mod-security-users

[mod-security-users] slightly off-topic

[Daniel G. <inf...@sp...>]

Hey list, this is slightly off topic but I thought you might be a great 
crowd to ask this.

I'm participating in a CTF war game pretty soon and I'm trying to come 
up with strategies to make sure that once I own a box, no one else can 
break back in and remove my "flag" from the root home folder.  Every 
team is given a file that they have to place in the /root folder and 
keep there to score points.

So far I'm thinking that once I own the box I do this: immediately 
delete all the user accounts except root, rename the adduser binary to 
something legit-looking yet entirely different and do the same for all 
the shells (bash, csh, etc) installed on the system.  Then, load up a 
kernel module or some other reference monitor type app that watches our 
'flag' for modifications and restores it if it's modified.  Then of 
course, immediately install some auto-update program (yum, apt-get, 
portage, etc) and update all the services running and change their 
configurations slightly to make them more secure (can't turn off 
services).  Last, install ettercap on the owned box to capture and 
report curious traffic going to and from the other servers in-play to 
catch our opponents.

If anyone knows some program that watches files like I described please 
let me know, I'd rather not have to code that from scratch.

Can you think of a better strategy once we own a box?  Has anyone 
participated in a CTF game before?  Any other tips?

Thanks for providing so much good help with mod_security, I've been 
using it for abour 9 months now on both my Windows and Linux server and 
it works great.

Dan

Re: [mod-security-users] slightly off-topic

[Joachim R. <jr...@we...>]

On Thu, Oct 28, 2004 at 04:42:13 -0400, Daniel Guido wrote:
> So far I'm thinking that once I own the box I do this: immediately 
> delete all the user accounts except root,

this will probably break some daemons running under low priv accounts -
too bad if you need to keep 'em up. I'd recommend to invalidate the
password for all accounts with one.

> rename the adduser binary to 
> something legit-looking yet entirely different 

if I have root, i can edit the files myself. if not, adduser will
usually not work anyways.

> and do the same for all 
> the shells (bash, csh, etc) installed on the system.

this could indeed help against people using standard shellcode - once it
gets known though, it's a trivial change to make it work again.

> Then, load up a 
> kernel module or some other reference monitor type app that watches our 
> 'flag' for modifications and restores it if it's modified.  

tripwire, don't know about kernel mod.

> Then of 
> course, immediately install some auto-update program (yum, apt-get, 
> portage, etc) and update all the services running and change their 
> configurations slightly to make them more secure (can't turn off 
> services).  

easily said, a lot harder to.

> Last, install ettercap on the owned box to capture and 
> report curious traffic going to and from the other servers in-play to 
> catch our opponents.

you might want to monitor for listening ports and/or firewall config too
with something and restore to known good when changed.

> If anyone knows some program that watches files like I described please 
> let me know, I'd rather not have to code that from scratch.
> 
> Can you think of a better strategy once we own a box?

make it really secure. unfortunately this involves major changes like
installing a kernel with pax and rsbac plus a sufficiently paranoid
policy and replacing everything with versions compiled with stackguard.
if something like that is well done, you can give people a rootshell and
still sleep well.

> Has anyone 
> participated in a CTF game before?  Any other tips?

no, i am not really interested in breaking boxes or just quick'n'dirty
hardening.
 
joachim