[Techtalk] Re: User-Mode Linux v. BSD jail

jennyw jennyw at dangerousideas.com
Fri Mar 7 11:51:02 EST 2003


On Thu, Mar 06, 2003 at 07:09:46PM -0500, Raven Alder wrote:
> 	If you're wanting to stay on Linux, you might want to look at
> the LIDS kernel patch -- it does a lot of the things that BSD jail does

Yes, I've thought of LIDS. But I remember your travails (from an earlier 
post of yours) and thought that might actually be a bit more difficult 
than setting up a UML "jail" for the Web server.  But I'll look at LIDS 
after I set up UML.  I figure I can do that at my leisure.

It does add a lot of security features I've always thought should be in 
Linux (and every other OS!) though!  Out of curiosity, is there a way to 
set it up to allow everything but to log everything? That might be a way 
to find out what's running on your system before you try to block 
things.

> [even more sheepish grin]  The really bad part about that was that it
> horked the driver for my network card, so even under the good kernel I
> couldn't get online at first to try and google for help.

That's why I keep a Knoppix CD with me all the time! I sometimes do 
things like that, too. ;-)

> 	On the plus side, everything was eventually made to work
> properly again (took about a day of effort) and I feel a lot more
> confident about my system's security.  [grin]  If *I* had to go through
> that much pain to get the normal system processes able to do their
> jobs... good luck, attackers.

UML, LIDS, etc. all isolate the damage a hacker can do, but they don't 
necessarily prevent the break-in or provide you info on the break-in.  
In my particular situation, the person who broke in started sending 
mail from what was probably the web server user.  Neither LIDS nor UML 
would actually prevent the Web server from being compromised, just 
prevent anything else from being compromised.  The only thing I could 
think of to allow the Web server to send mail even if it's contained is 
to send all mail from the Web server to a program/script that would 
check it against the addresses I normally send mail to, and if more 
than a couple messages not on that list are being sent, then to alert 
me.  

I'm not sure I'm going to go that far, but I might.  This is mostly
because I still can't figure out how they got into the system ...  every
time I look at a possible exploit, I realize that the patch or
workaround was already installed on my system, or that the vulnerability
was a DoS (which also may or may not have been patched on my system; I
haven't checked that yet).  Also, BIND (which was installed to avoid the
known exploits) was running chroot.  I keep coming back to the Web
server, since it's the most unknown, but I'm still not sure how they got
in.  Anyway, I'm just ranting now. More research to follow ...

Jen
_______________________________________________
Techtalk mailing list
Techtalk at linuxchix.org
http://mailman.linuxchix.org/mailman/listinfo/techtalk
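The recipient check sketched in the message above, written out as an added example (it is not code from the original post or from any of the projects named in the thread). It assumes the web server's sendmail path is pointed at this script, which reads the message on stdin the way the sendmail -t interface does, compares every recipient against an allowlist of addresses the owner normally writes to, counts messages that go anywhere else, and raises an alert once that count passes "a couple". The allowlist, state-file path, MTA path and sample messages are all constructed for the example.

```python
#!/usr/bin/env python3
"""Hypothetical sendmail wrapper for a contained web server (added example).

Deployment assumption: the web server's sendmail_path points here instead
of at the real MTA.  Every outgoing message is inspected, counted if it
goes to an address outside the allowlist, and then relayed unchanged.
"""
import email
import email.utils
import json
import subprocess
from pathlib import Path

# Addresses the owner normally sends to (constructed for the example).
DEFAULT_ALLOWLIST = {"admin@example.com", "friend@example.net"}
# "More than a couple" of unknown-recipient messages trips the alert.
DEFAULT_THRESHOLD = 2
# Running count kept between invocations (assumed path, hypothetical).
DEFAULT_STATE = Path("/var/lib/mailwatch/state.json")
# Real MTA the message is handed to after inspection (assumed path).
REAL_SENDMAIL = "/usr/sbin/sendmail"

# Constructed sample messages: one to a known address, one to strangers.
SAMPLE_FORM_MAIL = (
    "From: www-data@example.com\nTo: admin@example.com\n"
    "Subject: contact form\n\nsomeone filled in the form\n"
)
SAMPLE_UNKNOWN_MAIL = (
    "From: www-data@example.com\nTo: victim1@example.org\n"
    "Cc: victim2@example.org\nSubject: hi\n\nunsolicited\n"
)


def recipients(raw_message, cli_recipients=()):
    """Every recipient: To/Cc/Bcc headers plus any addresses the caller
    put on the command line (sendmail's non -t mode).  Lower-cased so the
    allowlist comparison is case-insensitive."""
    msg = email.message_from_string(raw_message)
    addrs = set()
    for hdr in ("To", "Cc", "Bcc"):
        for _name, addr in email.utils.getaddresses(msg.get_all(hdr, [])):
            if addr:
                addrs.add(addr.lower())
    addrs.update(a.lower() for a in cli_recipients)
    return addrs


class MailWatch:
    """Counts messages sent to addresses outside the allowlist."""

    def __init__(self, allowlist=DEFAULT_ALLOWLIST,
                 threshold=DEFAULT_THRESHOLD, state_path=None):
        self.allowlist = {a.lower() for a in allowlist}
        self.threshold = threshold
        self.state_path = state_path          # None keeps state in memory
        self.unknown_count = self._load()

    def _load(self):
        if self.state_path and self.state_path.exists():
            return json.loads(self.state_path.read_text()).get("unknown_count", 0)
        return 0

    def _save(self):
        if self.state_path:
            self.state_path.parent.mkdir(parents=True, exist_ok=True)
            self.state_path.write_text(json.dumps({"unknown_count": self.unknown_count}))

    def inspect(self, raw_message, cli_recipients=()):
        """Return (unknown_addresses, alert).  A message with at least one
        unknown recipient counts once, however many such addresses it has;
        the alert fires once the count exceeds the threshold."""
        unknown = recipients(raw_message, cli_recipients) - self.allowlist
        if unknown:
            self.unknown_count += 1
            self._save()
        return unknown, self.unknown_count > self.threshold


def relay(raw_message, cli_args=("-t",), sendmail=REAL_SENDMAIL):
    """Hand the message to the real MTA unchanged: inspection only counts
    and alerts, it never blocks delivery (the sender is contained, not
    trusted, so an alert is the point, not a bounce)."""
    subprocess.run([sendmail, *cli_args], input=raw_message.encode(), check=True)


if __name__ == "__main__":
    import sys
    raw = sys.stdin.read()
    args = sys.argv[1:]
    cli_rcpts = [a for a in args if not a.startswith("-")]
    watch = MailWatch(state_path=DEFAULT_STATE)
    unknown, alert = watch.inspect(raw, cli_rcpts)
    if unknown:
        sys.stderr.write("mailwatch: unknown recipients %s\n" % sorted(unknown))
    if alert:
        # The alert must leave by a channel the web server user cannot
        # reach (syslog on the host, a file outside the jail); stderr
        # stands in for that here.
        sys.stderr.write("mailwatch: ALERT: %d messages to unknown "
                         "recipients\n" % watch.unknown_count)
    relay(raw, args)
```

Two caveats a practitioner would want: the state file and the alert channel must live where the web server user cannot write, or the first thing the intruder does is reset the counter; and because the script only counts and never bounces, the alert tells you the account is being abused without changing what the attacker sees, which is what the post asks for.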