What group is this? Throwing the combo of Solaris and 2k together makes me think something to do with IT. =)

Personally, techrepublic.com is pretty cool. They have some cool articles every once in a while. I did some NT stuff a few months back and did a presentation to WNUG... backing up ACLs, ERDs, DHCP databases, etc. etc. The nixen part of it was writing to a smb share on a linux box. =)

As for security at ASU, heh. They're testing the ASURITE/kerberos stuff with W2k. The goal is to get everything to authenticate in the krb domain. I think the problem they're running into is having w2k clients authenticate against the current nixen krb servers, or it's the other way around. krb is the way to go at asu though, that's for sure. On the nixen machines, don't bother with AFS though... they're going to stop using that in a few years, moving to DFS (not MS DFS), so I've heard.

**HANS: We need to get that tour scheduled. =)**

As for automation and s/w comparison for windows machines, you should be able to get SMS through IT for your group. Make sure you get 1.2 and not 2.0 (unless you don't want to support Macs). We used this for package distro stuff to the windows machines (only nt4 right now), and it worked pretty well... now we just use ghost or LabExpert (LE is *very* cool... one of the coolest damn things I've seen). Registry hacks are still your best friend to make sure each system does things the same (e.g., coordinating a/v updates and upgrades).

I'll be starting on a nixen s/w comparison deal here in the next few days, hopefully. We essentially run a mirror of redhat, and have all the RPMs local on an NFS export to, well, the world. The problem is that with god-only-knows how many linux boxes in the dept., we have a hard time making sure things are up to date on all of the boxes we administer. The goal is to tie it into bb (we love bb) to get the list of machines to update, and so on. Central administration rocks.
-----Original Message-----
From: plug-discuss-admin@lists.PLUG.phoenix.az.us [mailto:plug-discuss-admin@lists.PLUG.phoenix.az.us] On Behalf Of Kevin Brown
Sent: Tuesday, September 26, 2000 12:54 AM
To: plug-discuss@lists.PLUG.phoenix.az.us
Subject: Re: user tracking

Hmm, I start a job in the CC next Monday doing sysadmin work for a small group of people at ASU. My job is basically to take over that part of their work so they can devote their time to a program they are writing. Looks like I will be handling Solaris, BSD, linux, NT and 2000.

Security is an issue that I will be facing and it's not something I've spent much time worrying about. My systems are behind a cisco router 675 (not that it's very secure, but it does have a changing external ip). Haven't done much even when the router was in bridging mode (configured ipchains to only allow forwarding from the internal network if the destination was not on the internal network and to ignore any external requests that weren't initiated internally). Kinda simplistic, but the box was there just to do masquerading for my 9 other systems in the house (NT, Win98, Linux, 2000 server, etc...).

Without doing an 'rm -rf *' or 'format c:', what are some good sites or utils for aiding in tightening the hatches on a system (i.e. how-to's, or sites similar to http://www.securityfocus.com)?

Also I will be working on automation of the NT systems to make sure they are all running the same software; anyone have any experience with this or have pointers for how? I vaguely recall something for the win95 resource kit doing this, damn wish I hadn't gotten rid of it.

> We were going to implement a tool at work to monitor 20-30 various nixen boxes (DEC, Linux, BSDs [we need more of these]) using some csh scripting, ssh, and rsync, and tie it into our bb stuff.
>
> I was reading something and came across this link which does almost the same task that we want, except with perl.
> http://perl.oreilly.com/news/sysadmin_0800.html
>
> The proggies you mentioned below were on the top of our list to monitor. We've got boxes (tier 3... we're not the admins) that get broken into fairly often (ASU is a favored target for douche bags, I mean script kiddies). Usually it's one break-in and we're the admin or they don't get their ether cable back. E.g., last week, a tier-3 system was compromised and flooded an entire subnet, spiked the router to 100% for a few hours, and pissed off two TSAs.
>
> -----Original Message-----
> From: plug-discuss-admin@lists.PLUG.phoenix.az.us [mailto:plug-discuss-admin@lists.PLUG.phoenix.az.us] On Behalf Of plug@arcticmail.com
> Sent: Monday, September 25, 2000 10:59 PM
> To: plug-discuss@lists.PLUG.phoenix.az.us
> Subject: Re: user tracking
>
> There are also other items in a standard rootkit.
>
> You could spend time checking ls, ps, top, sum, yada yada yada, against your pristine versions on read-only installation media (after booting into single-user mode on pristine read-only trusted media (and ONLY running binaries from said media)), but IMHO your best bet after a breach/rootkit incident is to take off and nuke the site from orbit. It's the only way to be sure.
>
> I'm sure there's a HOWTO on cleaning up your system after a rootkit "upgrade." Check Google.
>
> D
>
> * On Mon, Sep 25, 2000 at 01:23:37PM -0700, Don Harrop wrote:
> > Thanks for the responses. I never knew about the command "last". Very cool. I've already found out most of what I needed. It was some guy over in Russia. Those punks! :-) He left some cool utilz on the hard drive for me though. A login replacement that logs all usernames and passwords and an in.ftpd replacement. That's how he got in in the first place. I was running wu-ftpd 2.5.x... I already know there's tons of documented exploits with that version. I've just upgraded to wu-ftpd 2.6 so that should slow 'em down a little bit.
> >
> > Don
> >
> > On 26 Sep 2000, Bill Warner wrote:
> >
> > > This information is located in the /etc/shadow file. It is referenced in the standard unix time thing (seconds since jan 1 1970); check man shadow for more details.
> > >
> > > Bill Warner
> > >
> > > > Hey guys.
> > > > At login I get a printout of when the last login occurred. Where is that info stored? I want to check out a user on the system but don't want to log in as them. One of the machines I work with had the root account compromised. It's just running a few mushes so it's not that big of deal but I don't want it happening again. I went through it with a fine tooth comb and wouldn't mind it if any of you guys tried to whack at it... Lemme know what you find. The IP is 205.216.140.17
> > > >
> > > > Don
>
> ________________________________________________
> See http://PLUG.phoenix.az.us/navigator-mail.shtml if your mail doesn't post to the list quickly and you use Netscape to write mail.
>
> Plug-discuss mailing list - Plug-discuss@lists.PLUG.phoenix.az.us
> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
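The integrity check plug@arcticmail.com describes above (comparing ls, ps, top and friends against pristine copies) is usually scripted as a checksum manifest. This is an added example, not code from any poster on the thread; it assumes GNU coreutils sha256sum is available, that the manifest is recorded on a known-good system, and that the verify step is run from a trusted boot with the script and tools read from read-only media.

```sh
#!/bin/sh
# Added example: record a baseline of system-binary checksums, then verify
# the live files against it. A rootkit on the running system can lie to a
# check that runs on top of it, so verify from a trusted boot with the
# tools on read-only media, as the thread recommends.

# make_baseline MANIFEST FILE... : one "sha256  path" line per file.
make_baseline() {
    manifest=$1; shift
    : > "$manifest"
    for f in "$@"; do
        sha256sum "$f" >> "$manifest" || return 1
    done
}

# verify_baseline MANIFEST : re-hash every recorded path and compare.
# Prints "CHANGED path" or "MISSING path"; returns 0 only if all match.
# (This simple reader does not handle paths containing whitespace.)
verify_baseline() {
    manifest=$1
    status=0
    while read -r want path; do
        if [ ! -f "$path" ]; then
            echo "MISSING $path"; status=1; continue
        fi
        have=$(sha256sum "$path" | cut -d' ' -f1)
        if [ "$have" != "$want" ]; then
            echo "CHANGED $path"; status=1
        fi
    done < "$manifest"
    return "$status"
}

# Demo on constructed stand-ins for /bin/ls and /bin/ps (not real binaries).
demo() {
    d=$(mktemp -d) || return 1
    printf 'pristine ls\n' > "$d/ls"
    printf 'pristine ps\n' > "$d/ps"
    make_baseline "$d/manifest" "$d/ls" "$d/ps"
    verify_baseline "$d/manifest" && echo "clean: all files match baseline"
    printf 'replaced ps\n' > "$d/ps"     # simulate a tampered binary
    verify_baseline "$d/manifest" || echo "ALERT: baseline mismatch"
    rm -rf "$d"
}
demo
```

On a real host the baseline would list the actual binaries (e.g. /bin/ls /bin/ps /usr/bin/top) and the manifest would live off-box or on read-only media so it cannot be edited along with the binaries.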