[rescue] SGI fw_sshd and security
mcguire at neurotica.com
Sun Mar 7 16:03:09 CST 2004
On Mar 7, 2004, at 2:45 PM, Jonathan C. Patschke wrote:
>> I hate to point this out, but generally speaking, someone needs to
>> already own the box to overwrite libwrap.so.
> I am, indeed, aware of that.
I'm sure you are...I didn't mean to sound like I thought you were
stupid or something. :)
> However, on some OSes, particularly IRIX, there have been a -lot- of
> kinda-sorta exploits that let you overwrite local files. On IRIX in
> particular, dylinking security libraries is a Bad Idea. You could
> theoretically overwrite libwrap.so with a trojaned one, and the would
> a lot harder to detect than fudging entries in /etc/hosts.allow.
Well in that case, something like tripwire would be your friend, but
then if the perp could arbitrarily write to root-owned, write-protected
files I suppose that'd be useless too.
At Digex, we had a really great scheme going. We did rdist verify
passes every night, from our proto machines which were as locked-down
as we could make them. Now, if you're familiar with rdist, you know
that in verify mode it sends each file down and then does a
byte-for-byte compare. That'd be a tremendously expensive operation to
perform on, say, six hundred SPARCstations. We made a nice little mod
to rdist in which the MD5 checksum is sent down to the target machine
and verified. I think that may have actually made it into the main
rdist source tree but I'm not sure. It was *cool*.
Dave McGuire "My tummy hurts now, but my soul
Cape Coral, FL feels a little better." -Ed
More information about the rescue