- 05-10-2007 #1 Just Joined! (Join Date: Feb 2007; Posts: 19)
What to do?
Dear All,
What do I need to do when I get back the maintenance from a vendor?
Before that, the server was maintained by the vendor, so he can access it remotely.
Besides closing his account and changing the root password, what should I do?
How can I prevent him from creating a "backdoor" to access the server?
Thanks
- 05-10-2007 #2
If you've already sent it to the vendor it is too late. If you want to be able to trust your system you're going to need to reinstall from scratch.
Next time:
- Use a HIDS like aide to capture information on binaries and config files while it is in a trusted state (aide's default configuration is pretty useful). Keep its database on separate media; do not leave it on the server itself. After you get the server back you'll run integrity tests.
- Save the output of ps -efww on a normal day. Keep it on separate media. You'll compare this afterwards.
- Save the output of netstat -atun on a normal day. Same deal as above.
- Save the output of iptables -nvL. Same deal as above.
- Run rkhunter afterwards.
The aide application will go a long way in catching anomalies. The other steps should be good sanity checks. Even after all this your box can't be 100% trusted until you reinstall from scratch. It all comes down to your level of comfort with the vendor and the importance of your data/services.
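The before/after comparison of ps -efww and netstat -atun output from the list above, as an added example that is not part of the original post. The file names (ps.txt, netstat.txt) and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Capture on a normal day and again after
# the server is handed back (file names are assumptions):
#   ps -efww > ps.txt ; netstat -atun > netstat.txt
LC_ALL=C; export LC_ALL   # identical collation for sort and comm

# Reduce `netstat -atun` output to "proto local-address" for listening TCP
# sockets and every UDP socket; established connections are ignored.
listeners() {
    awk '$1 ~ /^tcp/ && $6 == "LISTEN" { print $1, $4 }
         $1 ~ /^udp/                   { print $1, $4 }' "$1" | sort -u
}

# Reduce `ps -efww` output to "user command-line". PID, PPID, start time and
# CPU time change between runs, so they are dropped (CMD starts at column 8).
procs() {
    awk 'NR > 1 { out = $1; for (i = 8; i <= NF; i++) out = out " " $i; print out }' "$1" | sort -u
}

# new_entries <reducer> <baseline-file> <current-file>
# Prints entries present now that were absent from the baseline.
new_entries() {
    before=$(mktemp); after=$(mktemp)
    "$1" "$2" > "$before"
    "$1" "$3" > "$after"
    comm -13 "$before" "$after"
    rm -f "$before" "$after"
}

# Constructed sample lines (not real captures): one listener added since baseline.
demo() {
    d=$(mktemp -d)
    printf '%s\n' 'tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN' \
        'tcp 0 0 192.0.2.10:22 198.51.100.7:51514 ESTABLISHED' > "$d/base"
    { cat "$d/base"; echo 'tcp 0 0 0.0.0.0:2222 0.0.0.0:* LISTEN'; } > "$d/cur"
    new_entries listeners "$d/base" "$d/cur"
    rm -rf "$d"
}

# Usage: sh compare.sh <baseline-dir> <current-dir>   (no arguments: run the demo)
if [ "$#" -eq 2 ]; then
    echo "Listening sockets not in baseline:"
    new_entries listeners "$1/netstat.txt" "$2/netstat.txt"
    echo "Processes not in baseline:"
    new_entries procs "$1/ps.txt" "$2/ps.txt"
else
    demo
fi
```

The comparison is only as trustworthy as the ps and netstat binaries that produced the second capture, which is why the aide integrity check comes first in the list.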
- 05-11-2007 #3 Just Joined! (Join Date: Feb 2007; Posts: 19)
Thanks anomie,
I don't think I can reinstall from scratch.
I'll tell you what my problem is:
Before I joined the company, the server (jz or web server) was maintained by a vendor. There are two servers, one for the intranet and the other for internet access. But now the company is planning to take back all maintenance services and do them on its own.
I can't even shut down the server and reinstall from scratch, because there are a lot of web applications running and accessed by users all over the world.
What's more, they don't have a backup server for it.
Can you provide me some more advice for my problem?
Thanks.
- 05-11-2007 #4
I have to stick with what I said earlier. If you can't install from scratch, you don't have a trusted box. Your company needs to weigh those potential risks with availability requirements.
Going OT with your latest question...
Some other things your company needs to consider:
- A failover box (or at least a cold spare) so that if the primary fails you can re-establish service without having to wait for hardware repairs or replacements.
- A regular maintenance window -- a time when it is acceptable for you to make changes / patches.
- A testing environment. If you have a cold spare, it could do double-duty as a test box if you're on a tight budget.
- Regular backups! C'mon, they should know better.
Fact of life: hard drives fail, PSUs fail, RAM fails, [insert_component_here] can fail.
- 05-12-2007 #5 Just Joined! (Join Date: Feb 2007; Posts: 19)
I will soon set up a system for testing the web application.
I do not catch what you mean.
They are scheduling the backup system for the database, but all data is still saved on the server itself.
Do you mean another server with the same settings as the existing one?
Thanks for your reply.
- 05-12-2007 #6
Originally Posted by chusoon
Yes - same hardware, same OS/version, same packages/versions, etc. You can even sync user data (or other volatile data that should be in sync) nightly.
The idea is to minimize downtime when a component fails on your primary server.
- 05-19-2007 #7 Just Joined! (Join Date: Jun 2005; Location: iowa; Posts: 64)
trust
I cannot believe you don't trust your vendor... this is coming from a computer store owner a few years back!!!
All important info (data) should be done on a stand-alone system with a backup removable hard drive or tape drive and/or encrypted up to an off-site storage drive.
Pay the vendor ... trust the vendor. He is the pro!!!!



