[CentOS] Unknown rootkit causes compromised servers

Tue Jan 29 19:19:08 UTC 2008
Stephen John Smoogen <smooge at gmail.com>

On Jan 28, 2008 9:19 PM, Michael A. Peters <mpeters at mac.com> wrote:
> Frank Cox wrote:
> > On Mon, 28 Jan 2008 22:36:03 -0500
> > Jim Perrin <jperrin at gmail.com> wrote:
> >
> >> And above all, because I know many admins slack on this, and I'm
> >> guilty of it as well if it's not forced... ROTATE your passwords
> >> periodically
> >
> > I have never understood this.  If I have a good, strong password that nobody
> > knows, how is changing it to another one an improvement over what I already
> > have?
> >
>
> I agree with you.
>
> A company I worked for required rotation of passwords and strong
> passwords. We fired one of the sysadmins because he had a problem coming
> in to work late.
>
> Take a wild guess at what we found taped to the bottom of his keyboard.
> Requiring password rotation increases the occurrences of that issue.
>

I am sorry, but that is a logical fallacy if I have ever seen one. I have
seen lots of people who come in on time and stay late who have
passwords taped to the bottom of their keyboards... and they never had
to change their passwords. And I know lots of people who do not do
this who have to change their passwords every 90 days.

Rotating passwords comes from the following theories:

1) As in cryptography, you must assume that the attacker knows
everything you know and probably something more.
2) You do not know where the attacker is.

Thus for a networked system or a system with multiple users, you must
assume that within a certain amount of time, your hashes have been
seen. Then you multiply it by the amount of time it would take to
'crack' that hash with precomputed hash tables and/or multi-system
hacks. With the price of a cluster of 10,000 botted computers being
pretty low... you can assume that multi-system hacks are possible. Then
you look at the value of your data. From that you can come up with how
long before your password needs to be rotated.

Using 2-3 factor authentication lowers this risk, and using one-time
passwords also does. However, the cost of doing so in training,
materials, etc. may be more than what you wish to look for.

> Rotating passwords IMHO should only be done when there is a possibility
> that the shadow file has been compromised or an employee with root
> access is dismissed on bad terms.
>
> A better thing to do is disable remote root login, be extremely careful
> with sudo (it should not be allowed to spawn a shell for any user), and
> log to a log server rather than local filesystem.
>
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> http://lists.centos.org/mailman/listinfo/centos
>



-- 
Stephen J Smoogen. -- CSIRT/Linux System Administrator
How far that little candle throws his beams! So shines a good deed
in a naughty world. = Shakespeare. "The Merchant of Venice"
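The rotation argument in the message above (assume the hashes are seen within some window, add the time an attacker needs to crack them, weigh that against the value of the data) can be turned into a small model. The following is an added example, not code from the original thread or from the CentOS project; the guess rates, exposure window and safety factor are assumed illustrative inputs, not measurements, and the function names are hypothetical.

```python
"""Rotation-interval model: how long a password may live before an
attacker who captured its hash is expected to have recovered it.

All rates and windows below are ASSUMED inputs chosen for illustration.
"""
import math

# Assumed brute-force throughput per host, in guesses per second.
# These are placeholder orders of magnitude, not benchmark results.
ASSUMED_GUESS_RATES = {
    "fast_unsalted_hash": 1e9,   # assumed: e.g. a raw, unsalted hash
    "iterated_salted_hash": 1e4, # assumed: e.g. an iterated crypt(3) scheme
}

SECONDS_PER_DAY = 86400


def entropy_bits(charset_size: int, length: int) -> float:
    """Bits of entropy for a uniformly random password of `length`
    characters drawn from an alphabet of `charset_size` symbols."""
    return length * math.log2(charset_size)


def expected_crack_seconds(bits: float, guesses_per_second: float,
                           hosts: int = 1) -> float:
    """Expected time to brute-force a password of `bits` entropy.

    On average the attacker searches half the space; throughput scales
    linearly with the number of cooperating hosts (the 'cluster of
    botted computers' in the message)."""
    return (2.0 ** bits) / 2.0 / (guesses_per_second * hosts)


def max_rotation_seconds(exposure_seconds: float, crack_seconds: float,
                         safety_factor: float) -> float:
    """Longest acceptable password lifetime.

    Assume the hash has been seen after `exposure_seconds`; the attacker
    then needs `crack_seconds` more. Dividing by `safety_factor` (> 1)
    expresses how valuable the data is: the more it is worth, the more
    margin you want before the expected recovery time."""
    return (exposure_seconds + crack_seconds) / safety_factor


def policy_is_adequate(policy_days: float, exposure_days: float,
                       bits: float, hash_kind: str, hosts: int,
                       safety_factor: float = 2.0) -> bool:
    """True if rotating every `policy_days` keeps the password's lifetime
    under the modelled recovery deadline."""
    rate = ASSUMED_GUESS_RATES[hash_kind]
    crack = expected_crack_seconds(bits, rate, hosts)
    limit = max_rotation_seconds(exposure_days * SECONDS_PER_DAY,
                                 crack, safety_factor)
    return policy_days * SECONDS_PER_DAY <= limit


if __name__ == "__main__":
    # Constructed scenarios: an 8-character alphanumeric password versus a
    # 14-character one, cracked by one host or by a 10,000-host cluster.
    for length in (8, 14):
        bits = entropy_bits(62, length)
        for hash_kind in ASSUMED_GUESS_RATES:
            for hosts in (1, 10_000):
                crack_days = expected_crack_seconds(
                    bits, ASSUMED_GUESS_RATES[hash_kind], hosts) / SECONDS_PER_DAY
                ok = policy_is_adequate(90, 30, bits, hash_kind, hosts)
                print(f"len={length:2d} bits={bits:5.1f} {hash_kind:22s} "
                      f"hosts={hosts:6d} crack={crack_days:12.1f} days "
                      f"90-day policy ok={ok}")
```

The point the model makes visible is that the hash scheme and the password's entropy dominate the answer: under these assumed rates a short password on a fast unsalted hash is recovered long before any realistic rotation interval, while a long password on an iterated salted hash is not, so rotation mostly buys time in the middle cases.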