[ILUG] Compromised by ssh...

Rory Browne rory.browne at gmail.com
Tue Oct 31 19:48:36 GMT 2006


Probably the easiest thing to do is re-install the OS, with a new copy
of everything outside of /home. Then mount /home with a few security-enhancing
options, including noexec and no-various-other-things-you-see-fit,
as required.

It might also be a good idea to mount it under /oldhome (or something
similar), create a new /home, and selectively copy stuff from /oldhome
as required.

On 10/31/06, Rick Moen <rick at linuxmafia.com> wrote:
>
> Quoting Conor Daly (conor.daly_ilug at cod.homelinux.org):
>
> > Grr.
> >
> > Due to a weak password on one of the kid's accounts and turning on
> > password authentication in ssh (see the thread on nxserver), our home
> > server got cracked.  As far as I can tell, the only thing compromised was
> > the particular account.
>
> You unfortunately are (almost certainly) in no position to know that.
> Backdoor mechanisms to permit the intruder re-entry are typically
> concealed in a number of places, redundantly.  People often find this
> out the hard way, by "expelling" the intruder multiple times, each time
> being puzzled to find him/her returning.
>
> > I'm rebuilding the server but I'm just wondering if I'll need to clean out
> > all the user accounts too.
>
> Er, you should sit down and consider what files can no longer be
> trusted, and which are merely data.  All executables and
> libraries (including those in ~/bin directories and such) , all system
> configuration files, and all user dotfiles are suspect and should be
> quarantined:  Use the present contents of /etc only for reference during
> your rebuild, and don't let users recycle their former dotfiles.  Change
> all shell passwords, enable libpam_cracklib to force use of meaningfully
> difficult passwords only, and don't let the users back in until they've
> been read the riot act about SSHing in from untrustworthy locations and
> using the same authentication tokens on multiple systems.
>
> More at:  http://www.cert.org/tech_tips/win-UNIX-system_compromise.html
>
> Read 'tips' articles like
> http://www.debian-administration.org/articles/455 attentively (they have
> some arguably good ideas) but sceptically, since security writings by
> most Unix geeks often gravitate towards gadgetry and excessive
> mechanism, without bothering to be clear on threat models.  Mix with
> writings by Marcus J. Ranum and Bruce Schneier, season to taste.
>
> --
> Cheers,             The genius of you Americans is that you never make
> Rick Moen           clear-cut stupid moves, only complicated stupid moves
> rick at linuxmafia.com that make us wonder at the possibility that there may be
>                     something to them that we are missing. --Gamel Abdel Nasser
> --
> Irish Linux Users' Group mailing list
> About this list : http://mail.linux.ie/mailman/listinfo/ilug
> Who we are : http://www.linux.ie/
> Where we are : http://www.linux.ie/map/
>
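The two pieces of advice in this exchange (Rory's: reinstall, mount the old data under /oldhome, build a fresh /home on a partition mounted with noexec and similar options, and copy selectively; Rick's: treat every executable, library, ~/bin content and dotfile as suspect and keep only plain data) can be turned into a small triage script. The code below is an added example written for this thread, not code from the post, its authors or the ILUG; the sample home tree, the /proc/mounts text and the /dev/sda3 device name are constructed placeholders, and the choice of nosuid and nodev as the "other options" is this example's assumption.

```python
# Added example for this thread (not code from the ILUG post or its authors):
# helpers for rebuilding /home after a compromise. Assumptions are flagged
# inline; device names and paths are placeholders.
import os
import stat
import tempfile

ELF_MAGIC = b"\x7fELF"
SHEBANG = b"#!"
# Mount options for the rebuilt /home: noexec from the post, nosuid/nodev are
# this example's pick for "other things you see fit".
REQUIRED_HOME_OPTS = frozenset({"noexec", "nosuid", "nodev"})
# Placeholder fstab entry; /dev/sda3 is an assumption, not from the post.
FSTAB_HOME_LINE = "/dev/sda3  /home  ext3  defaults,noexec,nosuid,nodev  0  2"
BIN_LIKE_DIRS = {"bin", "sbin", "lib", "lib64"}


def classify_file(rel_path, mode, head):
    """Return 'suspect' for anything that could carry a backdoor, else 'data'.

    Mirrors the quoted advice: executables, libraries, anything under a
    ~/bin-style directory and all dotfiles are quarantined, not recycled.
    """
    parts = rel_path.split("/")
    if any(p.startswith(".") for p in parts):          # .bashrc, .ssh/, .config/
        return "suspect"
    if any(p in BIN_LIKE_DIRS for p in parts[:-1]):    # ~/bin/, ~/lib/
        return "suspect"
    exec_bits = stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH | stat.S_ISUID | stat.S_ISGID
    if mode & exec_bits:
        return "suspect"
    if head.startswith(ELF_MAGIC) or head.startswith(SHEBANG):
        return "suspect"                                # binary/script lacking +x
    if parts[-1].endswith(".so") or ".so." in parts[-1]:
        return "suspect"                                # shared library
    return "data"


def triage_tree(root):
    """Walk an old home tree; return (data, suspect) as sorted relative paths."""
    data, suspect = [], []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):
                suspect.append(rel)                     # symlinks, sockets, devices
                continue
            with open(full, "rb") as fh:
                head = fh.read(4)
            bucket = suspect if classify_file(rel, st.st_mode, head) == "suspect" else data
            bucket.append(rel)
    return sorted(data), sorted(suspect)


def missing_mount_opts(proc_mounts_text, mountpoint, required=REQUIRED_HOME_OPTS):
    """Parse /proc/mounts-style text and return the required options that are
    not set on mountpoint (all of them if it is not mounted at all)."""
    for line in proc_mounts_text.splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[1] == mountpoint:
            return set(required) - set(fields[3].split(","))
    return set(required)


def build_sample_oldhome():
    """Construct a small fake /oldhome in a temp dir (constructed sample data)."""
    root = tempfile.mkdtemp(prefix="oldhome-")
    files = {
        "dad/thesis.txt": (b"chapter one", 0o644),
        "kid/notes.txt": (b"homework", 0o644),
        "kid/photos/cat.jpg": (b"\xff\xd8\xff\xe0", 0o644),
        "kid/.bashrc": (b"export PATH=~/bin:$PATH", 0o644),
        "kid/.ssh/authorized_keys": (b"ssh-rsa AAAA... not-the-kid", 0o600),
        "kid/bin/helper": (b"#!/bin/sh\necho hi", 0o755),
        "kid/game": (ELF_MAGIC + b"\x02\x01\x01", 0o644),  # ELF without +x
    }
    for rel, (content, mode) in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(content)
        os.chmod(path, mode)
    return root


# Constructed /proc/mounts sample: /home lacks noexec, /oldhome has everything.
SAMPLE_MOUNTS = """/dev/sda1 / ext3 rw,relatime,errors=remount-ro 0 0
/dev/sda3 /home ext3 rw,nosuid,nodev,relatime 0 0
/dev/sda4 /oldhome ext3 ro,noexec,nosuid,nodev,relatime 0 0
"""

if __name__ == "__main__":
    data, suspect = triage_tree(build_sample_oldhome())
    print("copy selectively:", data)
    print("quarantine:", suspect)
    print("/home is missing:", missing_mount_opts(SAMPLE_MOUNTS, "/home"))
```

"data" here only means the heuristic found nothing executable; it still has to be eyeballed before it goes into the new /home, and the quarantined list is what you keep for reference (the way Rick suggests using the old /etc). Run `missing_mount_opts` against the real `/proc/mounts` after the rebuild to confirm the new /home actually came up with the options in your fstab line; be aware that noexec on /home will also stop users' own scripts from running directly, which may or may not be what you want.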


