Thanks from: Test with Chkrootkit

Scot L. Harris webid at cfl.rr.com
Mon Jul 26 12:44:39 UTC 2004


On Sun, 2004-07-25 at 23:21, Norman Nunn wrote:
> Scot, thanks to you and others on this.
> 
> I now think my system is actually clean.  The activity on this mail list
> on security issues in general has been a good learning experience and,
> as a result, I have added logsentry and portsentry to my system for
> protection and notifications.  I took the suggestion and set up the
> aliases to send root's messages to me.
> 
> I have also set up chkrootkit to run nightly and mail me the output.  My
> system has a Linksys router as a firewall, and the mail list traffic on
> that subject prompts me to reconsider implementing iptables.  The router
> "incoming log" shows a lot of attempts, and I "assume" from Portsentry
> input to the logs, that nothing unwanted gets through the router.  There
> is that word again.
> 
> I also used the mail list input on ClamAV, and gave it a try.  I am
> very careful about what I download but it identified a few potential
> viruses on unimportant files, not word or mail files.  I have removed
> them without any consequences, and plan to set up clamd as a protection
> notification from future viruses.  Freshclam is set up to refresh
> nightly, and I will consider running "clamscan -r -i" nightly and mail
> the output for root to me.
> 
> I may be going overboard.
> 
> Thanks again
> Norm

iptables is still a good idea.  If by some chance a way through the
Linksys is found, iptables can act as a second line of defense.  It also
gives you a single place to specify what ports are open on the system to
the network.  Particularly important if you have other systems on the
local LAN which could potentially be used as an attack vector.  In other
words, don't blindly trust everything on your LAN segment.

Of course, as has been pointed out, if you are cutting any ports through
your firewall your only protection at that point is good
passwords/authentication and patching any known exploits through that
service as quickly as possible.  The IDS stuff you are doing should let
you know if something odd is going on, hopefully before a hole is found.

You may have already implemented it but another IDS type package that
can be very useful is tripwire.  Once it is set up, changes to any files
being monitored by tripwire will be reported to you.

A little paranoia is good, a lot can be even better! :)
-- 
Scot L. Harris
webid at cfl.rr.com

Never play pool with anyone named "Fats". 
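A default-deny iptables ruleset along the lines Scot describes above (host firewall behind the router, one place that lists the open ports, no blanket trust of the LAN segment), as an added example that is not part of the original thread. The LAN range, admin workstation address and the open ports are constructed assumptions; the script prints the rules rather than applying them so they can be reviewed first.

```shell
#!/bin/sh
# Added example, not from the original mailing-list thread.
# Assumptions (constructed): the admin workstation is 192.168.1.10, SSH
# should be reachable only from it, and SMTP is open to everyone.  Each
# ALLOW entry is "port:source"; "any" means no source restriction.  This
# list is the single place where open TCP ports are specified.
ALLOW="22:192.168.1.10 25:any"

# Emit the rules on stdout instead of running them, so the ruleset can be
# read (or piped through sh as root) before it touches a live host.
gen_rules() {
    echo "iptables -F INPUT"
    # Default deny on INPUT and FORWARD: anything not listed is dropped,
    # whether it arrives via the router or from another host on the LAN.
    echo "iptables -P INPUT DROP"
    echo "iptables -P FORWARD DROP"
    echo "iptables -P OUTPUT ACCEPT"
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    for entry in $ALLOW; do
        port=${entry%%:*}
        src=${entry#*:}
        if [ "$src" = any ]; then
            echo "iptables -A INPUT -p tcp --dport $port -j ACCEPT"
        else
            echo "iptables -A INPUT -p tcp -s $src --dport $port -j ACCEPT"
        fi
    done
    # Rate-limited logging of whatever is about to be dropped, so probes
    # from the LAN show up in the logs alongside what the router reports.
    echo 'iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables drop: "'
}

# Number of TCP ports the ruleset opens (handy for a quick sanity check).
count_open_ports() {
    gen_rules | grep -c -- '--dport'
}

gen_rules
```

Apply with `gen_rules | sh` as root once the printed rules look right.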
