This is a discussion on PID=0 and other newbie questions within the Linux Security forums, part of the System Security and Security Related category.
Hi,

I am a newbie Linux user trying to run a pet server to learn more about the system, do some Perl, etc. I read that when a system has been hacked, the villain appears under root, PID of ZERO. My questions: Is PID 0 even legal? Is this a good way to know that some bad dude is rooting my system? Any other ways? In theory, it should be easy to do a Perl daemon that checks for PID of zero every minute or so and shuts down when it does register the process ID. Is this reasonable? Is anyone doing that?

----------------------------------------------------

Next, IPTABLES. Should I allow the broadcast address of 255.255.255.255? It fails every time the devices on my home net try to talk, but everything still works. I run a pretty tight script, and I would not want to punch any unnecessary holes, especially if the network seems to get by. What do you think about allowing the broadcast address? Good? Bad?

----------------------------------------------------

An unrelated question, but still about Linux (since I am here anyway): How do you guys clean your logs in /var/logs? I hacked together a script that cleans logs after they reach a certain size, but I thought there would be a more elegant way that comes with the OS itself.

Thanks.

-- 
Digitizer
New York City
In article <EIGic.16147$nN1.13747@fe10.usenetserver.com> (Sat, 24 Apr 2004 23:59:41 -0400), Andrei wrote:
> root, PID of ZERO.

root is UID=0.

> Is PID 0 even legal?

No. init has PID=1. You've confused UID and PID, and you haven't mentioned PPID or PGID.
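The reply above makes the point that "root" is UID 0 and that PID 0 never shows up as a process of its own (it is only the PPID of init and of kernel threads). The script below is an added example, not code from the thread or from any of the posters: it parses the `/proc/<pid>/status` format Linux uses, lists processes whose effective UID is 0 (which is what "running as root" actually means), and shows where the "0" really appears. The sample status entries are constructed for illustration; `scan_live_proc()` reads the real `/proc` when run on Linux.

```python
"""Tell UID, PID and PPID apart: what "running as root" looks like in /proc.

Added example (not from the thread).  The SAMPLE_STATUS entries are
constructed; scan_live_proc() reads the real /proc on a Linux host.
"""
import os
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Proc:
    pid: int
    ppid: int
    name: str
    uid: Tuple[int, int, int, int]  # real, effective, saved, filesystem

    @property
    def euid(self) -> int:
        return self.uid[1]


def parse_status(text: str) -> Proc:
    """Parse the key/value lines of one /proc/<pid>/status file."""
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    uid = tuple(int(x) for x in fields["Uid"].split())
    if len(uid) != 4:
        raise ValueError("Uid line should carry four ids")
    return Proc(int(fields["Pid"]), int(fields["PPid"]), fields["Name"], uid)


# Constructed sample (not captured from a real host).  Note that init has
# PPid 0: "0" is the no-parent marker, never a process of its own.
SAMPLE_STATUS = [
    "Name:\tinit\nState:\tS (sleeping)\nPid:\t1\nPPid:\t0\nUid:\t0\t0\t0\t0\nGid:\t0\t0\t0\t0\n",
    "Name:\tsshd\nState:\tS (sleeping)\nPid:\t812\nPPid:\t1\nUid:\t0\t0\t0\t0\nGid:\t0\t0\t0\t0\n",
    "Name:\tbash\nState:\tS (sleeping)\nPid:\t2301\nPPid:\t812\nUid:\t1000\t1000\t1000\t1000\nGid:\t1000\t1000\t1000\t1000\n",
    "Name:\tperl\nState:\tR (running)\nPid:\t4100\nPPid:\t2301\nUid:\t0\t0\t0\t0\nGid:\t0\t0\t0\t0\n",
]


def root_processes(procs: List[Proc]) -> List[Proc]:
    """Everything whose effective UID is 0: the real meaning of "running as root"."""
    return [p for p in procs if p.euid == 0]


def root_children_of_unprivileged(procs: List[Proc]) -> List[Proc]:
    """UID-0 processes whose parent is not UID 0.

    A privilege boundary was crossed between parent and child.  That is
    normal for sudo/su, so treat hits as items to review, not as proof of
    a break-in.
    """
    by_pid = {p.pid: p for p in procs}
    hits = []
    for p in procs:
        parent = by_pid.get(p.ppid)
        if p.euid == 0 and parent is not None and parent.euid != 0:
            hits.append(p)
    return hits


def pid_zero_present(proc_root: str = "/proc") -> bool:
    """There is never a /proc/0 directory: PID 0 exists only as a PPid value."""
    return os.path.isdir(os.path.join(proc_root, "0"))


def scan_live_proc(proc_root: str = "/proc") -> List[Proc]:
    """Read every numeric /proc entry; returns [] on systems without Linux procfs."""
    procs: List[Proc] = []
    if not os.path.isdir(proc_root):
        return procs
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        try:
            with open(os.path.join(proc_root, entry, "status")) as fh:
                procs.append(parse_status(fh.read()))
        except (OSError, KeyError, ValueError):
            continue  # process exited mid-scan, or a non-Linux procfs layout
    return procs


if __name__ == "__main__":
    procs = scan_live_proc() or [parse_status(s) for s in SAMPLE_STATUS]
    print("PID 0 directory present:", pid_zero_present())
    for p in root_processes(procs):
        print(f"pid={p.pid:<6} ppid={p.ppid:<6} euid={p.euid} {p.name}")
    for p in root_children_of_unprivileged(procs):
        print(f"review: {p.name} (pid {p.pid}) is UID 0 under a non-root parent (pid {p.ppid})")
```

A daemon that polls for "PID 0" would therefore never fire. What a periodic check can usefully do is compare the set of UID-0 processes (and which non-root parents spawned them) against what you expect on the box; the output of this script is that list.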
digitizer@killthis.moon1000.com said:
> Next, IPTABLES. Should I allow the broadcast address of 255.255.255.255? It
> fails every time the devices on my home net try to talk, but everything
> still works.

Should you allow broadcast of what from where to where? For a typical intranet situation, broadcast might be used for DHCP, but I guess you're not using that. From Internet to your machine I don't see a valid reason for accepting broadcast messages (but then, I don't know what you're running..). From an intranet to the Internet I don't see good reasons for broadcast, either. But then, there would be much less guessing if you told what broadcast got blocked. The question is not actually "should I allow broadcast" but "is the service using this broadcast needed, and how to turn it off if not".

> An unrelated question, but still about Linux (since I am here anyway)
> How do you guys clean your logs in /var/logs?
> I hacked together a script that cleans logs after they reach a certain size,
> but I thought there would be a more elegant way that comes with the OS
> itself.

Depending on your distribution there could be pre-existing scripts run by cron at regular intervals. Cleaning by size is somewhat inelegant; it might allow an intruder to just generate enough crap to your logs that you rotate all relevant traces out -- but then, cleaning by time allows filling filesystems with excessive logging, so you'll have to make a design decision. As for tools for log rotation, on my system (RH 9.0) there's a program called "logrotate" that has rather flexible ways to determine what to rotate, at what intervals, and how many old files to store.

-- 
Wolf a.k.a. Juha Laiho, Espoo, Finland
(GC 3.0) GIT d- s+: a C++ ULSH++++$ P++@ L+++ E- W+$@ N++ !K w !O !M V PS(+) PE Y+ PGP(+) t- 5 !X R !tv b+ !DI D G e+ h---- r+++ y++++
"...cancel my subscription to the resurrection!" (Jim Morrison)
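The post above leaves the size-versus-time trade-off as a design decision and points at logrotate. The fragment below is an added example of how that decision is written down in a logrotate config; it is not from the thread, and the file name, log path, pid file and retention numbers are assumptions chosen for illustration. It rotates on a schedule (so a burst of junk cannot by itself age old files out) but also caps growth (so a burst cannot fill the filesystem).

```conf
# /etc/logrotate.d/petserver  (hypothetical file; added example, not from the thread)
/var/log/petserver.log {
    # rotate weekly regardless of size: old files age out on a clock, not on demand
    weekly
    # ...but also rotate early if a burst pushes the file past this size
    maxsize 50M
    # keep twelve generations before the oldest is deleted
    rotate 12
    compress
    # leave the newest rotated file uncompressed in case a writer still has it open
    delaycompress
    missingok
    notifempty
    # recreate the live file with tight permissions after each rotation
    create 0640 root adm
    sharedscripts
    postrotate
        /bin/kill -HUP "$(cat /var/run/petserver.pid)" 2>/dev/null || true
    endscript
}
```

Two caveats. `maxsize` (rotate on size and on the interval) only exists in logrotate 3.8.1 and later; the `size` directive available on a RH 9 era logrotate is mutually exclusive with `weekly`, so there you get one criterion or the other. And retention is still finite: an intruder who can write 12 × 50 MB of noise still pushes the interesting lines out, which is exactly the trade-off the post describes, so the numbers are the part you tune to your disk and your paranoia.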
Juha Laiho wrote:
> For a typical intranet situation, broadcast might be used for DHCP, but
> I guess you're not using that. From Internet to your machine I don't see
> a valid reason for accepting broadcast messages (but then, I don't know
> what you're running..). From an intranet to the Internet I don't see good
> reasons for broadcast, either. But then, there would be much less guessing
> if you told what broadcast got blocked. The question is not actually
> "should I allow broadcast" but
> "is the service using this broadcast needed, and how to turn it off if
> not"

Sorry, you deserve some clarification. The broadcasts are coming from my Linksys router - I have a Win2K-WinXP-Fedora setup. DHCP IS used, with the server being my router. I didn't even think of DHCP! On the other hand, the router has no problem assigning IPs on my network. So should I let things be unchanged?

-- 
Digitizer
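Juha's point earlier in the thread was that the decision is per service, not per address, and it needs the actual dropped packets in front of you; the clarification above narrows it to DHCP from a Linksys router on a mixed Windows/Fedora LAN. The script below is an added example, not code from the thread or from either poster: it reads iptables `LOG` target output (the `kernel: ... IN= ... SRC= ... DST= ... PROTO=UDP SPT= DPT=` format), names the service behind each dropped broadcast, and emits the one rule that could matter to the Linux box. The log lines are constructed; the interface `eth0`, the subnet 192.168.1.0/24 and the router address 192.168.1.1 are assumptions.

```python
"""Which broadcasts is the firewall dropping, and does this host need any?

Added example (not from the thread).  SAMPLE_LOG is constructed; eth0,
192.168.1.0/24 and the router at 192.168.1.1 are assumed values.
"""
import ipaddress
import re
from typing import Dict, List, Optional

LAN = ipaddress.ip_network("192.168.1.0/24")  # assumed home subnet
LIMITED_BROADCAST = ipaddress.ip_address("255.255.255.255")

FIELD = re.compile(r"\b([A-Z]+)=(\S*)")

# Constructed iptables LOG output (not copied from the poster's box).
SAMPLE_LOG = """\
Apr 24 23:41:02 pet kernel: DROP-IN: IN=eth0 OUT= SRC=192.168.1.1 DST=255.255.255.255 LEN=328 TOS=0x00 PREC=0x00 TTL=64 ID=0 PROTO=UDP SPT=67 DPT=68 LEN=308
Apr 24 23:41:05 pet kernel: DROP-IN: IN=eth0 OUT= SRC=0.0.0.0 DST=255.255.255.255 LEN=328 TOS=0x00 PREC=0x00 TTL=128 ID=4 PROTO=UDP SPT=68 DPT=67 LEN=308
Apr 24 23:41:09 pet kernel: DROP-IN: IN=eth0 OUT= SRC=192.168.1.12 DST=192.168.1.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=7 PROTO=UDP SPT=137 DPT=137 LEN=58
Apr 24 23:41:20 pet kernel: DROP-IN: IN=eth0 OUT= SRC=203.0.113.9 DST=255.255.255.255 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=9 PROTO=UDP SPT=1900 DPT=1900 LEN=40
Apr 24 23:41:31 pet kernel: DROP-IN: IN=eth0 OUT= SRC=192.168.1.12 DST=192.168.1.20 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=11 PROTO=TCP SPT=3311 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
"""


def parse_log_line(line: str) -> Optional[Dict[str, str]]:
    """Pull the KEY=value fields out of one netfilter LOG line; None if it is not one."""
    if "IN=" not in line or "SRC=" not in line:
        return None
    return dict(FIELD.findall(line))


def is_broadcast(dst: str) -> bool:
    """Limited broadcast or the directed broadcast of the assumed LAN."""
    try:
        addr = ipaddress.ip_address(dst)
    except ValueError:
        return False
    return addr == LIMITED_BROADCAST or addr == LAN.broadcast_address


def classify(fields: Dict[str, str]) -> str:
    """Name the service behind a dropped packet so each one gets its own decision."""
    if not is_broadcast(fields.get("DST", "")):
        return "unicast"
    src = ipaddress.ip_address(fields.get("SRC", "0.0.0.0"))
    proto = fields.get("PROTO", "")
    ports = (fields.get("SPT"), fields.get("DPT"))
    # A broadcast from outside the LAN has no business here: never allow it.
    if src not in LAN and not src.is_unspecified:
        return "foreign-broadcast"
    if proto == "UDP" and ports == ("67", "68"):
        return "dhcp-server-reply"      # router answering a client (offer/ack)
    if proto == "UDP" and ports == ("68", "67"):
        return "dhcp-client-request"    # another host's discover/request
    if proto == "UDP" and ports[1] in ("137", "138"):
        return "netbios"                # Windows name service / browser chatter
    return "other-broadcast"


def summarise(log_text: str) -> Dict[str, int]:
    """Count dropped packets per service."""
    counts: Dict[str, int] = {}
    for line in log_text.splitlines():
        fields = parse_log_line(line)
        if fields is None:
            continue
        kind = classify(fields)
        counts[kind] = counts.get(kind, 0) + 1
    return counts


def suggested_rules(counts: Dict[str, int], iface: str = "eth0") -> List[str]:
    """Only DHCP replies from the router can matter to a DHCP client.

    Other hosts' requests, NetBIOS chatter and anything from off-LAN are
    not needed by a Linux box that is neither a DHCP server nor an SMB
    browser, so they stay dropped and get no rule.
    """
    rules: List[str] = []
    if counts.get("dhcp-server-reply"):
        rules.append(f"iptables -A INPUT -i {iface} -p udp --sport 67 --dport 68 -j ACCEPT")
    return rules


if __name__ == "__main__":
    counts = summarise(SAMPLE_LOG)
    for kind, n in sorted(counts.items()):
        print(f"{n:3d}  {kind}")
    for rule in suggested_rules(counts):
        print("suggested:", rule)
```

On the "everything still works" observation: the usual Linux DHCP clients (ISC dhclient, for one) receive offers through a packet socket below the IP stack, so a DROP rule in the INPUT chain typically does not stop the lease from arriving. That is consistent with the router handing out addresses while the log fills with drops, and it means the single rule above is the most you would open; leaving it closed is also a defensible answer as long as leases keep renewing.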