On Thu, 2002-03-28 at 09:06, Erik Mouw wrote:

> No, you're not safe at all. A cracker can upload an unmodified mount
> program to your firewall, or any other program he likes.

Nope, he can't. At least I don't know any way to upload to a read-only medium.

> You're looking at the wrong place. You are trying to reinforce the base
> of the building, while you should start with placing stronger locks on
> the front door. IOW: fix userland,

We do this periodically. One of my daily tasks is to have a look at CERT, packetstorm, insecure and other places to find bugs and possibly available patches. But I can't ENSURE that

WORST_CASE: -- A bad guy finds such a bug BEFORE the good guys do, and exploits it --

doesn't occur.

> there shouldn't be unnecessary open
> ports on your firewall in the first place. You are trying to protect a
> system that already has a malicious root user, while you should try to
> prevent getting that cracker root in the first place.

There aren't. But we need mail, proxy, DNS, ssh. All of them have heavy traffic on the above-mentioned sites, which enlarges the possibility of WORST_CASE.

> I'd suggest auditing the userland code on your firewall before you
> start hacking and reading some more about firewalls and Unix security.

I didn't say that we don't do so. And here explicitly: we do. But my awakening at home showed me: THAT'S NOT ENOUGH. A cracker who found a WORST_CASE doesn't need userland. He has the kernel. That's why I want to modify/invalidate some syscalls after boot and before the netlayer comes up.

> Kernel hacking has a very steep learning curve, and if you don't
> understand what you're doing you can cause more harm than you're trying
> to cure.

Agree. Knowing myself and my experience in learning tell me: only by reading sources and docs the curve isn't that steep. This wants an actual task. Which one to choose was my initial question. BTW: the 1st choice is nearly done. I'm testing it at home right now.

> > PS: Resent due to a hint by Ravi.
>
> Wrong hint. If you don't get an answer, it usually means that your
> question is vague, off topic for this list, or everybody is busy
> hacking code.

... or a subject indicating spam (Ravi's hint ;-)

> PS: Hint to solve the malicious user on firewall problem: a halted
> linux system without network interfaces taken down still routes
> packets... :)

(: ... right.

Thanks for the reply.

Regards
Frank

--
Kernelnewbies: Help each other learn about the Linux kernel.
Archive: http://mail.nl.linux.org/kernelnewbies/
FAQ: http://kernelnewbies.org/faq/