“Backdoors are by far one of the worst nightmares of many
system and network administrators. We all know our networks and
hosts will at some point be penetrated, and if we’ve done our job
right we should be able to detect that penetration. However, one
problem always rears its ugly head: do we format the drive,
reinstall from trusted media, then patch the system, configure it,
and restore data from backups; or do we just try to patch the
system up and remove any surprises the attacker may have left? In
some cases it is clear cut: for a user’s workstation with most data
stored centrally, rebuilding the system is far faster than trying
to fix it. On the other hand what if you have a production email
server handling incoming email for 10,000 people and no backup
machine to switch to?”
“Like any security problem, it’s best to understand it
completely, which means learning how an attacker can place
backdoors on a system. Working from this point it’s relatively
simple to devise defenses. Because of the complexity in most UNIX
systems (network daemons, hundreds of installed programs, etc.)
there are many methods and places to squirrel away backdoors.
Basically the attacker needs to have some form of network access to
the machine, i.e. a telnet account or the ability to send ICMP
packets, and compromised software on the machine, i.e. a setuid
shell hidden in their home directory, or a trojaned login
binary…”
“In UNIX… there are hundreds of hiding places to put your
backdoors and trojans in. The best way to defend against them is to
reduce the complexity of the system. For example each server
should have one primary function, i.e. DNS, SMTP, POP, WWW, and so
on. Remove any unneeded software, especially anything that uses
setuid or setgid binaries. If possible disable things such as
kernel modules, and compile a static kernel. The chance to save 50k
of memory by having the tape drive support compiled in as a module
generally isn’t worth the bother. Use multiple layers of security,
for example have a firewall that blocks all outgoing packets except
for certain kinds, and possibly logs all the packets during off
hours. This way if an attacker installs software that “dials” home
(for example by sending out an xterm) the firewall might block it,
or at least log it. Install and use software like Tripwire
properly; have a set of valid checksums on trusted removable media.
Make sure you have emergency boot media for your system, and
preferably a set of recovery tools to go with it.”
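The quoted passages describe two things an administrator can check for directly: the hidden setuid shell or trojaned login binary the attacker leaves behind, and the Tripwire-style checksum baseline that catches such changes. The script below is an added example written for this page; it is not code from the quoted text, from Tripwire, or from any other project. It is a minimal stand-in for the idea, in POSIX shell: record a "hash mode path" line for every regular file under a directory, later rebuild the snapshot and report what was added, modified or removed, and separately list every setuid or setgid file so a hidden setuid shell shows up even where no baseline was ever taken. The function names and the baseline file format are assumptions made for this illustration, not Tripwire's own.

```shell
#!/bin/sh
# Added example, not part of the quoted text: a minimal Tripwire-style
# integrity baseline plus a setuid/setgid inventory in POSIX shell.
# The baseline format ("hash mode path" per line) and the function names
# are assumptions made for this illustration, not Tripwire's own.

set -u

# SHA-256 of one file: coreutils sha256sum on Linux, shasum on BSD/macOS.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Permission string (e.g. -rwsr-xr-x), so a setuid bit newly set on an
# otherwise unchanged binary is still flagged.
mode_of() {
    ls -ld "$1" | cut -d' ' -f1
}

# baseline_create ROOT OUT
# Record "hash mode path" for every regular file under ROOT (one
# filesystem only). Copy OUT to read-only or removable media afterwards:
# a baseline the intruder can rewrite along with the binaries is useless.
baseline_create() {
    find "$1" -xdev -type f | LC_ALL=C sort | while IFS= read -r f; do
        printf '%s %s %s\n' "$(hash_file "$f")" "$(mode_of "$f")" "$f"
    done > "$2"
}

# baseline_verify ROOT BASELINE
# Rebuild the snapshot and print ADDED / MODIFIED / REMOVED lines.
# Returns 0 when the tree matches the baseline, 1 otherwise.
baseline_verify() {
    cur=$(mktemp)
    baseline_create "$1" "$cur"
    awk '
        # The path is everything after the first two fields (it may contain spaces).
        function rest(line) { return substr(line, length($1) + length($2) + 3) }
        FILENAME == ARGV[1] { old[rest($0)] = $1 " " $2; next }
        {
            p = rest($0)
            if (!(p in old)) { print "ADDED " p; n++ }
            else {
                if (old[p] != $1 " " $2) { print "MODIFIED " p; n++ }
                delete old[p]
            }
        }
        END { for (p in old) { print "REMOVED " p; n++ }; exit (n > 0 ? 1 : 0) }
    ' "$2" "$cur"
    rc=$?
    rm -f "$cur"
    return "$rc"
}

# find_setids ROOT
# Every setuid or setgid regular file under ROOT; a hidden setuid shell
# in a home directory shows up here even if no baseline was ever taken.
find_setids() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) | LC_ALL=C sort
}

# Command-line use: create ROOT OUT | verify ROOT BASELINE | setids ROOT
case "${1:-}" in
    create) baseline_create "$2" "$3" ;;
    verify) baseline_verify "$2" "$3" ;;
    setids) find_setids "$2" ;;
esac
```

Run `create /usr/bin /mnt/cdrom/baseline.txt` from a known-good install, then `verify /usr/bin /mnt/cdrom/baseline.txt` from emergency boot media so that neither the checksum tool nor the baseline comes from the possibly compromised disk; `setids /home` lists anything setuid or setgid that a user should not own. The mode string is recorded alongside the hash because a trojaned binary is not the only thing to catch: an unchanged copy of `/bin/sh` that has merely gained the setuid bit is just as much a backdoor.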