|
-
March 29th, 2002, 01:19 AM
#1
 Securing Linux
I thought id share with yah guys how to help secure an ext2 filesystem like slackware or redhat.
First off after you have your server setup just the way you want do a :
chattr -R +i /
This will set your whole root file system imutable. Not even root can for the creation or modification of a file unless they do a chattr +i FILENAME. Whats really cool is that if you do a ls -l it will still show all of your original file atributes so if you do a chmod a+rwx / then make the file system is imutable . It will show all the files are writtable but you can't do crap unless you set it unmutable.
Whats really crazy is you can rm the chattr command and only allow a certain directory to install that commando to. So unless they know that directory which is writtable and not unmutable they won't be able to install the chattr command so in theroy they wont be able to change any files.
so the command
rm -fR / won't work
have fun and happy hacking
-
March 29th, 2002, 03:12 AM
#2
What a novel idea... While I've long been familiar with the chattr command, I never really gave much thought to setting the entire filesystem immutable.
Is this really even possible? I was under the impression that there were always files that the system had open for reading and writing so that it could perform it's normal tasks. Does linux ignore your command to chattr files that it needs to keep open? That doesn't sound like the linux I know. Linux generally obeys your every command even though you're about to fry your entire filesystem with a stray space in the arguments for 'rm'.
Have you done this on your own system? How well does it work? Wouldn't that affect the boot sequence? Please let me know a little more about your experiences with this.
If it works, it sounds like a great idea for a firewall or something like that that doesn't change often.
-
March 30th, 2002, 09:50 PM
#3
From what ive seen and tested on my own system nothing seems to be writtable.But im mostly using it on my slackware firewall and it works great. and if i need to change something put chattr on a floppy and load it into that directory that you didn't set imutable. As of yet none of my "hacking boxes have not been hacked" by any of my friends or associates.
-
March 30th, 2002, 10:50 PM
#4
Junior Member
Just dropped in to say it was a very interesting idea 
Chris P.
www.firewall.cx
-
April 2nd, 2002, 03:08 AM
#5
And let me say something about *nix here ok guys? When putting your sites up on yer *nix boxes, please please please, dont allow anonymous FTP access or unauthorized telnet proxy usage ok?
This is because, when I hack, I first connect to the site anonymously via FTP. Usually theres a good deal of info I can acquire from the site and its box by just looking and the freaking directory listings.
And I say the Telnet proxy because this. I am connecting to a site. Example.
Microsoft Telnet32.exe
:: o (command to connect to host)
<to> xxxx.xxx.x.xx.
connecting....
Access denied to use the Telnet Proxy.
:: o (command to connect to host)
<to> xxxx.xxx.x.xx. 25
connecting...
...
press any key to continue...
Welcome to Whateversite.com 4.0 Mail
::vrfy guest
vrfying guest complete, 501: <guest@whateversite.com>
You see how much information I gained just by a little anonymous access? Hint hint to all sys admins.
-{[ Joe ]}- (Joe@nitesecurity.com)
http://www.nitesecurity.com
[shadow]I\'m Just A Soldier In This War Against Ignorance.[/shadow]
-
April 2nd, 2002, 03:13 AM
#6
Great idea linuxcomando i'll have to try that some time.
Its not software piracy. I’m just making multiple off site backups.
-
April 2nd, 2002, 07:06 PM
#7
Um Silent why don't you be silent ? What does this have to do with a read only file system? I could give you root password on a
locked unix box and it would still be difficult to screw it up. It can be done but itll take time. So why don't you go back to your windows box and hack away.
-
April 3rd, 2002, 04:28 AM
#8
Listen man, Im giving a little advice on system security, when you go under this thread your supposed to find that, doesnt matter whatever the first post said.
Now, as for the being silent part and telling me to go back to my windows box, you can kiss my ass. If I want to say something about security, are you going to stop me? Thats the problem in this world. People like you telling those giving advice to shut up, and no one gets the information they should have gotten.
This is AO right? Maybe I've got the site wrong, but aren't we supposed to help sys admins and preach about security? Dont answer that. Although I havent been posting as long, I've been here for quite a while, observing, reading, I know what this site has to offer, and I know that my knowledge could be useful. And if someone like you wants to block me from talking, it doesn't intimidate me, nor change my mind about saying what I want to say. I don't know if you know the United State's First Ammendment. Maybe you don't. It's freedom of speach.
-{[ Joe ]}- (Joe@nitesecurity.com)
http://www.nitesecurity.com
[shadow]I\'m Just A Soldier In This War Against Ignorance.[/shadow]
-
April 3rd, 2002, 04:33 AM
#9
Disregarding the flames that are undoubtedly about to start between SilentStalker and LinuxCommando, if you wanna do a quick / dirty securing job, check out the NSA's Secure Linux which you can integrate into your current Linux. I know a lot of people distrust the government when it comes to security, but trust me, sometimes they really do know what they're talking about.
I would post a link to the site, but the server seems to be down right now. Once it's back up, simply go to http://www.nsa.gov and click on the Secure Linux link on the home page and you can read about it and download it.
AJ
-
April 3rd, 2002, 04:49 AM
#10
Here's an update to my last post. The site's back up and here's the lnk:
http://www.nsa.gov/selinux/index.html
Posting Permissions
- You may not post new threads
- You may not post replies
- You may not post attachments
- You may not edit your posts
-
Forum Rules
|
|
Reply With Quote
