.html#s-bios-passwd" rel="section" title="3.1 Choose a BIOS password">
<link href="ch3.en.html#s3.2" rel="section" title="3.2 Partitioning the system">
<link href="ch3.en.html#s3.3" rel="section" title="3.3 Do not plug to the Internet until ready">
<link href="ch3.en.html#s3.4" rel="section" title="3.4 Set a root password">
<link href="ch3.en.html#s3.5" rel="section" title="3.5 Activate shadow passwords and MD5 passwords">
<link href="ch3.en.html#s3.6" rel="section" title="3.6 Run the minimum number of services required">
<link href="ch3.en.html#s3.7" rel="section" title="3.7 Install the minimum amount of software required">
<link href="ch3.en.html#s3.8" rel="section" title="3.8 Read the Debian security mailing lists">
<link href="ch4.en.html#s-debian-sec-announce" rel="section" title="4.1 Subscribe to the Debian Security Announce mailing list">
<link href="ch4.en.html#s-security-update" rel="section" title="4.2 Execute a security update">
<link href="ch4.en.html#s-bios-boot" rel="section" title="4.3 Change the BIOS (again)">
<link href="ch4.en.html#s-lilo-passwd" rel="section" title="4.4 Set a LILO or GRUB password">
<link href="ch4.en.html#s-kernel-initramfs-prompt" rel="section" title="4.5 Disable root prompt on the initramfs">
<link href="ch4.en.html#s-kernel-root-prompt" rel="section" title="4.6 Remove root prompt on the kernel">
<link href="ch4.en.html#s-restrict-console-login" rel="section" title="4.7 Restricting console login access">
<link href="ch4.en.html#s-restrict-reboots" rel="section" title="4.8 Restricting system reboots through the console">
<link href="ch4.en.html#s4.9" rel="section" title="4.9 Mounting partitions the right way">
<link href="ch4.en.html#s4.10" rel="section" title="4.10 Providing secure user access">
<link href="ch4.en.html#s-tcpwrappers" rel="section" title="4.11 Using tcpwrappers">
<link href="ch4.en.html#s-log-alerts" rel="section" title="4.12 The importance of logs and alerts">
<link href="ch4.en.html#s-kernel-patches" rel="section" title="4.13 Adding kernel patches">
<link href="ch4.en.html#s4.14" rel="section" title="4.14 Protecting against buffer overflows">
<link href="ch4.en.html#s4.15" rel="section" title="4.15 Secure file transfers">
<link href="ch4.en.html#s4.16" rel="section" title="4.16 File system limits and control">
<link href="ch4.en.html#s-network-secure" rel="section" title="4.17 Securing network access">
<link href="ch4.en.html#s-snapshot" rel="section" title="4.18 Taking a snapshot of the system">
<link href="ch4.en.html#s4.19" rel="section" title="4.19 Other recommendations">
<link href="ch-sec-services.en.html#s5.1" rel="section" title="5.1 Securing ssh">
<link href="ch-sec-services.en.html#s5.2" rel="section" title="5.2 Securing Squid">
<link href="ch-sec-services.en.html#s-ftp-secure" rel="section" title="5.3 Securing FTP">
<link href="ch-sec-services.en.html#s5.4" rel="section" title="5.4 Securing access to the X Window System">
<link href="ch-sec-services.en.html#s5.5" rel="section" title="5.5 Securing printing access (the lpd and lprng issue)">
<link href="ch-sec-services.en.html#s5.6" rel="section" title="5.6 Securing the mail service">
<link href="ch-sec-services.en.html#s-sec-bind" rel="section" title="5.7 Securing BIND">
<link href="ch-sec-services.en.html#s5.8" rel="section" title="5.8 Securing Apache">
<link href="ch-sec-services.en.html#s5.9" rel="section" title="5.9 Securing finger">
<link href="ch-sec-services.en.html#s-chroot" rel="section" title="5.10 General chroot and suid paranoia">
<link href="ch-sec-services.en.html#s5.11" rel="section" title="5.11 General cleartext password paranoia">
<link href="ch-sec-services.en.html#s5.12" rel="section" title="5.12 Disabling NIS">
<link href="ch-sec-services.en.html#s-rpc" rel="section" title="5.13 Securing RPC services">
<link href="ch-sec-services.en.html#s-firewall-setup" rel="section" title="5.14 Adding firewall capabilities">
<link href="ch-automatic-harden.en.html#s6.1" rel="section" title="6.1 Harden">
<link href="ch-automatic-harden.en.html#s6.2" rel="section" title="6.2 Bastille Linux">
<link href="ch7.en.html#s-debian-sec-team" rel="section" title="7.1 The Debian Security Team">
<link href="ch7.en.html#s-dsa" rel="section" title="7.2 Debian Security Advisories">
<link href="ch7.en.html#s7.3" rel="section" title="7.3 Security Tracker">
<link href="ch7.en.html#s7.4" rel="section" title="7.4 Debian Security Build Infrastructure">
<link href="ch7.en.html#s-deb-pack-sign" rel="section" title="7.5 Package signing in Debian">
<link href="ch-sec-tools.en.html#s-vuln-asses" rel="section" title="8.1 Remote vulnerability assessment tools">
<link href="ch-sec-tools.en.html#s8.2" rel="section" title="8.2 Network scanner tools">
<link href="ch-sec-tools.en.html#s8.3" rel="section" title="8.3 Internal audits">
<link href="ch-sec-tools.en.html#s8.4" rel="section" title="8.4 Auditing source code">
<link href="ch-sec-tools.en.html#s-vpn" rel="section" title="8.5 Virtual Private Networks">
<link href="ch-sec-tools.en.html#s8.6" rel="section" title="8.6 Public Key Infrastructure (PKI)">
<link href="ch-sec-tools.en.html#s8.7" rel="section" title="8.7 SSL Infrastructure">
<link href="ch-sec-tools.en.html#s8.8" rel="section" title="8.8 Antivirus tools">
<link href="ch-sec-tools.en.html#s-gpg-agent" rel="section" title="8.9 GPG agent">
<link href="ch9.en.html#s-bpp-devel-design" rel="section" title="9.1 Best practices for security review and design">
<link href="ch9.en.html#s-bpp-lower-privs" rel="section" title="9.2 Creating users and groups for software daemons">
<link href="ch10.en.html#s-keep-secure" rel="section" title="10.1 Keep your system secure">
<link href="ch10.en.html#s-periodic-integrity" rel="section" title="10.2 Do periodic integrity checks">
<link href="ch10.en.html#s-intrusion-detect" rel="section" title="10.3 Set up Intrusion Detection">
<link href="ch10.en.html#s10.4" rel="section" title="10.4 Avoiding root-kits">
<link href="ch10.en.html#s10.5" rel="section" title="10.5 Genius/Paranoia Ideas — what you could do">
<link href="ch-after-compromise.en.html#s11.1" rel="section" title="11.1 General behavior">
<link href="ch-after-compromise.en.html#s11.2" rel="section" title="11.2 Backing up the system">
<link href="ch-after-compromise.en.html#s11.3" rel="section" title="11.3 Contact your local CERT">
<link href="ch-after-compromise.en.html#s11.4" rel="section" title="11.4 Forensic analysis">
<link href="ch12.en.html#s12.1" rel="section" title="12.1 Security in the Debian operating system">
<link href="ch12.en.html#s-vulnerable-system" rel="section" title="12.2 My system is vulnerable! (Are you sure?)">
<link href="ch12.en.html#s-debian-sec-team-faq" rel="section" title="12.3 Questions regarding the Debian security team">
<link href="ap-bridge-fw.en.html#sD.1" rel="section" title="D.1 A bridge providing NAT and firewall capabilities">
<link href="ap-bridge-fw.en.html#sD.2" rel="section" title="D.2 A bridge providing firewall capabilities">
<link href="ap-bridge-fw.en.html#sD.3" rel="section" title="D.3 Basic IPtables rules">
<link href="ap-chroot-ssh-env.en.html#sG.1" rel="section" title="G.1 Chrooting the ssh users">
<link href="ap-chroot-ssh-env.en.html#sG.2" rel="section" title="G.2 Chrooting the ssh server">
<link href="ap-chroot-apache-env.en.html#sH.1" rel="section" title="H.1 Introduction">
<link href="ap-chroot-apache-env.en.html#sH.2" rel="section" title="H.2 Installing the server">
<link href="ap-chroot-apache-env.en.html#sH.3" rel="section" title="H.3 See also">
<link href="ch1.en.html#s1.6.1" rel="subsection" title="1.6.1 Version 3.16 (March 2011)">
<link href="ch1.en.html#s1.6.2" rel="subsection" title="1.6.2 Version 3.15 (December 2010)">
<link href="ch1.en.html#s1.6.3" rel="subsection" title="1.6.3 Version 3.14 (March 2009)">
<link href="ch1.en.html#s1.6.4" rel="subsection" title="1.6.4 Version 3.13 (February 2008)">
<link href="ch1.en.html#s1.6.5" rel="subsection" title="1.6.5 Version 3.12 (August 2007)">
<link href="ch1.en.html#s1.6.6" rel="subsection" title="1.6.6 Version 3.11 (January 2007)">
<link href="ch1.en.html#s1.6.7" rel="subsection" title="1.6.7 Version 3.10 (November 2006)">
<link href="ch1.en.html#s1.6.8" rel="subsection" title="1.6.8 Version 3.9 (October 2006)">
<link href="ch1.en.html#s1.6.9" rel="subsection" title="1.6.9 Version 3.8 (July 2006)">
<link href="ch1.en.html#s1.6.10" rel="subsection" title="1.6.10 Version 3.7 (April 2006)">
<link href="ch1.en.html#s1.6.11" rel="subsection" title="1.6.11 Version 3.6 (March 2006)">
<link href="ch1.en.html#s1.6.12" rel="subsection" title="1.6.12 Version 3.5 (November 2005)">
<link href="ch1.en.html#s1.6.13" rel="subsection" title="1.6.13 Version 3.4 (August-September 2005)">
<link href="ch1.en.html#s1.6.14" rel="subsection" title="1.6.14 Version 3.3 (June 2005)">
<link href="ch1.en.html#s1.6.15" rel="subsection" title="1.6.15 Version 3.2 (March 2005)">
<link href="ch1.en.html#s1.6.16" rel="subsection" title="1.6.16 Version 3.1 (January 2005)">
<link href="ch1.en.html#s1.6.17" rel="subsection" title="1.6.17 Version 3.0 (December 2004)">
<link href="ch1.en.html#s1.6.18" rel="subsection" title="1.6.18 Version 2.99 (March 2004)">
<link href="ch1.en.html#s1.6.19" rel="subsection" title="1.6.19 Version 2.98 (December 2003)">
<link href="ch1.en.html#s1.6.20" rel="subsection" title="1.6.20 Version 2.97 (September 2003)">
<link href="ch1.en.html#s1.6.21" rel="subsection" title="1.6.21 Version 2.96 (August 2003)">
<link href="ch1.en.html#s1.6.22" rel="subsection" title="1.6.22 Version 2.95 (June 2003)">
<link href="ch1.en.html#s1.6.23" rel="subsection" title="1.6.23 Version 2.94 (April 2003)">
<link href="ch1.en.html#s1.6.24" rel="subsection" title="1.6.24 Version 2.93 (March 2003)">
<link href="ch1.en.html#s1.6.25" rel="subsection" title="1.6.25 Version 2.92 (February 2003)">
<link href="ch1.en.html#s1.6.26" rel="subsection" title="1.6.26 Version 2.91 (January/February 2003)">
<link href="ch1.en.html#s1.6.27" rel="subsection" title="1.6.27 Version 2.9 (December 2002)">
<link href="ch1.en.html#s1.6.28" rel="subsection" title="1.6.28 Version 2.8 (November 2002)">
<link href="ch1.en.html#s1.6.29" rel="subsection" title="1.6.29 Version 2.7 (October 2002)">
<link href="ch1.en.html#s1.6.30" rel="subsection" title="1.6.30 Version 2.6 (September 2002)">
<link href="ch1.en.html#s1.6.31" rel="subsection" title="1.6.31 Version 2.5 (September 2002)">
<link href="ch1.en.html#s1.6.32" rel="subsection" title="1.6.32 Version 2.5 (August 2002)">
<link href="ch1.en.html#s1.6.33" rel="subsection" title="1.6.33 Version 2.4">
<link href="ch1.en.html#s1.6.34" rel="subsection" title="1.6.34 Version 2.3">
<link href="ch1.en.html#s1.6.35" rel="subsection" title="1.6.35 Version 2.3">
<link href="ch1.en.html#s1.6.36" rel="subsection" title="1.6.36 Version 2.2">
<link href="ch1.en.html#s1.6.37" rel="subsection" title="1.6.37 Version 2.1">
<link href="ch1.en.html#s1.6.38" rel="subsection" title="1.6.38 Version 2.0">
<link href="ch1.en.html#s1.6.39" rel="subsection" title="1.6.39 Version 1.99">
<link href="ch1.en.html#s1.6.40" rel="subsection" title="1.6.40 Version 1.98">
<link href="ch1.en.html#s1.6.41" rel="subsection" title="1.6.41 Version 1.97">
<link href="ch1.en.html#s1.6.42" rel="subsection" title="1.6.42 Version 1.96">
<link href="ch1.en.html#s1.6.43" rel="subsection" title="1.6.43 Version 1.95">
<link href="ch1.en.html#s1.6.44" rel="subsection" title="1.6.44 Version 1.94">
<link href="ch1.en.html#s1.6.45" rel="subsection" title="1.6.45 Version 1.93">
<link href="ch1.en.html#s1.6.46" rel="subsection" title="1.6.46 Version 1.92">
<link href="ch1.en.html#s1.6.47" rel="subsection" title="1.6.47 Version 1.91">
<link href="ch1.en.html#s1.6.48" rel="subsection" title="1.6.48 Version 1.9">
<link href="ch1.en.html#s1.6.49" rel="subsection" title="1.6.49 Version 1.8">
<link href="ch1.en.html#s1.6.50" rel="subsection" title="1.6.50 Version 1.7">
<link href="ch1.en.html#s1.6.51" rel="subsection" title="1.6.51 Version 1.6">
<link href="ch1.en.html#s1.6.52" rel="subsection" title="1.6.52 Version 1.5">
<link href="ch1.en.html#s1.6.53" rel="subsection" title="1.6.53 Version 1.4">
<link href="ch1.en.html#s1.6.54" rel="subsection" title="1.6.54 Version 1.3">
<link href="ch1.en.html#s1.6.55" rel="subsection" title="1.6.55 Version 1.2">
<link href="ch1.en.html#s1.6.56" rel="subsection" title="1.6.56 Version 1.1">
<link href="ch1.en.html#s1.6.57" rel="subsection" title="1.6.57 Version 1.0">
<link href="ch3.en.html#s3.2.1" rel="subsection" title="3.2.1 Choose an intelligent partition scheme">
<link href="ch3.en.html#s3.2.1.1" rel="subsection" title="3.2.1.1 Selecting the appropriate file systems">
<link href="ch3.en.html#s-disableserv" rel="subsection" title="3.6.1 Disabling daemon services">
<link href="ch3.en.html#s-inetd" rel="subsection" title="3.6.2 Disabling <code>inetd</code> or its services">
<link href="ch3.en.html#s3.7.1" rel="subsection" title="3.7.1 Removing Perl">
<link href="ch4.en.html#s-lib-security-update" rel="subsection" title="4.2.1 Security update of libraries">
<link href="ch4.en.html#s-kernel-security-update" rel="subsection" title="4.2.2 Security update of the kernel">
<link href="ch4.en.html#s4.9.1" rel="subsection" title="4.9.1 Setting <code>/tmp</code> noexec">
<link href="ch4.en.html#s4.9.2" rel="subsection" title="4.9.2 Setting /usr read-only">
<link href="ch4.en.html#s-auth-pam" rel="subsection" title="4.10.1 User authentication: PAM">
<link href="ch4.en.html#s-user-limits" rel="subsection" title="4.10.2 Limiting resource usage: the <code>limits.conf</code> file">
<link href="ch4.en.html#s4.10.3" rel="subsection" title="4.10.3 User login actions: edit <code>/etc/login.defs</code>">
<link href="ch4.en.html#s4.10.4" rel="subsection" title="4.10.4 Restricting ftp: editing <code>/etc/ftpusers</code>">
<link href="ch4.en.html#s4.10.5" rel="subsection" title="4.10.5 Using su">
<link href="ch4.en.html#s4.10.6" rel="subsection" title="4.10.6 Using sudo">
<link href="ch4.en.html#s4.10.7" rel="subsection" title="4.10.7 Disallow remote administrative access">
<link href="ch4.en.html#s-user-restrict" rel="subsection" title="4.10.8 Restricting users' access">
<link href="ch4.en.html#s4.10.9" rel="subsection" title="4.10.9 User auditing">
<link href="ch4.en.html#s4.10.9.1" rel="subsection" title="4.10.9.1 Input and output audit with script">
<link href="ch4.en.html#s4.10.9.2" rel="subsection" title="4.10.9.2 Using the shell history file">
<link href="ch4.en.html#s4.10.9.3" rel="subsection" title="4.10.9.3 Complete user audit with accounting utilities">
<link href="ch4.en.html#s4.10.9.4" rel="subsection" title="4.10.9.4 Other user auditing methods">
<link href="ch4.en.html#s4.10.10" rel="subsection" title="4.10.10 Reviewing user profiles">
<link href="ch4.en.html#s4.10.11" rel="subsection" title="4.10.11 Setting users umasks">
<link href="ch4.en.html#s4.10.12" rel="subsection" title="4.10.12 Limiting what users can see/access">
<link href="ch4.en.html#s-limit-user-perm" rel="subsection" title="4.10.12.1 Limiting access to other user's information">
<link href="ch4.en.html#s-user-pwgen" rel="subsection" title="4.10.13 Generating user passwords">
<link href="ch4.en.html#s4.10.14" rel="subsection" title="4.10.14 Checking user passwords">
<link href="ch4.en.html#s-idle-logoff" rel="subsection" title="4.10.15 Logging off idle users">
<link href="ch4.en.html#s-custom-logcheck" rel="subsection" title="4.12.1 Using and customizing <code>logcheck</code>">
<link href="ch4.en.html#s4.12.2" rel="subsection" title="4.12.2 Configuring where alerts are sent">
<link href="ch4.en.html#s4.12.3" rel="subsection" title="4.12.3 Using a loghost">
<link href="ch4.en.html#s4.12.4" rel="subsection" title="4.12.4 Log file permissions">
<link href="ch4.en.html#s4.14.1" rel="subsection" title="4.14.1 Kernel patch protection for buffer overflows">
<link href="ch4.en.html#s4.14.2" rel="subsection" title="4.14.2 Testing programs for overflows">
<link href="ch4.en.html#s4.16.1" rel="subsection" title="4.16.1 Using quotas">
<link href="ch4.en.html#s-ext2attr" rel="subsection" title="4.16.2 The ext2 filesystem specific attributes (chattr/lsattr)">
<link href="ch4.en.html#s-check-integ" rel="subsection" title="4.16.3 Checking file system integrity">
<link href="ch4.en.html#s4.16.4" rel="subsection" title="4.16.4 Setting up setuid check">
<link href="ch4.en.html#s-kernel-conf" rel="subsection" title="4.17.1 Configuring kernel network features">
<link href="ch4.en.html#s-tcp-syncookies" rel="subsection" title="4.17.2 Configuring syncookies">
<link href="ch4.en.html#s-net-harden" rel="subsection" title="4.17.3 Securing the network on boot-time">
<link href="ch4.en.html#s-kernel-fw" rel="subsection" title="4.17.4 Configuring firewall features">
<link href="ch4.en.html#s-limit-bindaddr" rel="subsection" title="4.17.5 Disabling weak-end hosts issues">
<link href="ch4.en.html#s4.17.6" rel="subsection" title="4.17.6 Protecting against ARP attacks">
<link href="ch4.en.html#s4.19.1" rel="subsection" title="4.19.1 Do not use software depending on svgalib">
<link href="ch-sec-services.en.html#s-ssh-chroot" rel="subsection" title="5.1.1 Chrooting ssh">
<link href="ch-sec-services.en.html#s5.1.2" rel="subsection" title="5.1.2 Ssh clients">
<link href="ch-sec-services.en.html#s5.1.3" rel="subsection" title="5.1.3 Disallowing file transfers">
<link href="ch-sec-services.en.html#s-ssh-only-file" rel="subsection" title="5.1.4 Restricting access to file transfer only">
<link href="ch-sec-services.en.html#s5.4.1" rel="subsection" title="5.4.1 Check your display manager">
<link href="ch-sec-services.en.html#s5.6.1" rel="subsection" title="5.6.1 Configuring a Nullmailer">
<link href="ch-sec-services.en.html#s5.6.2" rel="subsection" title="5.6.2 Providing secure access to mailboxes">
<link href="ch-sec-services.en.html#s5.6.3" rel="subsection" title="5.6.3 Receiving mail securely">
<link href="ch-sec-services.en.html#s-configure-bind" rel="subsection" title="5.7.1 Bind configuration to avoid misuse">
<link href="ch-sec-services.en.html#s-user-bind" rel="subsection" title="5.7.2 Changing BIND's user">
<link href="ch-sec-services.en.html#s-chroot-bind" rel="subsection" title="5.7.3 Chrooting the name server">
<link href="ch-sec-services.en.html#s5.8.1" rel="subsection" title="5.8.1 Disabling users from publishing web contents">
<link href="ch-sec-services.en.html#s5.8.2" rel="subsection" title="5.8.2 Logfiles permissions">
<link href="ch-sec-services.en.html#s5.8.3" rel="subsection" title="5.8.3 Published web files">
<link href="ch-sec-services.en.html#s-auto-chroot" rel="subsection" title="5.10.1 Making chrooted environments automatically">
<link href="ch-sec-services.en.html#s5.13.1" rel="subsection" title="5.13.1 Disabling RPC services completely">
<link href="ch-sec-services.en.html#s5.13.2" rel="subsection" title="5.13.2 Limiting access to RPC services">
<link href="ch-sec-services.en.html#s5.14.1" rel="subsection" title="5.14.1 Firewalling the local system">
<link href="ch-sec-services.en.html#s5.14.2" rel="subsection" title="5.14.2 Using a firewall to protect other systems">
<link href="ch-sec-services.en.html#s5.14.3" rel="subsection" title="5.14.3 Setting up a firewall">
<link href="ch-sec-services.en.html#s-firewall-pack" rel="subsection" title="5.14.3.1 Using firewall packages">
<link href="ch-sec-services.en.html#s5.14.3.2" rel="subsection" title="5.14.3.2 Manual init.d configuration">
<link href="ch-sec-services.en.html#s5.14.3.3" rel="subsection" title="5.14.3.3 Configuring firewall rules through <code>ifup</code>">
<link href="ch-sec-services.en.html#s5.14.3.4" rel="subsection" title="5.14.3.4 Testing your firewall configuration">
<link href="ch7.en.html#s-crossreference" rel="subsection" title="7.2.1 Vulnerability cross references">
<link href="ch7.en.html#s-cve-compatible" rel="subsection" title="7.2.2 CVE compatibility">
<link href="ch7.en.html#s7.4.1" rel="subsection" title="7.4.1 Developer's guide to security updates">
<link href="ch7.en.html#s7.5.1" rel="subsection" title="7.5.1 The current scheme for package signature checks">
<link href="ch7.en.html#s-apt-0.6" rel="subsection" title="7.5.2 Secure apt">
<link href="ch7.en.html#s-check-releases" rel="subsection" title="7.5.3 Per distribution release check">
<link href="ch7.en.html#s7.5.3.1" rel="subsection" title="7.5.3.1 Basic concepts">
<link href="ch7.en.html#s7.5.3.2" rel="subsection" title="7.5.3.2 <code>Release</code> checksums">
<link href="ch7.en.html#s7.5.3.3" rel="subsection" title="7.5.3.3 Verification of the <code>Release</code> file">
<link href="ch7.en.html#s7.5.3.4" rel="subsection" title="7.5.3.4 Check of <code>Release.gpg</code> by <code>apt</code>">
<link href="ch7.en.html#s7.5.3.5" rel="subsection" title="7.5.3.5 How to tell apt what to trust">
<link href="ch7.en.html#s7.5.3.6" rel="subsection" title="7.5.3.6 Finding the key for a repository">
<link href="ch7.en.html#s-secure-apt-add-key" rel="subsection" title="7.5.3.7 Safely adding a key">
<link href="ch7.en.html#s7.5.3.8" rel="subsection" title="7.5.3.8 Verifying key integrity">
<link href="ch7.en.html#s7.5.3.9" rel="subsection" title="7.5.3.9 Debian archive key yearly rotation">
<link href="ch7.en.html#s7.5.3.10" rel="subsection" title="7.5.3.10 Known release checking problems">
<link href="ch7.en.html#s-manual-check-releases" rel="subsection" title="7.5.3.11 Manual per distribution release check">
<link href="ch7.en.html#s-check-non-debian-releases" rel="subsection" title="7.5.4 Release check of non Debian sources">
<link href="ch7.en.html#s-check-pkg-sign" rel="subsection" title="7.5.5 Alternative per-package signing scheme">
<link href="ch-sec-tools.en.html#s8.5.1" rel="subsection" title="8.5.1 Point to Point tunneling">
<link href="ch10.en.html#s-track-vulns" rel="subsection" title="10.1.1 Tracking security vulnerabilities">
<link href="ch10.en.html#s-keep-up-to-date" rel="subsection" title="10.1.2 Continuously update the system">
<link href="ch10.en.html#s10.1.2.1" rel="subsection" title="10.1.2.1 Manually checking which security updates are available">
<link href="ch10.en.html#s-update-desktop" rel="subsection" title="10.1.2.2 Checking for updates at the Desktop">
<link href="ch10.en.html#s-cron-apt" rel="subsection" title="10.1.2.3 Automatically checking for updates with cron-apt">
<link href="ch10.en.html#s-debsecan" rel="subsection" title="10.1.2.4 Automatically checking for security issues with debsecan">
<link href="ch10.en.html#s10.1.2.5" rel="subsection" title="10.1.2.5 Other methods for security updates">
<link href="ch10.en.html#s10.1.3" rel="subsection" title="10.1.3 Avoid using the unstable branch">
<link href="ch10.en.html#s-security-support-testing" rel="subsection" title="10.1.4 Security support for the testing branch">
<link href="ch10.en.html#s10.1.5" rel="subsection" title="10.1.5 Automatic updates in a Debian GNU/Linux system">
<link href="ch10.en.html#s10.3.1" rel="subsection" title="10.3.1 Network based intrusion detection">
<link href="ch10.en.html#s10.3.2" rel="subsection" title="10.3.2 Host based intrusion detection">
<link href="ch10.en.html#s-LKM" rel="subsection" title="10.4.1 Loadable Kernel Modules (LKM)">
<link href="ch10.en.html#s10.4.2" rel="subsection" title="10.4.2 Detecting root-kits">
<link href="ch10.en.html#s-proactive" rel="subsection" title="10.4.2.1 Proactive defense">
<link href="ch10.en.html#s10.4.2.2" rel="subsection" title="10.4.2.2 Reactive defense">
<link href="ch10.en.html#s10.5.1" rel="subsection" title="10.5.1 Building a honeypot">
<link href="ch-after-compromise.en.html#s11.4.1" rel="subsection" title="11.4.1 Analysis of malware">
<link href="ch12.en.html#s12.1.1" rel="subsection" title="12.1.1 Is Debian more secure than X?">
<link href="ch12.en.html#s12.1.1.1" rel="subsection" title="12.1.1.1 Is Debian more secure than other Linux distributions (such as Red Hat, SuSE...)?">
<link href="ch12.en.html#s12.1.2" rel="subsection" title="12.1.2 There are many Debian bugs in Bugtraq. Does this mean that it is very vulnerable?">
<link href="ch12.en.html#s12.1.3" rel="subsection" title="12.1.3 Does Debian have any certification related to security?">
<link href="ch12.en.html#s12.1.4" rel="subsection" title="12.1.4 Are there any hardening programs for Debian?">
<link href="ch12.en.html#s12.1.5" rel="subsection" title="12.1.5 I want to run XYZ service, which one should I choose?">
<link href="ch12.en.html#s12.1.6" rel="subsection" title="12.1.6 How can I make service XYZ more secure in Debian?">
<link href="ch12.en.html#s12.1.7" rel="subsection" title="12.1.7 How can I remove all the banners for services?">
<link href="ch12.en.html#s12.1.8" rel="subsection" title="12.1.8 Are all Debian packages safe?">
<link href="ch12.en.html#s12.1.9" rel="subsection" title="12.1.9 Why are some log files/configuration files world-readable, isn't this insecure?">
<link href="ch12.en.html#s12.1.10" rel="subsection" title="12.1.10 Why does /root/ (or UserX) have 755 permissions?">
<link href="ch12.en.html#s12.1.11" rel="subsection" title="12.1.11 After installing a grsec/firewall, I started receiving many console messages! How do I remove them?">
<link href="ch12.en.html#s-faq-os-users" rel="subsection" title="12.1.12 Operating system users and groups">
<link href="ch12.en.html#s12.1.12.1" rel="subsection" title="12.1.12.1 Are all system users necessary?">
<link href="ch12.en.html#s12.1.12.2" rel="subsection" title="12.1.12.2 I removed a system user! How can I recover?">
<link href="ch12.en.html#s12.1.12.3" rel="subsection" title="12.1.12.3 What is the difference between the adm and the staff group?">
<link href="ch12.en.html#s12.1.13" rel="subsection" title="12.1.13 Why is there a new group when I add a new user? (or Why does Debian give each user one group?)">
<link href="ch12.en.html#s12.1.14" rel="subsection" title="12.1.14 Questions regarding services and open ports">
<link href="ch12.en.html#s12.1.14.1" rel="subsection" title="12.1.14.1 Why are all services activated upon installation?">
<link href="ch12.en.html#s12.1.14.2" rel="subsection" title="12.1.14.2 Can I remove <code>inetd</code>?">
<link href="ch12.en.html#s12.1.14.3" rel="subsection" title="12.1.14.3 Why do I have port 111 open?">
<link href="ch12.en.html#s12.1.14.4" rel="subsection" title="12.1.14.4 What use is <code>identd</code> (port 113) for?">
<link href="ch12.en.html#s12.1.14.5" rel="subsection" title="12.1.14.5 I have services using port 1 and 6, what are they and how can I remove them?">
<link href="ch12.en.html#s12.1.14.6" rel="subsection" title="12.1.14.6 I found the port XYZ open, can I close it?">
<link href="ch12.en.html#s12.1.14.7" rel="subsection" title="12.1.14.7 Will removing services from <code>/etc/services</code> help secure my box?">
<link href="ch12.en.html#s12.1.15" rel="subsection" title="12.1.15 Common security issues">
<link href="ch12.en.html#s12.1.15.1" rel="subsection" title="12.1.15.1 I have lost my password and cannot access the system!">
<link href="ch12.en.html#s12.1.16" rel="subsection" title="12.1.16 How do I accomplish setting up a service for my users without giving out shell accounts?">
<link href="ch12.en.html#s-vulnasses-false-positive" rel="subsection" title="12.2.1 Vulnerability assessment scanner X says my Debian system is vulnerable!">
<link href="ch12.en.html#s12.2.2" rel="subsection" title="12.2.2 I've seen an attack in my system's logs. Is my system compromised?">
<link href="ch12.en.html#s12.2.3" rel="subsection" title="12.2.3 I have found strange 'MARK' lines in my logs: Am I compromised?">
|
|
<link href="ch12.en.html#s12.2.4" rel="subsection" title="12.2.4 I found users using 'su' in my logs: Am I compromised?">
|
|
<link href="ch12.en.html#s12.2.5" rel="subsection" title="12.2.5 I have found 'possible SYN flooding' in my logs: Am I under attack?">
|
|
<link href="ch12.en.html#s12.2.6" rel="subsection" title="12.2.6 I have found strange root sessions in my logs: Am I compromised?">
|
|
<link href="ch12.en.html#s12.2.7" rel="subsection" title="12.2.7 I have suffered a break-in, what do I do?">
|
|
<link href="ch12.en.html#s12.2.8" rel="subsection" title="12.2.8 How can I trace an attack?">
|
|
<link href="ch12.en.html#s12.2.9" rel="subsection" title="12.2.9 Program X in Debian is vulnerable, what do I do?">
|
|
<link href="ch12.en.html#s-version-backport" rel="subsection" title="12.2.10 The version number for a package indicates that I am still running a vulnerable version!">
|
|
<link href="ch12.en.html#s12.2.11" rel="subsection" title="12.2.11 Specific software">
|
|
<link href="ch12.en.html#s12.2.11.1" rel="subsection" title="12.2.11.1 <code>proftpd</code> is vulnerable to a Denial of Service attack.">
|
|
<link href="ch12.en.html#s12.2.11.2" rel="subsection" title="12.2.11.2 After installing <code>portsentry</code>, there are a lot of ports open.">
|
|
<link href="ch12.en.html#s12.3.1" rel="subsection" title="12.3.1 What is a Debian Security Advisory (DSA)?">
|
|
<link href="ch12.en.html#s12.3.2" rel="subsection" title="12.3.2 The signature on Debian advisories does not verify correctly!">
|
|
<link href="ch12.en.html#s12.3.3" rel="subsection" title="12.3.3 How is security handled in Debian?">
|
|
<link href="ch12.en.html#s12.3.4" rel="subsection" title="12.3.4 Why are you fiddling with an old version of that package?">
|
|
<link href="ch12.en.html#s12.3.5" rel="subsection" title="12.3.5 What is the policy for a fixed package to appear in security.debian.org?">
|
|
<link href="ch12.en.html#s12.3.6" rel="subsection" title="12.3.6 What does "local (remote)" mean?">
|
|
<link href="ch12.en.html#s12.3.7" rel="subsection" title="12.3.7 The version number for a package indicates that I am still running a vulnerable version!">
|
|
<link href="ch12.en.html#s-sec-unstable" rel="subsection" title="12.3.8 How is security handled for <samp>testing</samp> and <samp>unstable</samp>?">
|
|
<link href="ch12.en.html#s-sec-older" rel="subsection" title="12.3.9 I use an older version of Debian, is it supported by the Debian Security Team?">
|
|
<link href="ch12.en.html#s12.3.10" rel="subsection" title="12.3.10 How does <em>testing</em> get security updates?">
|
|
<link href="ch12.en.html#s12.3.11" rel="subsection" title="12.3.11 How is security handled for contrib and non-free?">
|
|
<link href="ch12.en.html#s12.3.12" rel="subsection" title="12.3.12 Why are there no official mirrors for security.debian.org?">
|
|
<link href="ch12.en.html#s12.3.13" rel="subsection" title="12.3.13 I've seen DSA 100 and DSA 102, now where is DSA 101?">
|
|
<link href="ch12.en.html#s12.3.14" rel="subsection" title="12.3.14 I tried to download a package listed in one of the security advisories, but I got a `file not found' error.">
|
|
<link href="ch12.en.html#s12.3.15" rel="subsection" title="12.3.15 How can I reach the security team?">
|
|
<link href="ch12.en.html#s12.3.16" rel="subsection" title="12.3.16 What difference is there between security@debian.org and debian-security@lists.debian.org?">
|
|
<link href="ch12.en.html#s12.3.17" rel="subsection" title="12.3.17 I guess I found a security problem, what should I do?">
|
|
<link href="ch12.en.html#s12.3.18" rel="subsection" title="12.3.18 How can I contribute to the Debian security team?">
|
|
<link href="ch12.en.html#s12.3.19" rel="subsection" title="12.3.19 Who is the Security Team composed of?">
|
|
<link href="ch12.en.html#s12.3.20" rel="subsection" title="12.3.20 Does the Debian Security team check every new package in Debian?">
|
|
<link href="ch12.en.html#s12.3.21" rel="subsection" title="12.3.21 How much time will it take Debian to fix vulnerability XXXX?">
|
|
<link href="ch12.en.html#s12.3.22" rel="subsection" title="12.3.22 How long will security updates be provided?">
|
|
<link href="ch12.en.html#s12.3.23" rel="subsection" title="12.3.23 How can I check the integrity of packages?">
|
|
<link href="ch12.en.html#s12.3.24" rel="subsection" title="12.3.24 What to do if a random package breaks after a security update?">
|
|
<link href="ap-chroot-ssh-env.en.html#sG.1.1" rel="subsection" title="G.1.1 Using <code>libpam-chroot</code>">
|
|
<link href="ap-chroot-ssh-env.en.html#sG.1.2" rel="subsection" title="G.1.2 Patching the <code>ssh</code> server">
|
|
<link href="ap-chroot-ssh-env.en.html#sG.2.1" rel="subsection" title="G.2.1 Setup a minimal system (the really easy way)">
|
|
<link href="ap-chroot-ssh-env.en.html#sG.2.2" rel="subsection" title="G.2.2 Automatically making the environment (the easy way)">
|
|
<link href="ap-chroot-ssh-env.en.html#sG.2.3" rel="subsection" title="G.2.3 Manually creating the environment (the hard way)">
|
|
<link href="ap-chroot-apache-env.en.html#sH.1.1" rel="subsection" title="H.1.1 Licensing">
|
|
|
|
</head>

<body>

<p><a name="ch-after-compromise"></a></p>

<hr>

<p>
[ <a href="ch10.en.html">previous</a> ]
[ <a href="index.en.html#contents">Contents</a> ]
[ <a href="ch1.en.html">1</a> ]
[ <a href="ch2.en.html">2</a> ]
[ <a href="ch3.en.html">3</a> ]
[ <a href="ch4.en.html">4</a> ]
[ <a href="ch-sec-services.en.html">5</a> ]
[ <a href="ch-automatic-harden.en.html">6</a> ]
[ <a href="ch7.en.html">7</a> ]
[ <a href="ch-sec-tools.en.html">8</a> ]
[ <a href="ch9.en.html">9</a> ]
[ <a href="ch10.en.html">10</a> ]
[ 11 ]
[ <a href="ch12.en.html">12</a> ]
[ <a href="ap-harden-step.en.html">A</a> ]
[ <a href="ap-checklist.en.html">B</a> ]
[ <a href="ap-snort-box.en.html">C</a> ]
[ <a href="ap-bridge-fw.en.html">D</a> ]
[ <a href="ap-bind-chuser.en.html">E</a> ]
[ <a href="ap-fw-security-update.en.html">F</a> ]
[ <a href="ap-chroot-ssh-env.en.html">G</a> ]
[ <a href="ap-chroot-apache-env.en.html">H</a> ]
[ <a href="ch12.en.html">next</a> ]
</p>

<hr>

<h1>
Securing Debian Manual
<br>Chapter 11 - After the compromise (incident response)
</h1>

<hr>

<h2><a name="s11.1"></a>11.1 General behavior</h2>

<p>
If you are physically present when an attack is happening, your first response
should be to remove the machine from the network by unplugging the network
cable (if this will not adversely affect any business transactions). Disabling
the network at layer 1 is the only true way to keep the attacker out of the
compromised box (Phillip Hofmeister's wise advice). Taking the interface down
in software is not equivalent: the attacker's tools may bring it back up, and a
compromised kernel cannot be trusted to report the interface state honestly.
</p>

<p>
However, some tools installed by rootkits, trojans and even a rogue user
connected through a back door might be capable of detecting this event and
reacting to it. Seeing an <samp>rm -rf /</samp> executed when you unplug the
network from the system is not much fun. If you are unwilling to take the
risk, and you are sure that the system is compromised, you should
<em>unplug the power cable</em> (all of them if there is more than one) and
cross your fingers. This is extreme, but it will stop any logic bomb the
intruder might have programmed. Bear in mind the trade-off: pulling the power
also discards the contents of memory (running processes, open network
connections, loaded kernel modules), which a live analysis could otherwise have
captured. In either case, the compromised system <em>should not be
re-booted</em> from its own disks. Either the hard disks should be moved to
another system for analysis, or you should use other media (a CD-ROM) to boot
the system and analyze it. You should <em>not</em> use Debian's rescue disks
to boot the system, but you <em>can</em> use the shell provided by the
installation disks (remember, Alt+F2 will take you to it) to analyze [<a
href="footnotes.en.html#f73" name="fr73">73</a>] the system.
</p>

<p>
The most recommended method for recovering a compromised system is to use a
live file system on CD-ROM with all the tools (and kernel modules) you might
need to access the compromised system. You can use the
<code>mkinitrd-cd</code> package to build such a CD-ROM[<a
href="footnotes.en.html#f74" name="fr74">74</a>]. You might find the <code><a
href="http://biatchux.dmzs.com/">FIRE</a></code> (previously called Biatchux)
CD-ROM useful here too, since it is also a live CD-ROM with forensic tools
useful in these situations. There is not (yet) a Debian-based tool such as
this, nor an easy way to build the CD-ROM using your own selection of Debian
packages and <code>mkinitrd-cd</code> (so you will have to read the
documentation provided with it to make your own CD-ROMs).
</p>

<p>
If you really want to fix the compromise quickly, you should remove the
compromised host from your network and re-install the operating system from
scratch. Of course, this alone may not be effective, because you will not learn
how the intruder got root in the first place, and the rebuilt host may be
compromised again the same way. For that you must check everything: firewall,
file integrity, log host, log files and so on. For more information on what to
do following a break-in, see <code><a
href="http://www.cert.org/tech_tips/root_compromise.html">CERT's Steps for
Recovering from a UNIX or NT System Compromise</a></code> or SANS's <code><a
href="http://www.sans.org/reading_room/whitepapers/incident/">Incident Handling
whitepapers</a></code>.
</p>

<p>
Some common questions on how to handle a compromised Debian GNU/Linux system
are also answered in <a href="ch12.en.html#s-vulnerable-system">My system is
vulnerable! (Are you sure?), Section 12.2</a>.
</p>

<hr>

<h2><a name="s11.2"></a>11.2 Backing up the system</h2>

<p>
Remember that if you are sure the system has been compromised you cannot trust
the installed software or any information that it gives back to you.
Applications might have been trojanized, kernel modules might have been
installed, etc. This applies to the backup tools as well: run them from the
safe boot medium, not from the compromised disk.
</p>

<p>
The best thing to do is a complete file system backup copy (a raw image of the
whole disk, using <code>dd</code>) after booting from a safe medium. Debian
GNU/Linux CD-ROMs can be handy for this since they provide a shell in console 2
when the installation is started (jump to it using Alt+F2 and pressing Enter).
From this shell, back up the information to another host if possible (maybe a
network file server through NFS/FTP). Record a cryptographic hash of the image
as soon as it is written, so that you can later show that the copy you analyze
is the copy you took. Then any analysis of the compromise or re-installation
can be performed while the affected system is offline.
</p>
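<p>
The imaging step above, written out as an added example that is not part of
the Securing Debian Manual: <code>dd</code> copies the device block by block
without stopping at unreadable sectors, a SHA-256 hash is recorded the moment
the image is complete, and every later session starts by checking the image
against that hash. The function names (<code>image_device</code>,
<code>verify_image</code>, <code>source_hash</code>) and the 1 MiB file that
stands in for a disk in the demonstration are this example's own choices.
</p>

```shell
#!/bin/sh
# Added example (not part of the Securing Debian Manual): raw imaging of a
# block device with dd, plus a hash taken at imaging time so the copy can be
# verified before every later analysis. Function names are this example's own.

# image_device SRC DEST
# Read SRC (a block device such as /dev/sda, or any file) into DEST.
# conv=noerror,sync keeps going past unreadable sectors and pads them with
# zeros instead of silently shortening the image; dd's messages (including any
# read errors) go to DEST.dd.log. Writes DEST.sha256 and prints the hash.
image_device() {
    src=$1
    dest=$2
    dd if="$src" of="$dest" bs=4096 conv=noerror,sync 2>"$dest.dd.log" || return 1
    # Hash the image once, right after it is written: this is the reference
    # value for everything that follows.
    sha256sum "$dest" | cut -d' ' -f1 > "$dest.sha256" || return 1
    cat "$dest.sha256"
}

# verify_image DEST
# Recompute the hash of DEST and compare it with the recorded one.
# Returns 0 when they match, 1 when the image changed or the record is missing.
verify_image() {
    dest=$1
    [ -r "$dest.sha256" ] || return 1
    recorded=$(cat "$dest.sha256")
    current=$(sha256sum "$dest" | cut -d' ' -f1)
    [ "$recorded" = "$current" ]
}

# source_hash SRC: hash of the original, to compare with the image hash.
source_hash() {
    sha256sum "$1" | cut -d' ' -f1
}

# Self-contained demonstration on a constructed "disk": a 1 MiB file of
# random data standing in for /dev/sda. Returns 0 when imaging, verification
# and tamper detection all behave as expected.
demo_dd() {
    work=$(mktemp -d) || return 1
    dd if=/dev/urandom of="$work/disk" bs=4096 count=256 2>/dev/null || return 1
    image_device "$work/disk" "$work/disk.img" >/dev/null || return 1
    # Source size is a multiple of bs, so no padding: hashes must agree.
    [ "$(source_hash "$work/disk")" = "$(cat "$work/disk.img.sha256")" ] || return 1
    verify_image "$work/disk.img" || return 1
    # Tamper with one byte of the image, as a careless analysis might, and
    # confirm that verification now fails.
    printf 'x' | dd of="$work/disk.img" bs=1 seek=100 conv=notrunc 2>/dev/null
    if verify_image "$work/disk.img"; then return 1; fi
    rm -rf "$work"
    return 0
}

demo_dd || { echo "demo failed"; exit 1; }
```

<p>
Two points to keep in mind when using this on a real disk. First, image the
whole device rather than a partition, so the boot sector, swap and unallocated
space are captured too. Second, <code>conv=sync</code> pads the final partial
block, so the hash of the source equals the hash of the image only when the
device size is a multiple of <code>bs</code>; either pick a block size that
divides the device size or record the padding along with the hash. When the
image goes to another host, hash it on both ends.
</p>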

<p>
If you are sure that the only compromise is a Trojan kernel module, you can try
to run the kernel image from the Debian CD-ROM in <em>rescue</em> mode. Make
sure to start up in <em>single user</em> mode, so no other Trojan processes run
after the kernel. Be aware that this is a bet on the attacker having touched
nothing else: a trojanized <code>init</code> or <code>/bin/sh</code> on the
disk would still run, so when in doubt go back to the offline procedure above.
</p>

<hr>

<h2><a name="s11.3"></a>11.3 Contact your local CERT</h2>

<p>
A CERT (Computer Emergency Response Team) is an organization that can help you
recover from a system compromise. There are CERTs worldwide [<a
href="footnotes.en.html#f75" name="fr75">75</a>] and you should contact your
local CERT in the event of a security incident which has led to a system
compromise. The people at your local CERT can help you recover from it.
</p>

<p>
Providing your local CERT (or the CERT coordination center) with information on
the compromise, even if you do not seek assistance, can also help others, since
the aggregate information of reported incidents is used to determine whether a
given vulnerability is being exploited widely, whether there is a new worm
about, and which new attack tools are being used. This information is used to
provide the Internet community with information on the <code><a
href="http://www.cert.org/current/">current security incident
activity</a></code>, and to publish <code><a
href="http://www.cert.org/incident_notes/">incident notes</a></code> and even
<code><a href="http://www.cert.org/advisories/">advisories</a></code>. For
more detailed information on how (and why) to report an incident, read
<code><a href="http://www.cert.org/tech_tips/incident_reporting.html">CERT's
Incident Reporting Guidelines</a></code>.
</p>

<p>
You can also use less formal mechanisms if you need help recovering from a
compromise or want to discuss incident information. These include the <code><a
href="http://marc.theaimsgroup.com/?l=incidents">incidents mailing
list</a></code> and the <code><a
href="http://marc.theaimsgroup.com/?l=intrusions">Intrusions mailing
list</a></code>.
</p>

<hr>

<h2><a name="s11.4"></a>11.4 Forensic analysis</h2>

<p>
If you wish to gather more information, the <code>tct</code> (The Coroner's
Toolkit from Dan Farmer and Wietse Venema) package contains utilities which
perform a <em>post mortem</em> analysis of a system. <code>tct</code> allows
the user to collect information about deleted files, running processes and
more. See the included documentation for more information. These same
utilities and some others can be found in <code><a
href="http://www.sleuthkit.org/">Sleuthkit and Autopsy</a></code> by Brian
Carrier; Autopsy provides a web front-end for forensic analysis of disk images.
In Debian you can find both <code>sleuthkit</code> (the tools) and
<code>autopsy</code> (the graphical front-end).
</p>

<p>
Remember that forensic analysis should always be done on the backup copy of
the data, <em>never</em> on the data itself, in case the data is altered during
analysis and the evidence is lost. When you do mount an image or a disk for
inspection, mount it read-only (and <code>noexec</code>, <code>nodev</code>);
note that a read-only mount of a journaled file system such as ext3 can still
replay the journal, which is one more reason to work from a copy. Re-check the
copy's hash against the one recorded when it was made before and after each
session.
</p>

<p>
You will find more information on forensic analysis in Dan Farmer's and Wietse
Venema's <code><a
href="http://www.porcupine.org/forensics/forensic-discovery/">Forensic
Discovery</a></code> book (available online), as well as in their <code><a
href="http://www.porcupine.org/forensics/column.html">Computer Forensics
Column</a></code> and their <code><a
href="http://www.porcupine.org/forensics/handouts.html">Computer Forensic
Analysis Class handouts</a></code>. Brian Carrier's newsletter <code><a
href="http://www.sleuthkit.org/informer/index.php">The Sleuth Kit
Informer</a></code> is also a very good resource on forensic analysis tips.
Finally, the <code><a href="http://www.honeynet.org/misc/chall.html">Honeynet
Challenges</a></code> are an excellent way to hone your forensic analysis
skills as they include real attacks against honeypot systems and provide
challenges that vary from forensic analysis of disks to firewall logs and
packet captures.
</p>

<p>
FIXME: This paragraph will hopefully provide more information about forensics
in a Debian system in the coming future.
</p>

<p>
FIXME: Talk on how to do a debsums on a stable system with the MD5sums on CD
and with the recovered file system restored on a separate partition.
</p>
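<p>
The check the FIXME above asks for, as an added example that is not part of
the manual: the MD5 lists dpkg keeps for each package
(<code>/var/lib/dpkg/info/&lt;package&gt;.md5sums</code>, one
<code>&lt;md5&gt;&nbsp;&nbsp;&lt;path relative to /&gt;</code> line per file)
are compared against a recovered file system mounted under a separate prefix,
which is what pointing <code>debsums</code> at that prefix does. The lists
must come from a trusted source (the installation CD or a clean host running
the same package versions), never from the compromised disk, since an intruder
who replaced a binary can just as easily rewrite its checksum. The function
names and the miniature "recovered root" in the demonstration are this
example's own.
</p>

```shell
#!/bin/sh
# Added example (not part of the Securing Debian Manual): verify a recovered
# file system, mounted under a prefix, against dpkg-style md5sums lists taken
# from a trusted source. Function names are this example's own choices.

# check_md5sums LISTFILE ROOT
# LISTFILE uses dpkg's md5sums format: "<md5>  <path relative to />" per line.
# Prints one line per finding: "MISMATCH path" or "MISSING path".
# Returns 0 when every listed file is present and matches, 1 otherwise.
check_md5sums() {
    list=$1
    root=$2
    status=0
    while read -r expected relpath; do
        [ -n "$expected" ] || continue          # skip blank lines
        file="$root/$relpath"
        if [ ! -f "$file" ]; then
            echo "MISSING $relpath"
            status=1
            continue
        fi
        actual=$(md5sum "$file" | cut -d' ' -f1)
        if [ "$actual" != "$expected" ]; then
            echo "MISMATCH $relpath"
            status=1
        fi
    done < "$list"
    return $status
}

# Constructed demonstration: a tiny "recovered root" with one intact file, one
# replaced file and one deleted file, checked against a list built from the
# known-good copies. Returns 0 when exactly the two real findings are reported.
demo_md5() {
    work=$(mktemp -d) || return 1
    good="$work/good"
    recovered="$work/recovered"
    mkdir -p "$good/bin" "$good/usr/sbin" "$recovered/bin" "$recovered/usr/sbin"
    printf '#!/bin/sh\necho login\n' > "$good/bin/login"
    printf '#!/bin/sh\necho sshd\n'  > "$good/usr/sbin/sshd"
    printf '#!/bin/sh\necho ls\n'    > "$good/bin/ls"
    # Build the reference list the way dpkg stores it (paths relative to /).
    (cd "$good" && md5sum bin/login usr/sbin/sshd bin/ls) > "$work/known.md5sums"
    cp "$good/bin/login" "$recovered/bin/login"                     # intact
    printf '#!/bin/sh\necho replaced sshd\n' > "$recovered/usr/sbin/sshd"  # altered
    # bin/ls is deliberately absent from the recovered tree.
    report=$(check_md5sums "$work/known.md5sums" "$recovered") && return 1
    echo "$report"
    rm -rf "$work"
    echo "$report" | grep -q '^MISMATCH usr/sbin/sshd$' || return 1
    echo "$report" | grep -q '^MISSING bin/ls$'         || return 1
    echo "$report" | grep -q 'bin/login'                && return 1
    return 0
}

demo_md5 || { echo "demo failed"; exit 1; }
```

<p>
Two limits to remember. The md5sums lists do not cover conffiles (the files
under <code>/etc</code> that dpkg lets the administrator edit), so a modified
<code>/etc/ld.so.preload</code> or <code>/etc/rc.local</code> will not show up
here and has to be reviewed by hand. And a clean result only says the
packaged files are unmodified; files the intruder added, and anything outside
the package database, need a separate search.
</p>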

<p>
FIXME: Add pointers to forensic analysis papers (like the Honeynet's reverse
challenge or <code><a href="http://staff.washington.edu/dittrich/">David
Dittrich's papers</a></code>).
</p>

<hr>

<h3><a name="s11.4.1"></a>11.4.1 Analysis of malware</h3>

<p>
Some other tools that can be used for forensic analysis provided in the Debian
distribution are:
</p>
<ul>
<li>
<p>
<code>strace</code>, which records the system calls a program makes (files
opened, sockets created, processes spawned).
</p>
</li>
<li>
<p>
<code>ltrace</code>, which records the shared-library calls a program makes.
</p>
</li>
</ul>

<p>
Any of these packages can be used to analyze rogue binaries (such as back
doors), in order to determine how they work and what they do to the system.
Some other common tools include <code>ldd</code> (in <code>libc6</code>),
<code>strings</code> and <code>objdump</code> (both in <code>binutils</code>).
Note that <code>strace</code> and <code>ltrace</code> <em>run</em> the binary,
and that <code>ldd</code> may do so too: it works by asking the dynamic loader
to resolve the binary's dependencies, which for a crafted executable can mean
executing its code (the <code>ldd</code> manual page warns against using it on
untrusted programs). For a first look use only tools that read the file
without executing it, such as <code>strings</code>, <code>objdump -p</code> or
<code>readelf</code>, and keep the dynamic tools for the sandbox described
below.
</p>

<p>
If you try to do forensic analysis with back doors or suspected binaries
retrieved from compromised systems, you should do so in a secure environment
(for example in a <code>bochs</code> or <code>xen</code> image or a
<code>chroot</code>'ed environment using a user with low privileges[<a
href="footnotes.en.html#f76" name="fr76">76</a>]). Otherwise your own system
can be back doored/rooted too! Keep the analysis machine off the network as
well, or the sample may phone home, and treat a <code>chroot</code> as the
weakest of these options: a sample that manages to gain root can break out of
it.
</p>
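<p>
A static first look that never executes the sample, as an added example that
is not part of the manual and is not one of the tools named above: it decodes
the ELF header with <code>od</code> to classify the file, and extracts
printable strings with <code>tr</code> and <code>grep</code> (the idea behind
<code>strings</code>) to match a short indicator list. Only coreutils and grep
are needed, so it also works from a minimal rescue shell. The function names,
the indicator patterns and the constructed sample (an ELF header followed by
some text, not a real program) are this example's own assumptions.
</p>

```shell
#!/bin/sh
# Added example (not from the Securing Debian Manual): static triage of a
# suspect binary using only coreutils and grep, so nothing in the sample is
# executed. Function names and indicator patterns are this example's own.

# byte FILE OFFSET: decimal value of the byte at OFFSET.
byte() {
    od -An -tu1 -j"$2" -N1 "$1" | tr -d ' \n'
}

# elf_header_info FILE
# Prints "class=ELF32|ELF64 data=LSB|MSB type=... machine=..." decoded from
# e_ident, e_type (offset 16) and e_machine (offset 18) of the ELF header.
# Prints "not-elf" or "truncated" and returns 1 when that is not possible.
elf_header_info() {
    f=$1
    magic=$(od -An -tx1 -N4 "$f" | tr -d ' \n')
    if [ "$magic" != "7f454c46" ]; then
        echo "not-elf"
        return 1
    fi
    if [ "$(wc -c < "$f" | tr -d ' ')" -lt 20 ]; then
        echo "truncated"
        return 1
    fi
    case $(byte "$f" 4) in
        1) class=ELF32 ;;
        2) class=ELF64 ;;
        *) class=unknown ;;
    esac
    # e_type and e_machine are 16-bit values in the file's own byte order.
    if [ "$(byte "$f" 5)" = "1" ]; then
        order=LSB
        etype=$(( $(byte "$f" 17) * 256 + $(byte "$f" 16) ))
        emach=$(( $(byte "$f" 19) * 256 + $(byte "$f" 18) ))
    else
        order=MSB
        etype=$(( $(byte "$f" 16) * 256 + $(byte "$f" 17) ))
        emach=$(( $(byte "$f" 18) * 256 + $(byte "$f" 19) ))
    fi
    case $etype in
        1) t=REL ;; 2) t=EXEC ;; 3) t=DYN ;; 4) t=CORE ;; *) t="type$etype" ;;
    esac
    case $emach in
        3) m=i386 ;; 40) m=ARM ;; 62) m=x86_64 ;; 183) m=AArch64 ;; *) m="machine$emach" ;;
    esac
    echo "class=$class data=$order type=$t machine=$m"
}

# printable_strings FILE [MINLEN]
# Runs of at least MINLEN (default 8) printable ASCII characters, the same
# idea as strings(1) but without a binutils dependency.
printable_strings() {
    LC_ALL=C tr -c '[:print:]' '\n' < "$1" | grep -E "^.{${2:-8},}$"
}

# suspicious_strings FILE
# printable_strings filtered through an indicator list (library preloading,
# raw shells and sockets, process tampering, persistence). Exit status is
# grep's: 0 when at least one indicator matched, 1 otherwise.
suspicious_strings() {
    printable_strings "$1" 6 | grep -E \
        'LD_PRELOAD|ld\.so\.preload|/bin/sh|/dev/tcp|execve|socket|ptrace|/proc/[0-9a-z]*/mem|crontab|rc\.local'
}

# make_sample FILE: constructed 64-bit little-endian ELF header (type DYN,
# machine x86_64) followed by a few tell-tale strings. Header plus text only;
# it is not a loadable object.
make_sample() {
    {
        printf '\177ELF\002\001\001\000\000\000\000\000\000\000\000\000'
        printf '\003\000\076\000'
        printf 'some text\000/etc/ld.so.preload\000LD_PRELOAD\000harmless\000'
    } > "$1"
}

# Demonstration: classify the sample and list the indicator hits.
demo_triage() {
    work=$(mktemp -d) || return 1
    make_sample "$work/suspect.so"
    info=$(elf_header_info "$work/suspect.so") || return 1
    hits=$(suspicious_strings "$work/suspect.so") || return 1
    echo "$info"
    echo "$hits"
    rm -rf "$work"
    [ "$info" = "class=ELF64 data=LSB type=DYN machine=x86_64" ]
}

demo_triage || { echo "demo failed"; exit 1; }
```

<p>
Strings are a starting point, not a verdict: packed or encrypted samples show
almost none, and a benign binary can legitimately mention <code>socket</code>
or <code>execve</code>. The value of the header decode is in catching the
mismatches (a "log file" that is an ELF executable, a 32-bit object on a
64-bit-only host, an ARM binary on an x86 server) before anything dynamic is
attempted in the sandbox.
</p>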

<p>
If you are interested in malware analysis then you should read the <code><a
href="http://www.porcupine.org/forensics/forensic-discovery/chapter6.html">Malware
Analysis Basics</a></code> chapter of Dan Farmer's and Wietse Venema's
forensics book.
</p>

<hr>

<p>
Securing Debian Manual
</p>

<address>
Version: 3.13, Sun, 08 Apr 2012 02:48:09 +0000<br>
<br>
Javier Fernández-Sanguino Peña <code><a href="mailto:jfs@debian.org">jfs@debian.org</a></code><br>
<a href="ch1.en.html#s-authors">Authors, Section 1.1</a><br>
<br>
</address>

<hr>

</body>

</html>