Honeypots mailing list archives

Re: securing a bridge


From: "Anton A. Chuvakin" <anton () chuvakin org>
Date: Thu, 29 May 2003 11:44:23 -0400 (EDT)

> Are there any special things to do to secure a bridge other than
> the 'traditional' securing of a linux box?  I am using a bridge in a GenII
Well, here are some ideas I wanted to play with but didn't have time...

First, how do you exploit the bridge - I don't know (kernel bugs, etc),
but I can hypothesize what has to happen after whatever exploit is
successful. The attacker will need to enable connectivity to the bridge so
that he can have a shell session or just to execute a command. Thus, in
addition to regular host hardening applied to the honeynet bridge, I was
planning to deploy something like LIDS to prevent certain commands from
working.

E.g. 'ifconfig' may be restricted using LIDS, so that it only runs during
system startup. Thus, raising an interface starts to become tricky.
Similarly, following a lengthy and meticulous process, you can identify
some of the things which might be abused on the bridge and lock them with
LIDS, so even root cannot run them during normal system operation. At
least, lots of user-space components may be locked in this manner.  As for
kernel-space, it makes sense to prevent an attacker's access to LKM and other
tricks, again using LIDS (and by disabling modules).

More ideas?

Best,
-- 
  Anton A. Chuvakin, Ph.D., GCI*
     http://www.chuvakin.org
   http://www.info-secure.org
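An added audit script (not part of the thread, and not LIDS configuration) that checks the two properties the reply relies on: that no interface except the loopback carries an address, so the bridge stays unreachable over IP, and that kernel module loading has been disabled after boot. It parses the one-line-per-address format of `ip -o addr show` and reads `kernel.modules_disabled`; the sample `ip` output and the sysctl path argument are constructed for illustration.

```shell
#!/bin/sh
# Audit a Linux honeynet bridge: no IP addresses on bridge ports, no LKM loading.
# Added example, not code from the mailing-list post.

# Returns 0 if no interface other than "lo" carries an inet/inet6 address.
# $1: text in the format of `ip -o addr show` (fields: idx, ifname, family, addr...).
# Note that this also flags IPv6 link-local addresses, which appear on bridge
# ports by default and still make the host reachable on the segment.
bridge_has_no_addr() {
    offenders=$(printf '%s\n' "$1" \
        | awk '$2 != "lo" && ($3 == "inet" || $3 == "inet6") { print $2 }' \
        | sort -u | tr '\n' ' ')
    if [ -n "$offenders" ]; then
        echo "interfaces with addresses: $offenders" >&2
        return 1
    fi
    return 0
}

# Returns 0 if module loading is locked (kernel.modules_disabled = 1).
# $1 (optional): path of the sysctl file, so the check can run on a constructed file.
modules_locked() {
    f="${1:-/proc/sys/kernel/modules_disabled}"
    [ -r "$f" ] && [ "$(cat "$f")" = "1" ]
}

# Runs both checks against the live host; returns nonzero on any finding.
audit_bridge() {
    ok=0
    bridge_has_no_addr "$(ip -o addr show)" || ok=1
    modules_locked || { echo "kernel.modules_disabled is not 1" >&2; ok=1; }
    return $ok
}

# Constructed sample: bridge with ports eth0/eth1 enslaved to br0, only lo addressed.
SAMPLE_CLEAN='1: lo    inet 127.0.0.1/8 scope host lo
1: lo    inet6 ::1/128 scope host'

# Constructed sample: someone raised an address on br0 and eth1 kept a link-local.
SAMPLE_LEAKY='1: lo    inet 127.0.0.1/8 scope host lo
4: br0    inet 10.0.0.2/24 scope global br0
3: eth1    inet6 fe80::1/64 scope link'

bridge_has_no_addr "$SAMPLE_CLEAN" && echo "clean sample: no addresses on bridge ports"
bridge_has_no_addr "$SAMPLE_LEAKY" || echo "leaky sample: finding reported above"
```

Run `audit_bridge` from cron or a file-integrity job on the bridge itself; an unexpected address or a writable modules setting is exactly the post-exploitation change the post describes.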

