Re: [mod-security-users] slightly off-topic
From: Joachim R. <jr...@we...> - 2004-10-28 18:00:39
On Thu, Oct 28, 2004 at 04:42:13 -0400, Daniel Guido wrote:

> So far I'm thinking that once I own the box I do this: immediately
> delete all the user accounts except root,

this will probably break some daemons running under low priv accounts - too bad if you need to keep 'em up. I'd recommend to invalidate the password for all accounts with one.

> rename the adduser binary to
> something legit-looking yet entirely different

if I have root, I can edit the files myself. if not, adduser will usually not work anyways.

> and do the same for all
> the shells (bash, csh, etc) installed on the system.

this could indeed help against people using standard shellcode - once it gets known though, it's a trivial change to make it work again.

> Then, load up a
> kernel module or some other reference monitor type app that watches our
> 'flag' for modifications and restores it if it's modified.

tripwire, don't know about kernel mod.

> Then of
> course, immediately install some auto-update program (yum, apt-get,
> portage, etc) and update all the services running and change their
> configurations slightly to make them more secure (can't turn off
> services).

easily said, a lot harder to do.

> Last, install ettercap on the owned box to capture and
> report curious traffic going to and from the other servers in-play to
> catch our opponents.

you might want to monitor for listening ports and/or firewall config too with something and restore to known good when changed.

> If anyone knows some program that watches files like I described please
> let me know, I'd rather not have to code that from scratch.
>
> Can you think of a better strategy once we own a box?

make it really secure. unfortunately this involves major changes like installing a kernel with pax and rsbac plus a sufficiently paranoid policy and replacing everything with versions compiled with stackguard. if something like that is well done, you can give people a rootshell and still sleep well.

> Has anyone
> participated in a CTF game before? Any other tips?

no, I am not really interested in breaking boxes or just quick'n'dirty hardening.

joachim
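The "watch the flag and restore it if modified" idea from the thread, done the tripwire way (hash baseline plus a stashed known-good copy) as an added example that is not from the thread or from any tool named in it; the file names and contents are constructed in a temp dir, and the restore assumes the watched files are small regular files:

```python
"""Baseline-and-restore file monitor (added example, not from the thread).
Hash each watched file once, keep a known-good copy aside, then on every
check re-hash, report what changed or vanished, and copy the good version back."""
import hashlib
import os
import shutil
import tempfile


def sha256_of(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()


def stash_name(path):
    # Key the stashed copy by a hash of the full path so /a/flag and /b/flag
    # never collide on their basename.
    return hashlib.sha256(path.encode()).hexdigest()


def build_baseline(paths, good_dir):
    """Record the hash of each watched file and stash a known-good copy."""
    os.makedirs(good_dir, exist_ok=True)
    baseline = {}
    for p in paths:
        baseline[p] = sha256_of(p)
        shutil.copy2(p, os.path.join(good_dir, stash_name(p)))
    return baseline


def check_and_restore(baseline, good_dir):
    """Return [(path, 'missing'|'modified')] and put the good copy back for each."""
    events = []
    for p, expected in baseline.items():
        if not os.path.exists(p):
            events.append((p, "missing"))
        elif sha256_of(p) != expected:
            events.append((p, "modified"))
        else:
            continue
        shutil.copy2(os.path.join(good_dir, stash_name(p)), p)
    return events


def demo():
    """Constructed scenario: baseline a flag file, tamper with it, check twice."""
    work = tempfile.mkdtemp()
    flag, good = os.path.join(work, "flag.txt"), os.path.join(work, "known_good")
    with open(flag, "w") as f:
        f.write("flag{constructed-sample}\n")
    baseline = build_baseline([flag], good)
    first = check_and_restore(baseline, good)      # nothing changed yet
    with open(flag, "w") as f:
        f.write("tampered\n")
    second = check_and_restore(baseline, good)     # detected and restored
    with open(flag) as f:
        return first, second, f.read()
```

Run it from cron or a loop; as the reply points out, anything running at the same privilege as the intruder can be killed or edited, so this only buys time unless the policy is enforced below root (pax, rsbac).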