Honeypots mailing list archives
Re: securing a bridge
From: "Anton A. Chuvakin" <anton () chuvakin org>
Date: Thu, 29 May 2003 11:44:23 -0400 (EDT)
Are there any special things to do to secure a bridge other than the 'traditional' securing of a Linux box? I am using a bridge in a GenII
Well, here are some ideas I wanted to play with but didn't have time...

First, how do you exploit the bridge - I don't know (kernel bugs, etc), but I can hypothesize what has to happen after whatever exploit is successful. The attacker will need to enable connectivity to the bridge so that he can have a shell session or just to execute a command. Thus, in addition to regular host hardening applied to the honeynet bridge, I was planning to deploy something like LIDS to prevent certain commands from working. E.g. 'ifconfig' may be restricted using LIDS, so that it only runs during system startup. Thus, raising an interface starts to become tricky.

Similarly, following a lengthy and meticulous process, you can identify some of the things which might be abused on the bridge and lock them with LIDS, so even root cannot run them during normal system operation. At least, lots of user-space components may be locked in this manner. As for kernel-space, it makes sense to prevent attacker's access to LKM and other tricks, again using LIDS (and by disabling modules).

More ideas?

Best,
--
Anton A. Chuvakin, Ph.D., GCI*
http://www.chuvakin.org
http://www.info-secure.org
Current thread:
- securing a bridge kathya6200 (May 29)
- Re: securing a bridge Anton A. Chuvakin (May 29)
- Re: securing a bridge Hendrik Scholz (May 29)