Re: How to begin once more

On Thu, Mar 28, 2002 at 06:19:08AM +0100, Frank Schaefer wrote:
> We had a good friend (????? cracker ??????) in our Linux firewall a
> month ago. This was a machine running a nearly standard Slackware 7.1. So
> I built an LFS system with some modified programs.
> I thought that with root mounted ro and a modified mount program I was on
> the quite safe side. I've modified iptables-restore, and removed all (for a
> cracker) usable programs from the system. ...
> ... and last weekend I awoke.

No, you're not safe at all. A cracker can upload an unmodified mount
program to your firewall, or any other program he likes.

> I wrote a small daemon, which did nothing but listen on a port and
> contained a (buffer overflow) hole waiting to be exploited. Now I saw
> how easy it is for a cracker to use the syscalls I disabled in userspace
> directly. Ok, I think I could change the system calls. There is a great
> example for the good guys on kernelnewbies.org, and a good example for
> the bad guys on phrack.org how to do this.
> 
> My 1st possible choice for the first steps (more important):
> 
> Make a module containing mount with remount filtering or disable mount
> at all. This module should disable delete_module too -- of course.
> But arrgh, once loaded this module will prevent doing system maintenance. So
> I'll need an ADDITIONAL system call to enable this (best fit employing
> some asymmetric cryptography).

You're looking at the wrong place. You are trying to reinforce the base
of the building, while you should start with placing stronger locks on
the front door. IOW: fix userland, there shouldn't be unnecessary open
ports on your firewall in the first place. You are trying to protect a
system that already has a malicious root user, while you should try to
prevent getting that cracker root in the first place.

> In short a)
> writing a module which modifies and adds further system calls.

This has been said a thousand times on this list: adding system calls
in a module is not safe and arch specific.

> Furthermore we have a webserver and a mailserver behind our firewall. I'd
> like to make them DOS secure employing a SYNCOOKIE firewall. Such a
> piece of software is available for ipchains, and on the netfilter website is
> some template for a conntrack module available.
> 
> My 2nd possible choice for the first steps (less important):
> 
> Writing a conntrack module for iptables, which copies (or uses) Linux's
> SYNCOOKIE support (which secures only the localhost).
> 
> In short b)
> writing a conntrack module.

I'd think that enabling syncookies on the web and mailserver already
does the trick, but then again: I'm no networking expert.

> What would you guys suggest me to begin with? My kernel hacking
> experience is: 14 days or so I'm reading the kernel sources, studying
> kernel docs and following the kernel mailing lists -- thus nearly ZERO.

I'd suggest auditing the userland code on your firewall before you
start hacking and reading some more about firewalls and Unix security.
Kernel hacking has a very steep learning curve, and if you don't
understand what you're doing you can cause more harm than you're trying
to cure.

> PS: Resent due to a hint by Ravi.

Wrong hint. If you don't get an answer, it usually means that your
question is vague, off topic for this list, or everybody is busy
hacking code.


Erik

PS: Hint to solve the malicious user on firewall problem: a halted
  Linux system whose network interfaces were not taken down still routes
  packets... :)

-- 
J.A.K. (Erik) Mouw, Information and Communication Theory Group, Faculty
of Information Technology and Systems, Delft University of Technology,
PO BOX 5031, 2600 GA Delft, The Netherlands  Phone: +31-15-2783635
Fax: +31-15-2781843  Email: J.A.K.Mouw@its.tudelft.nl
WWW: http://www-ict.its.tudelft.nl/~erik/
--
Kernelnewbies: Help each other learn about the Linux kernel.
Archive:       http://mail.nl.linux.org/kernelnewbies/
FAQ:           http://kernelnewbies.org/faq/
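Erik's advice above amounts to two checks on the firewall host: no unnecessary listening ports, and SYN cookies enabled where SYN floods are a concern. The following is an added example, not code from the thread: it audits constructed `ss -Hltn` output against an allowlist of expected ports (the sample output, the allowlist and the hypothetical host are assumptions; on a real machine feed it `ss -Hltn` and the value of /proc/sys/net/ipv4/tcp_syncookies).

```shell
#!/bin/sh
# Audit which TCP ports a firewall host exposes and whether SYN cookies are on.
# Added example; the sample data below is constructed, not captured from the thread.

# Constructed output of `ss -Hltn` on a hypothetical firewall host:
# State Recv-Q Send-Q Local-Address:Port Peer-Address:Port
SAMPLE_SS='LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 0.0.0.0:25 0.0.0.0:*
LISTEN 0 128 127.0.0.1:631 0.0.0.0:*
LISTEN 0 128 0.0.0.0:31337 0.0.0.0:*'

# Assumption: the only service that should listen on this firewall is SSH.
ALLOWED_PORTS="22"

# unexpected_ports SS_OUTPUT ALLOWED_PORTS
# Prints, one per line, every non-loopback listening port not in the allowlist.
unexpected_ports() {
    printf '%s\n' "$1" | awk -v allowed="$2" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 == "LISTEN" {
            addr = $4
            port = addr; sub(/.*:/, "", port)        # text after the last colon
            host = addr; sub(/:[^:]*$/, "", host)    # everything before it
            # A socket bound only to loopback is not reachable from the network.
            if (host == "127.0.0.1" || host == "[::1]") next
            if (!(port in ok)) print port
        }' | sort -un
}

# syncookies_status VALUE
# VALUE is the content of /proc/sys/net/ipv4/tcp_syncookies (0, 1 or 2);
# 1 enables cookies under SYN-queue pressure, 2 sends them unconditionally.
syncookies_status() {
    case "$1" in
        1|2) echo enabled ;;
        *)   echo disabled ;;
    esac
}

# Stand-alone run on the constructed sample.
echo "unexpected listening ports:"
unexpected_ports "$SAMPLE_SS" "$ALLOWED_PORTS"
echo "tcp_syncookies: $(syncookies_status 0)"
```

On a live host, replace the sample with `"$(ss -Hltn)"` and pass `"$(cat /proc/sys/net/ipv4/tcp_syncookies)"` to the second function; setting `net.ipv4.tcp_syncookies=1` via sysctl is what Erik refers to as enabling syncookies on the web and mail servers.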

