On Tue, Jul 01, 2003 at 10:07:01AM +0800, Jason Lim wrote:
> > > As Russell Coker points out, the attacker probably got in through
-snipp-
> DOH... I just posted saying that in my previous email before reading his
> message! Bah... Russell gets credit for it ;-)

Not easy to say who said that first, as my previous mail took a day and a
half to get through the list.

> >
> > Mount /tmp with noexec
> > Run a hardened kernel like NSA or Grsecurity.
> > etc.
> >
> > What would the advantage of mounting /tmp with noexec be??

An attacker can't upload his ptrace or whatever exploit to tmp and execute
it. A recent automated attack against Apache (1.3 something) failed because
I have /tmp mounted noexec.

Another cool, and hopefully effective, restraining of apache and others
that I implemented in iptables yesterday:

    # This stops apache from connecting to anything else than imap2
    # (owner match only works in the OUTPUT chain; www-data is the Apache uid)
    $IPTABLES -P OUTPUT ACCEPT
    $IPTABLES -A OUTPUT -p tcp --dport 143 -d localhost \
        -m owner --uid-owner www-data -m state \
        --state NEW -j ACCEPT
    # everything else NEW from www-data is refused; established
    # connections (the client's own HTTP sessions) are unaffected
    $IPTABLES -A OUTPUT -m owner --uid-owner www-data -m state \
        --state NEW -j REJECT

This requires a custom kernel with ipt_owner as module or static.

>
> Definitely looking into running a hardened kernel now... especially after
> all this crap. Only thing that's been holding me back is the amount of
> work it would entail.....

I run Grsecurity for /proc restrictions, safer chroot, and protection
against kernel exploits like the ptrace bug. That didn't take too long to
get running.

Disclaimer: I have not tested any of this in production, as I am a student.

-- 
Frode Haugsgjerd
Norway
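The two hardening measures in the mail above (a per-uid egress allow-list for the web server, and /tmp mounted noexec) generalised into a small POSIX sh script. This is an added example, not code from the original mail or from Debian; the function names, the LOG rule before the REJECT, the DRY_RUN switch and the two mount tables are my own assumptions and constructed data, and applying the rules for real still needs root, iptables with ipt_owner (and ipt_LOG for the log line), and an OUTPUT policy of ACCEPT as in the mail.

```shell
#!/bin/sh
# Added example (not from the original mail). Assumptions: the web server
# runs as "www-data", the OUTPUT chain policy is ACCEPT, and the kernel has
# ipt_owner and ipt_LOG. With DRY_RUN=1 (the default) the iptables commands
# are printed instead of executed, so the rule set can be reviewed on any
# host; set DRY_RUN=0 as root to apply them.

IPTABLES="${IPTABLES:-iptables}"
DRY_RUN="${DRY_RUN:-1}"

# run CMD ARGS...: print the command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# egress_allowlist UID "DST:PORT DST:PORT ...": allow NEW TCP connections
# from UID only to the listed destinations, log anything else NEW from that
# uid (so an attempted outbound connection shows up in syslog), then reject
# it. ESTABLISHED traffic, i.e. the server answering its own clients, never
# matches "--state NEW" and is unaffected.
egress_allowlist() {
    uid="$1"; allowed="$2"
    for pair in $allowed; do
        dst="${pair%:*}"; port="${pair##*:}"
        run "$IPTABLES" -A OUTPUT -p tcp -d "$dst" --dport "$port" \
            -m owner --uid-owner "$uid" -m state --state NEW -j ACCEPT
    done
    run "$IPTABLES" -A OUTPUT -m owner --uid-owner "$uid" \
        -m state --state NEW -j LOG --log-prefix "www-egress-reject: "
    run "$IPTABLES" -A OUTPUT -m owner --uid-owner "$uid" \
        -m state --state NEW -j REJECT
}

# tmp_is_noexec "MOUNT_OUTPUT": exit 0 if the /tmp line of `mount` output
# carries the noexec option, 1 otherwise. Pass "$(mount)" on a live host.
tmp_is_noexec() {
    found=1
    while read -r _dev _on mnt _type _fs opts; do
        [ "$mnt" = /tmp ] || continue
        opts=${opts#\(}; opts=${opts%\)}
        case ",$opts," in
            *,noexec,*) found=0 ;;
        esac
    done <<EOF
$1
EOF
    return $found
}

# Constructed sample mount tables (not captured from a real system).
SAMPLE_MOUNTS_OK='/dev/sda1 on / type ext3 (rw)
/dev/sda3 on /tmp type ext3 (rw,noexec,nosuid,nodev)
proc on /proc type proc (rw)'

SAMPLE_MOUNTS_BAD='/dev/sda1 on / type ext3 (rw)
/dev/sda3 on /tmp type ext3 (rw)
proc on /proc type proc (rw)'

# Demo: the mail's rule set (Apache may only reach the local imap2 port),
# and the noexec check against the constructed tables.
egress_allowlist www-data "127.0.0.1:143"
if tmp_is_noexec "$SAMPLE_MOUNTS_OK"; then
    echo "sample 1: /tmp is noexec"
fi
if ! tmp_is_noexec "$SAMPLE_MOUNTS_BAD"; then
    echo "sample 2: /tmp is NOT noexec"
fi
```

Run it as-is to see the three rules that would be installed; `DRY_RUN=0 sh script.sh` applies them. The LOG rule is the part worth keeping even if you already have the REJECT: a line prefixed `www-egress-reject:` in the kernel log is a cheap indicator that something running as www-data tried to phone out.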