Rootkit infections: AARRGH!

Fred puissante at biz.puissante.com
Mon May 9 09:39:00 EDT 2005


On Mon, 2005-05-09 at 09:06 -0400, Brian wrote:
> Couple of things come to mind, not as resolutions, but as best practices...
> 
> 1, NEVER allow root access via SSH.  You should have to log in as a user, and
> then su - to root, or better yet set up a sudoers file.
> 
> 2, ONLY allow ssh connections from trusted IPs, not the whole world.
> 
> Those 2 things alone will cut your headache factor down by about 80%  

Good suggestions, though (2) would be difficult for me to implement
since I might want to connect from a hotspot or internet cafe
somewhere. 

Still, what I could probably do is implement a scheme where visiting a
particular webpage (and giving proper authentication) would enable that
IP address for ssh. Come to think of it, that's not such a bad idea
after all! That will also allow my users to ssh in from their
locations should they need to.

> If the box has a CDROM, I'd suggest mounting a CD with chkrootkit there, as
> well as copies of ls, lsof, top, (etc).  That way you have a nice read-only
> copy of things that can't be altered.  This makes it easier to remotely
> recover from (and/or detect) such an attack.

I like that idea too, but since these are dedicated servers hosted
elsewhere, I won't be able to do CDROM. However, I could put a cdrom ISO
image (or some other filesystem) on the system, chattr +i it, and simply
mount that by hand when I need to. Better yet, some sort of encrypted
filesystem. Hmmm...

Well, this generated some good ideas, but I could use more. Thanks.

-Fred
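
An added example for Brian's first two points and Fred's "enable my IP from a
web page" idea. This is editor-supplied code, not something posted in the
thread: it audits an sshd_config for root logins and a missing AllowUsers
list (and, one step past the thread, for password authentication), validates
an address before it is used in a firewall rule, and opens or closes tcp/22
for that one address. The helper names, the rule shape, the sample configs
and the iptables defaults are all assumptions; nothing here needs root when
IPT is set to "echo iptables".

```shell
#!/bin/sh
# Added example, not part of the thread. Helper names, sample configs and the
# firewall rule shape are assumptions made for illustration.

# Print the effective value of KEY in sshd_config FILE, lowercased.
# sshd takes the first occurrence of a keyword, and anything after a Match
# line is conditional, so only the global section is read.
sshd_setting() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ { next }
        NF == 0 { next }
        tolower($1) == "match" { exit }
        tolower($1) == key { $1 = ""; sub(/^ /, ""); print tolower($0); exit }
    ' "$1"
}

# Audit FILE against the advice in the thread. Prints one line per finding;
# returns 1 if anything is weak, 0 if the file passes.
audit_sshd_config() {
    rc=0
    v=$(sshd_setting "$1" PermitRootLogin)
    # OpenSSH 7.0 changed the default from "yes" to "prohibit-password"; the
    # daemons of this thread's era default to "yes", so an absent keyword is
    # treated as a finding too.
    [ "$v" = "no" ] || { echo "WEAK: PermitRootLogin is '${v:-unset}' (want no)"; rc=1; }
    v=$(sshd_setting "$1" AllowUsers)
    # AllowUsers limits who may log in at all; user@host patterns also let it
    # express Brian's "trusted IPs only" inside sshd itself.
    [ -n "$v" ] || { echo "WEAK: no AllowUsers list"; rc=1; }
    v=$(sshd_setting "$1" PasswordAuthentication)
    # One step past the thread: with keys only, a guessed password is not
    # enough to get a shell.
    [ "$v" = "no" ] || { echo "WEAK: PasswordAuthentication is '${v:-unset}' (want no, use keys)"; rc=1; }
    return $rc
}

# Validate a dotted-quad IPv4 address. Anything that reaches a firewall
# command from a web request (REMOTE_ADDR, or worse X-Forwarded-For) must
# pass this first, or the "enable my IP" page becomes a command injection.
valid_ipv4() {
    case $1 in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    n=0
    for octet in $(printf '%s' "$1" | tr '.' ' '); do
        n=$((n + 1))
        case $octet in
            0|[1-9]|[1-9][0-9]|[1-9][0-9][0-9]) [ "$octet" -le 255 ] || return 1 ;;
            *) return 1 ;;   # leading zero (octal ambiguity) or too long
        esac
    done
    [ "$n" -eq 4 ]
}

# Print the iptables arguments that admit (-I) or revoke (-D) SSH from IP.
ssh_rule_args() {
    valid_ipv4 "$1" || { echo "refusing to put '$1' in a firewall rule" >&2; return 2; }
    printf '%s INPUT -p tcp --dport 22 -s %s -j ACCEPT\n' "$2" "$1"
}

# Open SSH for IP; schedule revoke_ssh_from from cron or at(1) so the hole
# closes again. $IPT defaults to iptables; IPT="echo iptables" dry-runs.
allow_ssh_from()  { args=$(ssh_rule_args "$1" -I) || return $?; ${IPT:-iptables} $args; }
revoke_ssh_from() { args=$(ssh_rule_args "$1" -D) || return $?; ${IPT:-iptables} $args; }

# Constructed sample configs (not from any real host) for the demo.
sample_config() {
    case $1 in
        weak)     printf '%s\n' '# constructed sample' 'Port 22' \
                      'PermitRootLogin yes' 'PasswordAuthentication yes' ;;
        hardened) printf '%s\n' 'Port 22' 'PermitRootLogin no' \
                      'PasswordAuthentication no' 'AllowUsers fred admin@203.0.113.0/24' ;;
    esac
}

# Demo: audit both samples, then dry-run the firewall commands.
for kind in weak hardened; do
    f=$(mktemp) || exit 1
    sample_config "$kind" > "$f"
    echo "== $kind sample =="
    audit_sshd_config "$f" && echo "passes"
    rm -f "$f"
done
IPT="echo iptables" allow_ssh_from 203.0.113.5
IPT="echo iptables" allow_ssh_from '203.0.113.5; rm -rf /' || echo "rejected, as it should be"
```

Two cautions for the web-page scheme: the address you enable from a hotspot
is the cafe's NAT gateway, shared with everyone else there, so keep the window
short and revoke on a timer; and the page's own login becomes the gate to
ssh, so it needs HTTPS and authentication at least as strong as the ssh login
it is protecting.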
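
An added example for Brian's read-only toolkit and Fred's CD-less variant of
it. This is editor-supplied code, not from the thread: it snapshots known-good
copies of the binaries you would reach for during an incident (ls, ps, lsof,
netstat, sha256sum; chkrootkit can sit in the same tree) together with a hash
manifest, later re-hashes the live system against that manifest so a replaced
ls or ps shows up as CHANGED, and packs the tree into an ISO that is made
immutable and loop-mounted on demand. The function names, the manifest layout
and the demo's file list are assumptions; only the ISO step needs root.

```shell
#!/bin/sh
# Added example, not part of the thread. Function names, manifest layout and
# the demo's file list are assumptions made for illustration.

# SHA-256 of one file. Once the toolkit is mounted, run everything with
# PATH=/mnt/tools:$PATH so this picks up the trusted sha256sum, not the
# live one.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# build_toolkit DEST /path/to/bin...: copy each binary into DEST and record
# "<sha256>  <original path>" in DEST/MANIFEST. Do this while the box is still
# trusted, ideally straight after installation, and again after patching.
build_toolkit() {
    dest=$1; shift
    mkdir -p "$dest" || return 1
    : > "$dest/MANIFEST"
    for src in "$@"; do
        [ -f "$src" ] || { echo "no such file: $src" >&2; return 1; }
        cp -p "$src" "$dest/$(basename "$src")" || return 1
        printf '%s  %s\n' "$(hash_file "$dest/$(basename "$src")")" "$src" >> "$dest/MANIFEST"
    done
}

# verify_toolkit_manifest MANIFEST: re-hash every recorded path on the live
# system and print OK / CHANGED / MISSING per file. A CHANGED ls, ps, netstat
# or lsof is the classic user-land rootkit signature. Returns 0 only if every
# file still matches.
verify_toolkit_manifest() {
    rc=0
    while read -r want path; do
        [ -n "$path" ] || continue
        if [ ! -f "$path" ]; then
            echo "MISSING $path"; rc=1
        elif [ "$(hash_file "$path")" = "$want" ]; then
            echo "OK      $path"
        else
            echo "CHANGED $path"; rc=1
        fi
    done < "$1"
    return $rc
}

# pack_toolkit_iso DIR IMAGE: Fred's CD-less variant. Needs root and
# genisoimage or mkisofs; the demo below does not call it. Remember that
# chattr +i only stops a casual rm: an attacker who already has root can run
# chattr -i, and a kernel rootkit can lie about what is mounted, so this is a
# speed bump next to a real CD or an off-box copy, not a replacement.
pack_toolkit_iso() {
    mkiso=$(command -v genisoimage || command -v mkisofs) \
        || { echo "need genisoimage or mkisofs" >&2; return 1; }
    "$mkiso" -quiet -R -o "$2" "$1" || return 1
    chattr +i "$2" || return 1
    echo "later: mount -o loop,ro '$2' /mnt/tools && PATH=/mnt/tools:\$PATH verify_toolkit_manifest /mnt/tools/MANIFEST"
}

# Demo: snapshot two real binaries into a temporary toolkit and verify them.
demo=$(mktemp -d) || exit 1
build_toolkit "$demo/tools" "$(command -v sh)" "$(command -v ls)" \
    && verify_toolkit_manifest "$demo/tools/MANIFEST"
rm -rf "$demo"
```

Keep the manifest in the image too, so a trojaned live copy cannot rewrite
the expected hashes; and when you compare, compare from the mounted tools, not
from /bin, since the point of the exercise is that /bin may be lying.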





