On Thu, Oct 28, 2004 at 04:42:13 -0400, Daniel Guido wrote:
> So far I'm thinking that once I own the box I do this: immediately
> delete all the user accounts except root,
this will probably break some daemons running under low priv accounts -
too bad if you need to keep 'em up. I'd recommend to invalidate the
password for all accounts with one.
> rename the adduser binary to
> something legit-looking yet entirely different
if I have root, i can edit the files myself. if not, adduser will
usually not work anyways.
> and do the same for all
> the shells (bash, csh, etc) installed on the system.
this could indeed help against people using standard shellcode - once it
gets known though, it's a trivial change to make it work again.
> Then, load up a
> kernel module or some other reference monitor type app that watches our
> 'flag' for modifications and restores it if it's modified.
tripwire, don't know about kernel mod.
> Then of
> course, immediately install some auto-update program (yum, apt-get,
> portage, etc) and update all the services running and change their
> configurations slightly to make them more secure (can't turn off
easily said, a lot harder to.
> Last, install ettercap on the owned box to capture and
> report curious traffic going to and from the other servers in-play to
> catch our opponents.
you might want to monitor for listening ports and/or firewall config too
with something and restore to known good when changed.
> If anyone knows some program that watches files like I described please
> let me know, I'd rather not have to code that from scratch.
> Can you think of a better strategy once we own a box?
make it really secure. unfortunately this involves major changes like
installing a kernel with pax and rsbac plus a sufficiently paranoid
policy and replacing everything with versions compiled with stackguard.
if something like that is well done, you can give people a rootshell and
still sleep well.
> Has anyone
> participated in a CTF game before? Any other tips?
no, i am not really interested in breaking boxes or just quick'n'dirty