From: Klaus Steden
To: Dan Lukes, freebsd security (freebsd-security@freebsd.org)
Date: Mon, 14 Jan 2008 12:00:39 -0800
Subject: Re: Anti-Rootkit app
In-Reply-To: <478BB3DA.5070302@obluda.cz>

Hi Dan,

Good security is usually a comprehensive strategy, rather than hoping for a one-size-fits-all magic-bullet solution. Combine a coherent packet filter with strong passwords, a competent IDS, BSD securelevels, and a file system integrity checker, and you've got a pretty solid strategy for dealing with most of the bad things that show up on the Internet. This, of course, is all wasted if you leave your system unprotected physically, but I digress ...

A common strategy with anti-rootkit software is to keep a copy of your signatures elsewhere -- either on removable media, or a remote system; you can use secure hashes to verify the integrity of the local signatures against your known good copy to ensure that the list hasn't been tampered with, and then verify the important parts of your OS against said list.

A lot of computer intruders are dumb, and more importantly, lazy. Truly motivated and gifted crackers are a rarity, and if you get attacked by one of them, it can be difficult to deal with. However, good preventative security measures will keep the small fry and script kiddies at bay.

Just my two cents.
Klaus

On 1/14/08 11:11 AM, "Dan Lukes" did etch on stone tablets:

>>> I need to install an anti-rootkit
>
> If I understand correctly, an intruder needs to be superuser to be able
> to install a rootkit.
>
> If our intruders have superuser privileges, they can tamper with any
> anti-rootkit.
>
> Is the main reason to install an anti-rootkit that we count on the
> intruders being too dumb to look for one of the ports' anti-rootkit
> packages before they do their dirty work?
>
> Or am I missing something important?
>
> Dan
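The two-stage check Klaus describes (verify the local signature list against a known-good digest kept off the host, then verify the system files against that list), written out as an added example that is not from the thread or from any FreeBSD tool. It assumes constructed stand-in files in a temporary directory and a hypothetical off-host copy of the manifest digest; on a real host the digest would live on removable media or a remote system, and the file list would be the real binaries.

```python
import hashlib
import os
import tempfile

# Constructed stand-ins for the binaries a baseline would normally cover.
SAMPLE_FILES = {"bin/ls": b"ls-v1", "bin/ps": b"ps-v1", "sbin/sshd": b"sshd-v1"}

def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def file_digest(path: str) -> str:
    with open(path, "rb") as f:
        return digest(f.read())

def build_manifest(root: str, rel_paths) -> str:
    # Local signature list: one "digest  relative-path" line per file.
    return "".join(f"{file_digest(os.path.join(root, rel))}  {rel}\n"
                   for rel in sorted(rel_paths))

def verify(root: str, manifest: str, trusted_digest: str) -> dict:
    # Stage 1: the local manifest against the digest kept off-host; if it
    # fails, the entries cannot be trusted and stage 2 is not attempted.
    if digest(manifest.encode()) != trusted_digest:
        return {"manifest_ok": False, "changed": [], "missing": []}
    # Stage 2: every listed file against the now-trusted manifest.
    changed, missing = [], []
    for line in manifest.splitlines():
        expected, rel = line.split("  ", 1)
        path = os.path.join(root, rel)
        if not os.path.exists(path):
            missing.append(rel)
        elif file_digest(path) != expected:
            changed.append(rel)
    return {"manifest_ok": True, "changed": changed, "missing": missing}

def demo() -> dict:
    # Baseline a constructed tree, then simulate a swapped binary and a
    # locally re-baselined (forged) manifest to show what each stage reports.
    with tempfile.TemporaryDirectory() as root:
        for rel, data in SAMPLE_FILES.items():
            os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
            with open(os.path.join(root, rel), "wb") as f:
                f.write(data)
        manifest = build_manifest(root, SAMPLE_FILES)
        trusted = digest(manifest.encode())  # the copy kept off-host
        clean = verify(root, manifest, trusted)
        with open(os.path.join(root, "bin/ps"), "wb") as f:
            f.write(b"ps-trojaned")  # simulated replacement of ps
        swapped = verify(root, manifest, trusted)
        forged = verify(root, build_manifest(root, SAMPLE_FILES), trusted)
        return {"clean": clean, "swapped": swapped, "forged": forged}
```

The forged case is the point of keeping the digest elsewhere: an intruder with root can rewrite the local list to match the modified files, but cannot make it match the copy they cannot reach.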