Useful Security Tools Re: hack lesson?

MonMotha monmotha at indy.rr.com
Sat Jan 12 14:42:14 PST 2002


Another security thing I've been working with:

We all know the benefits of running services in a chroot jail, but there 
are ways to break out of those (especially if the service has to run as 
root).  What about running the service in a UML and then NATting the 
port on your machine over to the UML?  They break the service in the UML 
and it looks like they have root on your system, but all they have is 
root on the "fake" system that the daemon was running in.

This would seem similar to VPS.

--MonMotha
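Added example, not part of MonMotha's post: a small POSIX sh script that prints the iptables commands for the NAT arrangement he describes (public port on the host rewritten to a service inside the UML guest). The interface names eth0 and tap0 and the guest address 192.168.100.2 are assumptions for the illustration, not anything from the thread. The point worth getting right is the FORWARD policy and the INPUT rule: the guest gets only the replies of connections the host hands it, so root inside the guest does not turn into a foothold on the host network.

```shell
#!/bin/sh
# Added example, not from the thread: generate the iptables rules that NAT
# a public port on the host into a service running in a UML guest.
# Assumed (hypothetical) layout: the host's public interface is eth0, the
# guest is reachable over the host-side interface tap0 at 192.168.100.2.
PUB_IF=${PUB_IF:-eth0}
TAP_IF=${TAP_IF:-tap0}
GUEST_IP=${GUEST_IP:-192.168.100.2}

# uml_base_rules: one-time host setup. Forwarding is switched on, but the
# FORWARD chain defaults to DROP and the guest is refused direct access to
# the host's own services, so a compromised guest neither reaches the host
# nor opens fresh connections outward; only what uml_forward_rules allows
# gets through.
uml_base_rules() {
  printf '%s\n' \
    "echo 1 > /proc/sys/net/ipv4/ip_forward" \
    "iptables -P FORWARD DROP" \
    "iptables -A INPUT -i $TAP_IF -s $GUEST_IP -j DROP"
}

# uml_forward_rules PUBLIC_PORT GUEST_PORT [PROTO]
# Prints the rules that send inbound traffic for PUBLIC_PORT to the guest's
# GUEST_PORT and let only the replies of those connections back out.
uml_forward_rules() {
  pub=$1; gp=$2; proto=${3:-tcp}
  printf '%s\n' \
    "iptables -t nat -A PREROUTING -i $PUB_IF -p $proto --dport $pub -j DNAT --to-destination $GUEST_IP:$gp" \
    "iptables -A FORWARD -i $PUB_IF -o $TAP_IF -p $proto -d $GUEST_IP --dport $gp -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT" \
    "iptables -A FORWARD -i $TAP_IF -o $PUB_IF -p $proto -s $GUEST_IP --sport $gp -m state --state ESTABLISHED,RELATED -j ACCEPT"
}

# Usage (as root): review the output, then pipe it to sh, e.g.
#   { uml_base_rules; uml_forward_rules 80 80; uml_forward_rules 2222 22; } | sh
uml_base_rules
uml_forward_rules 80 80
```

If the guest ships its syslog to the host (the same trick Warren mentions for security contexts), add an ACCEPT for that one UDP port on tap0 ahead of the INPUT DROP; everything else from the guest toward the host should stay blocked.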

Warren Togami wrote:

> This may be a good time to point out three useful security tools:
> 
> Tripwire - Maintains an encrypted database of your system files.  Run the
> tripwire checker again later and you will KNOW if a system file was replaced
> or infected.  Unfortunately Tripwire is difficult to setup and maintain, but
> it is mostly foolproof if setup properly.
> 
> RPM Verification - RPM systems have a built in method of checking the
> integrity of the files installed by the RPM system. Here is a little script
> that will step through your installed RPM's and tell you what files have
> been changed.  http://www.mplug.org/archive/2001/rpmcheck.sh
> Unfortunately this method of checking is more susceptible to circumvention
> because a hacker or rootkit could just replace your RPM data too.  This
> little script is a quick and easy test, but results should NOT be trusted.
> 
> Virtual Private Servers http://www.solucorp.qc.ca/miscprj/s_context.hc
> This is a NEAT kernel extension that allows you to run processes within
> another security context, a virtual server within your real server.  It is
> possible to make your system files (nearly) hack proof with this method even
> if someone was able to crack root in one of your security contexts, because
> they have NO WAY of escalating their permissions further, and they can't
> modify your system files and binaries.  Virtual security contexts can
> redirect their syslog to the main context, and tripwire can reside in the
> main context.  This means 100% log integrity and tripwire cannot be fooled.
> 
> VPS is perhaps the most secure thing I've seen in Linux, but unfortunately
> it requires far more setup than other tools.  On the bright side I can
> probably run a Debian mini-installation within my Red Hat server, and use
> Debian tools to upgrade the mini-contexts.  The possibilities are cool.
> 
> ----- Original Message -----
> From: "R Scott Belford" <sctinc at mac.com>
> To: "Linux & Unix Advocates & Users" <luau at list.luau.hi.net>
> Sent: Saturday, January 12, 2002 12:39 AM
> Subject: [luau] Re: hack lesson?
> 
> 
> 
>>Thanks for the tips.  None of my service files in /etc/xinetd.d look
>>corrupt.  Everything is off that I want off and on that I want on.  No
>>mysterious new services (assuming ls is not compromised.) :)
>>/etc/xinetd.conf looks fine.  I have found hacked directories before in
>>/dev.  I won't spend much time looking around.  I have another drive and
>>will be sending this to a well convicted hacking friend to dig
>>through. If there is something to use, I'll let him find it.
>>
>>scott
>>
> 
> 
> 
> 
> 

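Added example, not from Warren's mail or the rpmcheck.sh script he links: a POSIX sh helper that reads `rpm -Va` output and lists the files worth looking at. The sample lines below are constructed for the illustration, not output from any real system. The parsing is the useful part: each line carries an attribute string (S size, M mode, 5 digest, D device, L symlink target, U user, G group, T mtime; '.' means the test passed), an optional file-type letter, and the path, and "missing" replaces the attribute string for a deleted file.

```shell
#!/bin/sh
# Added example, not from the thread: triage `rpm -Va` output. Each line is
# an attribute string (S size, M mode, 5 digest, D device, L symlink target,
# U user, G group, T mtime, P capabilities on newer rpm; '.' = test passed),
# an optional file type letter (c config, d documentation, g ghost, ...),
# and the path. "missing" replaces the attribute string for a deleted file.

# Constructed sample, standing in for: rpm -Va 2>/dev/null
SAMPLE_RPM_VA='S.5....T.    /bin/ls
.M.......    /usr/bin/passwd
S.5....T.  c /etc/ssh/sshd_config
.......T.  d /usr/share/doc/bash-2.05/README
missing     /usr/bin/top
.....UG..    /var/log/wtmp'

# rpm_suspects: read rpm -Va output on stdin and print the paths worth a
# closer look: files whose size, mode, digest, device node or link target
# changed, plus files that are gone. Config (c) and documentation (d) files
# are skipped because editing them is expected; a changed owner/group or
# mtime alone is reported by rpm but left out here to keep the list short.
rpm_suspects() {
  awk '
    $1 == "missing"                      { print $NF; next }
    NF == 3 && ($2 == "c" || $2 == "d")  { next }
    $1 ~ /[SM5DL]/                       { print $NF }
  '
}

# Run on the constructed sample (prints /bin/ls, /usr/bin/passwd and
# /usr/bin/top; the config, doc and owner-only lines are dropped):
printf '%s\n' "$SAMPLE_RPM_VA" | rpm_suspects
```

Two caveats. The awk split on whitespace means a path containing spaces is cut to its last word. And, as Warren says, the RPM database on the suspect box is itself a target: the stronger check is `rpm -Vp` against the original package file from a trusted mirror or CD, with `rpm -K` on that file first to confirm its signature.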