> Something I found to be amazingly effective is to use some of
> thier tricks against them. I never knew of chattr until I had
> it used on me. Then I found it in a rootkit script. Doing a
> chattr +i on important binarys and files can be useful. (not
> logs though, the subject line has wandered)
So any script can chattr target binaries to wide open first, and then
attack/replace them. The only really non-alterable binary is one you've
burned onto a CDROM. If you don't modify a production system too often,
a couple of bucks per CD is not too major an expense. Mind you, loading
binaries from a 4-X CDROM is going to suck speedwise, compared to
loading from a fast harddrive.
A few questions...
1) Is there such an animal as a harddrive with an on-off write-protect
*HARDWARE* switch accessable from the outside (backplane) ? If so,
store /bin, /sbin, /etc (etc, etc) on it and writable directories on
2) Has anybody put together a FAQ or HOWTO demonstrating a CDROM-based
3) A variant on a 1) or 2) above might be to have...
- machine 1 (lets call it 192.168.0.2) is a standard system with NFS
or SMB shares. Heavily armour this sytem, and make sure it gives
only read access. It'll also remote-syslogd for its client(s)
- machine 2 (lets call it 192.168.0.3) boots off a floppy or CD or
direct network boot off 192.168.0.2. 192.168.0.3 has read-only
access to 192.168.0.2. The only data it sends to 192.168.0.2 is
syslog data. All writable local user files remain on 192.168.0.3,
and /bin, /sbin, etc, etc are remote mounts on 192.168.0.2. A 100
PCI nic should easily give good "harddrive" speeds.
- 192.168.0.3 uses a second nic to talk to the net. Or maybe the
machines are plugged into a switch/router that isolates the master
machine from the net.
Is it possible to squeeze a network-boot kernel into a 1.44 meg
floppy ? Have I just re-invented .NET for linux <g> ?
Procmail-based spam filters http://www.waltdnes.org/email
Read about the New Apartheid in Canada http://www.waltdnes.org/apartheid2001