Hi all,

I'm a sysop who needs to become familiar with kernel hacking. The reasons and my first questions come below.

We had a good friend (a cracker) in our linux firewall a month ago. This was a machine running a nearly standard Slackware 7.1. So I built an LFS system with some modified programs. I thought that with a root mounted ro and a modified mount program I was on a quite safe side. I modified iptables-restore and removed all (for a cracker) usable programs from the system. ... ... and last weekend I awoke. I wrote a small daemon which did nothing but listen on a port and contain a (buffer overflow) hole waiting to be exploited. Now I saw how easy it is for a cracker to use the syscalls I disabled in userspace directly.

Ok, I think I could change the system calls. There is a great example for the good guys on kernelnewbies.org, and a good example for the bad guys on phrack.org, of how to do this.

My 1st possible choice for the first steps (more important): Make a module containing mount with remount filtering, or disable mount at all. This module should disable delete_module too -- of course. But arrgh, once loaded this module will prevent doing system maintenance. So I'll need an ADDITIONAL system call to enable this (best fit employing some asymmetric crypto). In short: a) writing a module which modifies and adds further system calls.

Furthermore, we have a webserver and a mailserver behind our firewall. I'd like to make them DoS-secure employing a SYNCOOKIE firewall. Such a piece of software is available for ipchains, and a template for a conntrack module is available on the netfilter website.

My 2nd possible choice for the first steps (less important): Writing a conntrack module for iptables which copies (or uses) linux's SYNCOOKIE support (which secures only the localhost). In short: b) writing a conntrack module.

What would you guys suggest me to begin with?
My kernel hacking experience is: 14 days or so I'm reading the kernel sources, studying kernel docs and following the kernel mailing lists -- thus nearly ZERO.

Thanks in advance and GREEEEEEEEEEEEEEEEEETINGS
Frank

PS: Resent due to a hint by Ravi.

--
Kernelnewbies: Help each other learn about the Linux kernel.
Archive: http://mail.nl.linux.org/kernelnewbies/
FAQ: http://kernelnewbies.org/faq/
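An added example illustrating option (a) from the post above; it is not code from Frank, from kernelnewbies.org or from the phrack article he mentions. Kernel code cannot be compiled here, so this is a user-space model in C: sys_call_table is a plain array of function pointers, handlers take one argument struct instead of registers, and the two real_* functions stand in for the kernel's own mount and delete_module implementations. The syscall numbers, the maint_unlock call, the MAINT_LOCK/MAINT_UNLOCK codes and the SECRET_TOKEN bytes are all invented for this example; a fixed shared secret stands in for the asymmetric check the post asks for, and the mechanics shown (save the original entry, install a filtering wrapper, add a gated entry) are the same whichever check is used.

```c
/* Added example, not code from the post: a user-space model of a syscall-
 * table hooking module that (1) filters mount(2) remounts, (2) refuses
 * delete_module(2) and (3) adds an extra "maintenance unlock" syscall.
 * Everything is a model: sys_call_table is an array of function pointers,
 * handlers take one args struct, and real_* stand in for the kernel's own
 * handlers. SECRET_TOKEN, maint_unlock and the NR_* numbers are invented. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

#define MS_REMOUNT 32UL       /* same value as the real mount(2) flag */

/* Hypothetical syscall numbers for the model table */
enum { NR_MOUNT = 0, NR_DELETE_MODULE = 1, NR_MAINT_UNLOCK = 2, NR_MAX = 3 };

/* Operation codes for the added syscall */
#define MAINT_LOCK   0UL
#define MAINT_UNLOCK 1UL

struct syscall_args {
    const char    *name;      /* mount target, or module name for delete_module */
    unsigned long  flags;     /* mount flags, or MAINT_LOCK / MAINT_UNLOCK */
    const uint8_t *token;     /* unlock token for maint_unlock */
    size_t         token_len;
};

typedef long (*syscall_fn)(const struct syscall_args *);

static syscall_fn sys_call_table[NR_MAX];   /* model of the kernel's table */
static syscall_fn orig_mount;               /* saved originals: a hooking module */
static syscall_fn orig_delete_module;       /* keeps them for pass-through calls */
static int locked = 1;                      /* 1: maintenance operations refused */

/* Constructed 128-bit shared secret. A module implementing the post's
 * asymmetric idea would verify a signature here instead of comparing bytes. */
static const uint8_t SECRET_TOKEN[16] = {
    0x8a,0x1f,0x33,0xc4,0x5e,0x02,0x77,0x91,
    0xd6,0x40,0xab,0xe9,0x13,0x6c,0xf0,0x2b };

/* Stand-ins for the kernel's handlers: accept and report success */
static long real_mount(const struct syscall_args *a)         { (void)a; return 0; }
static long real_delete_module(const struct syscall_args *a) { (void)a; return 0; }

/* Constant-time comparison so the token check does not leak by timing */
static int ct_equal(const uint8_t *a, const uint8_t *b, size_t n) {
    uint8_t diff = 0;
    for (size_t i = 0; i < n; i++) diff |= (uint8_t)(a[i] ^ b[i]);
    return diff == 0;
}

/* Hook for mount(2): while locked, any remount (e.g. turning the read-only
 * root read-write) is refused; fresh mounts still reach the original. */
static long hooked_mount(const struct syscall_args *a) {
    if (locked && (a->flags & MS_REMOUNT))
        return -EPERM;
    return orig_mount(a);
}

/* Hook for delete_module(2): while locked nothing can be unloaded,
 * which keeps this filter itself in place. */
static long hooked_delete_module(const struct syscall_args *a) {
    if (locked)
        return -EPERM;
    return orig_delete_module(a);
}

/* The added syscall: switch lockdown off (or back on) given the right token */
static long maint_unlock(const struct syscall_args *a) {
    if (a->token == NULL || a->token_len != sizeof SECRET_TOKEN)
        return -EINVAL;
    if (!ct_equal(a->token, SECRET_TOKEN, sizeof SECRET_TOKEN))
        return -EACCES;
    if (a->flags != MAINT_LOCK && a->flags != MAINT_UNLOCK)
        return -EINVAL;
    locked = (a->flags == MAINT_LOCK);
    return 0;
}

/* What the module's init_module() would do: save originals, patch entries */
static void install_hooks(void) {
    sys_call_table[NR_MOUNT]         = real_mount;          /* pristine table */
    sys_call_table[NR_DELETE_MODULE] = real_delete_module;
    sys_call_table[NR_MAINT_UNLOCK]  = NULL;                /* an unused slot */
    orig_mount         = sys_call_table[NR_MOUNT];
    orig_delete_module = sys_call_table[NR_DELETE_MODULE];
    sys_call_table[NR_MOUNT]         = hooked_mount;
    sys_call_table[NR_DELETE_MODULE] = hooked_delete_module;
    sys_call_table[NR_MAINT_UNLOCK]  = maint_unlock;
    locked = 1;
}

/* Model of the syscall entry path: dispatch through the (patched) table */
static long do_syscall(int nr, const struct syscall_args *a) {
    if (nr < 0 || nr >= NR_MAX || sys_call_table[nr] == NULL)
        return -ENOSYS;
    return sys_call_table[nr](a);
}

int main(void) {
    install_hooks();
    struct syscall_args remount = { "/", MS_REMOUNT, NULL, 0 };
    struct syscall_args rmmod   = { "ipt_filter", 0, NULL, 0 };
    struct syscall_args unlock  = { NULL, MAINT_UNLOCK, SECRET_TOKEN, sizeof SECRET_TOKEN };
    printf("remount while locked: %ld\n", do_syscall(NR_MOUNT, &remount));
    printf("rmmod while locked:   %ld\n", do_syscall(NR_DELETE_MODULE, &rmmod));
    printf("unlock with token:    %ld\n", do_syscall(NR_MAINT_UNLOCK, &unlock));
    printf("remount after unlock: %ld\n", do_syscall(NR_MOUNT, &remount));
    return 0;
}
```

In a real module the two saved pointers would be the kernel's actual table entries and install_hooks would run from init_module; the filtering and dispatch logic is unchanged. The token here is a fixed shared secret only to keep the example self-contained: on a 2.4-era box, root can read kernel memory, so a secret embedded in the module is recoverable by the attacker the post describes, which is exactly why the post asks for an asymmetric check where the module holds only a public key.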