Patch for bug 52878

(-)security.7 (-9 / +9 lines)
Lines 40-48 Link Here
40
(see
40
(see
41
.Xr chflags 1 )
41
.Xr chflags 1 )
42
on every system binary because while this may temporarily protect the
42
on every system binary because while this may temporarily protect the
43
binaries, it prevents a hacker who has broken in from making an
43
binaries, it prevents a cracker who has broken in from making an
44
easily detectable change that may result in your security mechanisms not
44
easily detectable change that may result in your security mechanisms not
45
detecting the hacker at all.
45
detecting the cracker at all.
46
.Pp
46
.Pp
47
System security also pertains to dealing with various forms of attack,
47
System security also pertains to dealing with various forms of attack,
48
including attacks that attempt to crash or otherwise make a system unusable
48
including attacks that attempt to crash or otherwise make a system unusable
Lines 103-112 Link Here
103
user's account.  If an attacker has found a way to break root on a machine,
103
user's account.  If an attacker has found a way to break root on a machine,
104
the attacker may not have a need to install a backdoor.
104
the attacker may not have a need to install a backdoor.
105
Many of the root holes found and closed to date involve a considerable amount
105
Many of the root holes found and closed to date involve a considerable amount
106
of work by the hacker to cleanup after himself, so most hackers do install
106
of work by the cracker to cleanup after himself, so most crackers do install
107
backdoors.  This gives you a convenient way to detect the hacker.  Making
107
backdoors.  This gives you a convenient way to detect the cracker.  Making
108
it impossible for a hacker to install a backdoor may actually be detrimental
108
it impossible for a cracker to install a backdoor may actually be detrimental
109
to your security because it will not close off the hole the hacker found to
109
to your security because it will not close off the hole the cracker found to
110
break in the first place.
110
break in the first place.
111
.Pp
111
.Pp
112
Security remedies should always be implemented with a multi-layered
112
Security remedies should always be implemented with a multi-layered
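Review bot: On lines 106-109 the replacement leaves this paragraph with two names for the same actor: the unchanged lines 103-104 say "attacker" while the changed lines now say "cracker". Using "attacker" on the changed lines would keep the paragraph consistent with its own opening sentences. Since line 106 is being touched anyway, "to cleanup after himself" should read "to clean up after himself" ("cleanup" is the noun form).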
Lines 378-384 Link Here
378
way to look for modified files is from another (often centralized)
378
way to look for modified files is from another (often centralized)
379
limited-access system.
379
limited-access system.
380
Writing your security scripts on the extra-secure limited-access system
380
Writing your security scripts on the extra-secure limited-access system
381
makes them mostly invisible to potential hackers, and this is important.
381
makes them mostly invisible to potential crackers, and this is important.
382
In order to take maximum advantage you generally have to give the
382
In order to take maximum advantage you generally have to give the
383
limited-access box significant access to the other machines in the business,
383
limited-access box significant access to the other machines in the business,
384
usually either by doing a read-only NFS export of the other machines to the
384
usually either by doing a read-only NFS export of the other machines to the
Lines 466-472 Link Here
466
thought.  Even more importantly, a security administrator should mix it up
466
thought.  Even more importantly, a security administrator should mix it up
467
a bit - if you use recommendations such as those given by this manual
467
a bit - if you use recommendations such as those given by this manual
468
page verbatim, you give away your methodologies to the prospective
468
page verbatim, you give away your methodologies to the prospective
469
hacker who also has access to this manual page.
469
cracker who also has access to this manual page.
470
.Sh SPECIAL SECTION ON D.O.S. ATTACKS
470
.Sh SPECIAL SECTION ON D.O.S. ATTACKS
471
This section covers Denial of Service attacks.  A DOS attack is typically
471
This section covers Denial of Service attacks.  A DOS attack is typically
472
a packet attack.  While there isn't much you can do about modern spoofed
472
a packet attack.  While there isn't much you can do about modern spoofed
Lines 633-639 Link Here
633
keys that give you access to the rest of the system, and you ssh to an
633
keys that give you access to the rest of the system, and you ssh to an
634
unsecure machine, your keys becomes exposed.  The actual keys themselves are
634
unsecure machine, your keys becomes exposed.  The actual keys themselves are
635
not exposed, but ssh installs a forwarding port for the duration of your
635
not exposed, but ssh installs a forwarding port for the duration of your
636
login and if a hacker has broken root on the unsecure machine he can utilize
636
login and if a cracker has broken root on the unsecure machine he can utilize
637
that port to use your keys to gain access to any other machine that your
637
that port to use your keys to gain access to any other machine that your
638
keys unlock.
638
keys unlock.
639
.Pp
639
.Pp
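Review bot: Line 634, two lines above the changed line 636, still reads "your keys becomes exposed" and is immediately followed by "The actual keys themselves are not exposed", so the paragraph contradicts itself as well as having an agreement error. As this paragraph is already being edited, consider rewording it so that it says what is actually exposed, namely use of the keys through the forwarding port described on line 635 for the duration of the login, and fix "becomes" to "become" if the sentence is kept.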
