[Techtalk] Re: User-Mode Linux v. BSD jail
jennyw
jennyw at dangerousideas.com
Fri Mar 7 11:51:02 EST 2003
On Thu, Mar 06, 2003 at 07:09:46PM -0500, Raven Alder wrote:
> If you're wanting to stay on Linux, you might want to look at
> the LIDS kernel patch -- it does a lot of the things that BSD jail does
Yes, I've thought of LIDS. But I remember your travails (from an earlier
post of yours) and thought that might actually be a bit more difficult
than setting up a UML "jail" for the Web server. But I'll look at LIDS
after I set up UML. I figure I can do that at my leisure.
It does add a lot of security features I've always thought should be in
Linux (and every other OS!) though! Out of curiosity, is there a way to
set it up to allow everything but to log everything? That might be a way
to find out what's running on your system before you try to block
things.
> [even more sheepish grin] The really bad part about that was that it
> horked the driver for my network card, so even under the good kernel I
> couldn't get online at first to try and google for help.
That's why I keep a Knoppix CD with me all the time! I sometimes do
things like that, too. ;-)
> On the plus side, everything was eventually made to work
> properly again (took about a day of effort) and I feel a lot more
> confident about my system's security. [grin] If *I* had to go through
> that much pain to get the normal system processes able to do their
> jobs... good luck, attackers.
With UML, LIDS, etc. -- they all isolate the damage a hacker can do, but
they don't necessarily prevent the break-in or provide you info on the
break-in. In my particular situation, the person who broke in started
sending mail from what was probably the web server user. Neither LIDS
nor UML would actually prevent the Web server from being compromised,
just prevent anything else from being compromised. The only thing I
could think of to allow the Web server to send mail even if it's
contained, is to send all mail from the Web server to a program/script
that would check it against the addresses I normally send mail to, and
if more than a couple messages not on that list are being sent, then to
alert me.
I'm not sure I'm going to go that far, but I might. This is mostly
because I still can't figure out how they got into the system ... every
time I look at a possible exploit, I realize that the patch or
workaround was already installed on my system, or that the vulnerability
was a DoS (which also may or may not have been patched on my system; I
haven't checked that yet). Also, BIND (which was installed to avoid the
known exploits) was running chroot. I keep coming back to the Web
server, since it's the most unknown, but I'm still not sure how they got
in. Anyway, I'm just ranting now. More research to follow ...
Jen
_______________________________________________
Techtalk mailing list
Techtalk at linuxchix.org
http://mailman.linuxchix.org/mailman/listinfo/techtalk
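The recipient-allowlist check sketched in the post above, written out as an added example (not code from the post or from the Techtalk list): the web server's outgoing mail is passed through a wrapper that counts messages to recipients outside a list of known correspondents and raises an alert once more than a couple appear in a time window. The allowlist, threshold, window and sample messages are all constructed for the example.

```python
"""Outbound-mail anomaly check for a contained web-server user.

Added example, not from the original post: mail from the web server is
piped through OutboundMailMonitor.check() instead of straight to sendmail.
Messages whose recipients are not on a known-correspondent allowlist are
counted, and an alert fires once more than ALERT_THRESHOLD such messages
appear within WINDOW_SECONDS. Allowlist, threshold and window are assumed.
"""
import time
from collections import deque
from email import message_from_string
from email.utils import getaddresses

ALLOWLIST = {"friend@example.org", "mom@example.net"}   # constructed
ALERT_THRESHOLD = 2      # "more than a couple" unknown-recipient messages
WINDOW_SECONDS = 3600    # sliding window in which those messages are counted

def unknown_recipients(raw_message, allowlist=ALLOWLIST):
    """Return the To/Cc/Bcc addresses of one message that are not allowlisted."""
    msg = message_from_string(raw_message)
    headers = msg.get_all("To", []) + msg.get_all("Cc", []) + msg.get_all("Bcc", [])
    addrs = {addr.lower() for _, addr in getaddresses(headers) if addr}
    return addrs - {a.lower() for a in allowlist}

class OutboundMailMonitor:
    """Counts unknown-recipient messages in a sliding window; reports when to alert."""
    def __init__(self, threshold=ALERT_THRESHOLD, window=WINDOW_SECONDS):
        self.threshold, self.window = threshold, window
        self.events = deque()      # timestamps of messages sent to strangers

    def check(self, raw_message, now=None):
        """Record one outgoing message; return True if the alert threshold is exceeded."""
        now = time.time() if now is None else now
        if unknown_recipients(raw_message):
            self.events.append(now)
        while self.events and now - self.events[0] > self.window:
            self.events.popleft()  # forget events older than the window
        return len(self.events) > self.threshold

# Constructed samples: one legitimate message, then a burst to unknown addresses.
LEGIT = "From: www-data@host\nTo: friend@example.org\nSubject: hi\n\nok\n"
SPAM = "From: www-data@host\nTo: a@x.test, b@y.test\nCc: friend@example.org\nSubject: !\n\nbuy\n"

if __name__ == "__main__":
    mon = OutboundMailMonitor()
    for i, m in enumerate([LEGIT, SPAM, SPAM, SPAM]):
        if mon.check(m, now=1000 + i):
            print("ALERT: burst of mail to unknown recipients from the web server")
```

In a real deployment the wrapper would hand the message on to the local MTA after recording it, so legitimate mail still flows while the alert goes to the administrator.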