> filtered, but that won't stop them. If a cracker wants to spend time rooting
> the firewall I wish them well, at least while they are trying to get root on
> the firewall, they aren't trying to attack other hosts.

This has nothing to do with man pages anymore but as an aside, you're
assuming that he wants to attack other boxes.. what about if he wants to
sit and sniff.. and later collect his goodies? How many admins check their
segments regularly for promisc interfaces (use switches to mitigate risks
please!)? It could be months before someone realises... and by then
they're most probably gone without a trace. Especially if they're looking
for something specific, in which case his strange tcpdump
<big-arse-nasty-filter>|grep combo won't output much at all and he'll
output it to "/dev/pty2345" which won't grow beyond 2k in months etc..

Anyway, he'll need root to put ethx into promisc mode.. Or what if he
wants to modify data going through the firewall for his own purposes with
netsed or similar? Think of how many thousands upon thousands of
applications are poorly coded and will quite happily accept packets
modified in transit.. think online banking, think shopping apps, think
live stock feeds etc... sit there and modify the share price of BHP down
or up by 10% for a day.. and then switch it around the next day.. confuse
the hell out of people and cause them to make silly mistakes.. or fiddle
with the data feed of a large merchant bank you've taken the firewall
of.. hey, you can make money out of this.. 

Of course we're assuming lots and lots and lots of things here, but you
get the drift..

There are a myriad of scenarios here. Any time an attacker spends on
*any* of your boxes is Bad Karma(tm).

> > Correct. As well as seemingly harmless binaries like "uname" and even the
> > layout of the filesystem.
> 
> Removing uname isn't going to buy me much.
> find  /proc -exec less {} \;
> /proc is bad, mmmkay.

*grin*

> I've never tried to run a box without proc, I might give it a go.

Bad Karma(tm) if you're using the box as a "multiuser" box.. if you're
just running it as a firewall with no actual users doing stuff on the box
- you should be fine.. just don't try anything exciting.. :)

> You bring up a good point about ntp auth, obviously ntp will be
> filtered, but that won't stop forged packets (and unfortunately,
> neither will some of our routers (yet)). I wonder if someone could
> send bogus ntp packets and shift the time on the firewall?

If you're running the xntpd as a "broadcastclient" (which I've seen a lot
of people do, as they get the router on the segment to be an ntp master
and get it to broadcast).. then yes, very easy to set the time remotely.

However, if you're logging elsewhere, and they change your time, it
doesn't really matter, as the logs you'll have elsewhere will show that
the time looks "strange" (in fact the syslog on the remote
logging box will timestamp it itself and the box that's doing the logging
won't offer a timestamp at all)..

However if you're strange/paranoid/etc you can get syslog to "mark" every
x minutes etc.. and gauge it that way.

(note that these aren't ideal situations, but ideas to aid).

//umar.
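As an added example (not part of the thread), here is one way to do the check umar describes: compare the firewall's own header timestamp against the loghost's receipt timestamp to spot a sudden clock shift, and use the periodic syslog "-- MARK --" lines to spot gaps in logging. The log format, the hostnames and the sample lines are constructed assumptions for this example.

```python
import re
from datetime import datetime

# Constructed sample of what a remote loghost records for firewall "fw1":
# the loghost's receipt timestamp, then the line exactly as fw1 sent it,
# including fw1's own header timestamp. The third line simulates fw1's
# clock being pushed two hours ahead; the last line arrives an hour late.
SAMPLE_LOG = """\
2024-03-10T12:00:01 loghost fw1: Mar 10 12:00:00 fw1 syslogd: -- MARK --
2024-03-10T12:20:01 loghost fw1: Mar 10 12:20:00 fw1 syslogd: -- MARK --
2024-03-10T12:40:01 loghost fw1: Mar 10 14:40:00 fw1 syslogd: -- MARK --
2024-03-10T13:00:01 loghost fw1: Mar 10 15:00:00 fw1 syslogd: -- MARK --
2024-03-10T14:00:02 loghost fw1: Mar 10 16:00:00 fw1 syslogd: -- MARK --
"""

LINE_RE = re.compile(
    r"^(?P<recv>\S+) \S+ (?P<host>\S+): "
    r"(?P<sent>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) \S+ (?P<msg>.*)$")

def parse(log_text):
    """Yield (receipt_time, sender_time, host, message) per well-formed line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        recv = datetime.fromisoformat(m["recv"])
        # BSD syslog timestamps carry no year; borrow it from the receipt time.
        sent = datetime.strptime(f"{recv.year} {m['sent']}", "%Y %b %d %H:%M:%S")
        yield recv, sent, m["host"], m["msg"]

def clock_jumps(log_text, max_step=300):
    """Flag lines where the sender's offset from the loghost clock changed by
    more than max_step seconds since the previous line. A constant offset is
    tolerated; a sudden change is what a remote time shift looks like."""
    jumps, prev_offset = [], None
    for recv, sent, host, _ in parse(log_text):
        offset = (sent - recv).total_seconds()
        if prev_offset is not None and abs(offset - prev_offset) > max_step:
            jumps.append((host, recv.isoformat(), offset - prev_offset))
        prev_offset = offset
    return jumps

def mark_gaps(log_text, interval=20 * 60, slack=120):
    """Flag MARK lines arriving more than interval+slack seconds after the
    previous one (by the loghost clock): syslog on the sender stopped, or
    the path to the loghost was cut, for longer than the mark interval."""
    gaps, prev = [], None
    for recv, _, host, msg in parse(log_text):
        if "-- MARK --" not in msg:
            continue
        if prev is not None and (recv - prev).total_seconds() > interval + slack:
            gaps.append((host, prev.isoformat(), recv.isoformat()))
        prev = recv
    return gaps
```

Run both functions over the sample: `clock_jumps` reports the two-hour jump at 12:40 and `mark_gaps` reports the missing marks between 13:00 and 14:00.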



-- 
SLUG - Sydney Linux User Group Mailing List - http://slug.org.au/
More Info: http://slug.org.au/lists/listinfo/slug