-
April 8th, 2002, 05:29 PM
#21
Well another idea you could do is set quotas on all the partions you need like /tmp etc....
to say 100 mb. But you could put everything in a chrooted enviorment. and as long as you don't include a compiler you should be relativly safe. Chroot enviorments can be broken but sometimes it can be a punk. You may even be able to modify the sytem flags by using rdev. If you know any other ways to set the file system unwritable let me know.
-
April 8th, 2002, 05:31 PM
#22
That's a good point but another thing to realize is, this wouldn't be feasible in a business environment. Most businesses don't care too much about security because they don't know what can be done and therefore, it's always pretty open. Example...the oracle guys come to me and say "We need X number of megs in filesystem Y and we need it to be 0777.". I can preach permissions and whatnot but that gets us nowhere and it ends up being done.
*sigh*
We the willing, led by the unknowing, have been doing the impossible for the ungrateful. We have done so much with so little for so long that we are now qualified to do just about anything with almost nothing.
-
April 8th, 2002, 05:36 PM
#23
Something else you could do, along with quotas, is just use the automounter to mount the /home directory and make everything else (except /tmp) non-writeable by regular users. This provides a one-stop shop to secure and NIS+ is pretty good about security now.
We the willing, led by the unknowing, have been doing the impossible for the ungrateful. We have done so much with so little for so long that we are now qualified to do just about anything with almost nothing.
-
April 8th, 2002, 05:51 PM
#24
Another hint: RUN ONLY THE DAEMONS YOU NEED. my FreeBSD 4.3 box only runs SSH and FTP. Anonyous FTP is NOT allowed
-
April 8th, 2002, 05:59 PM
#25
hey ratman2 what sucks is ssh is still hackable depending on version.
i never thought about using automounter. Ill prob try that today.
-
April 10th, 2002, 01:20 AM
#26
Linux linux.. the penguin still glimmering in my eyes...
-{[ Joe ]}- (Joe@nitesecurity.com)
http://www.nitesecurity.com
[shadow]I\'m Just A Soldier In This War Against Ignorance.[/shadow]
-
April 10th, 2002, 06:00 AM
#27
That's a good point but another thing to realize is, this wouldn't be feasible in a business environment. Most businesses don't care too much about security because they don't know what can be done and therefore, it's always pretty open.
Isn't it funny how security implementations suddenly become much more "feasible" when a business has a major break in and it is publicised .
OpenBSD - The proactively secure operating system.
-
April 10th, 2002, 06:39 PM
#28
Another really cool idea is to create a LKM that will "hide" all the files you want. Or make it so you have everything in a chroot enviorment.
-
April 10th, 2002, 11:56 PM
#29
Just now that I'm getting on and off the subject, I feel I need to add something about Security.
Nothing too technical, just some advice:
1) Create a hacker log that executes when connected to the system. The right person will know its a fake. Call it .log or .hacklog or us hackers will know its fake.
2) Change your IP if you have dynamic, so we can't access you as fast.
3) Remember we are hackers, so when messing with us, don't underestimate.
Just some little advice for those starting out on their Linux boxes
-{[ Joe ]}- (Joe@nitesecurity.com)
http://www.nitesecurity.com
[shadow]I\'m Just A Soldier In This War Against Ignorance.[/shadow]
Posting Permissions
- You may not post new threads
- You may not post replies
- You may not post attachments
- You may not edit your posts
-
Forum Rules
|
|