miguel.filipe at gmail
Feb 17, 2005, 7:48 AM
Post #20 of 29
Hi all, I want to "brainstorm" too!
On Mon, 14 Feb 2005 22:33:37 +0100, me <me [at] n-tek> wrote:
> Well the deal more or less is:
> 1) Laptop is turned off: - try to break in without opening it or
> anything (BIOS password prevents this; laptop boots only from hard disk)
> 2) Laptop is booting: - try to break in (without changing boot order);
> grub pw prevents single user mode (encrypted partitions would prevent
> attack via windows)
> 3) Laptop is running, logged in with my user (member of wheel): -try to
> get root
Well.. this means... you have to be sure that you do not have any
keylogger, or "backdoor" on any command/path/file you use..
such as .bashrc, ssh, LD_LIBRARY_PATH, PATH, PROMPT_COMMAND, aliases..
basically.. if one gets a local admin account.. one just has to
log & wait to find the root password, or ssh key password, your own
password (for sudo use.. for instance)..
passwords that you use for email, or whatever, should be different, and
not remarkably similar.... I don't know if your mail client or
web browser keeps your saved passwords, even if encrypted, they should be...
Also take care with all setuid apps, especially cdrecord, kdesu, and
other graphical config/admin tools...
watch out about your "talks" with the attacker, social engineering
works pretty damn well...
Also be aware that exposing your personal computer to those
"adventures" means exposing your private keys (gpg, ssh), preferred
passwords, habits, knowledge and personal configs... which is an
information leak that can lead to the break-in of other machines you
maintain... and from there, he might get even more info to get root on
your local machine.
Also be prepared not to log in from that machine to any other remotely
important machine.. you might be being logged....
> 4) Laptop is running: -try to break in remotely and get user- or root-access
that means, choose carefully the services/applications that you have running.
Every machine you use to do ssh's or other "admin" activity _must_ be
safe, or you will be 0wn3d! :p
Every time I log in to some machine/account that I use for work (I'm an
admin) I must be assured that the machine I'm typing on is safe, or even
that logging the keyboard/network will not compromise..
That means that you, on your girlfriend's, sister's, father's, or friend's
computer, should never log in to user accounts related to your work
without using ssh keys with a password.. which are configured in putty,
on my usb pen... (neat!!)
Well.. be paranoid.. I for one feel that anything is completely
crackable... it's just a matter of time and amount of effort.
Your best bet is to make him quit/desist from that attempt. (that means
you've won btw!!)
> Points 3 and 4 are my main concern as 1 and 2 are relatively easy to prevent
> Thx for the info so far
> Roland, Ryan M wrote:
> >Firstly, this sounds like a thinly veiled attempt to get this list to help
> >you secure your laptop, but since I'm bored ... :)
> >What are the details of the bet? What constitutes 'hacked'? Simply logging
> >in? Or getting root?
> >Also, physical access to the machine is a serious handicap to trying to
> >secure the thing against hacks. Make sure that the BIOS is set to boot from
> >HDD first and only. We don't want him throwing in a CD/floppy/USB key and
> >being able to boot to it. But even this can be overcome if they have
> >physical access by flashing or resetting the BIOS to defaults. If you want
> >an additional layer against that, using encrypted filesystems can help
> >mitigate that.
> >Quicktables may let you get a firewall up without requiring much of an
> >understanding of iptables syntax:
> >I often have 'interactive', 'idle' and 'locked' scripts. I run
> >'interactive' and it clears the table, and runs the set that is somewhat
> >open; allowing me to run gnutella, Gaim, IRC, mount network shares, etc. I
> >run 'idle' and it clears the table and closes everything down except my ssh
> >and web server ports. I run 'locked' and it closes down EVERYTHING.
> >Running a nessus scan on the machine is also helpful in making sure that it
> >doesn't have any known network vulnerabilities in either the version or
> >configuration of your software/daemons.
> >And there are many other steps that fall under the 'intrusion detection'
> >category that don't seem to be necessary (for your bet anyway) since you're
> >just blocking against attack, not trying to determine if, when, and how
> >someone got in.
> >Anyway, just a few quick suggestions. Have fun!
> >Ryan Roland
> >Application Developer
> >Information Technology
> >Division of Recreational Sports
> >Indiana University
> >-----Original Message-----
> >From: me [mailto:me [at] n-tek]
> >Sent: Monday, February 14, 2005 15:47
> >To: gentoo-security [at] lists
> >Subject: [gentoo-security] Securing Laptop with Gentoo
> >I have a Laptop which is running Gentoo with 2.6.10 dev kernel which I
> >would like to make secure (locally/remotely). Thing is that our external
> >IT pro bet that he will hack my machine in no time, locally and remote.
> >Of course I said that he won't be able to do so, cos this is gentoo
> >and no color-bitmap distro with lots of services running by default.
> >(I already read the Security Guide of gentoo and made my best out of it...)
> >I just wanna prove him wrong with his saying "Linux is insecure, Windows
> >Server 2003 is much more secure..." (ok this is a desktop system but
> >it's just a detail)
> >I have difficulties with the hardened sources so that is probably not an
> >Because I have a laptop I have 3 different NICs, internal LAN, internal
> >WLAN, pcmcia WLAN, which I use in dhcp and static environments. I'm
> >absolutely new to iptables so if someone could give some hints to set it
> >up properly for a changing environment I would be thankful. (I already
> >have it working in the kernel, only the rules with changing environments
> >are the problem)
> >What I did so far:
> >-Bios Password (had that since ever)
> >-Grub Password (to prevent unauthorized single user mode)
> >-Emerged Cracklib to check for insecure passwords
> >-Emerged chkrootkit (Maybe AIDE or tripwire would also be a good idea)
> >I don't have any special services running or at least I think that. I'm
> >using X with gnome. Apart from that everything should be standard...
> >netstat -an |grep LISTEN gives the following output: (not sure about
> >those listening apps...)
> >unix 2 [ ACC ] STREAM LISTENING 9368 /tmp/mapping-ph03n1x
> >unix 2 [ ACC ] STREAM LISTENING 6796 /var/run/acpid.socket
> >unix 2 [ ACC ] STREAM LISTENING 9151 /tmp/orbit-ph03n1x/linc-23a8-0-747990af24219
> >unix 2 [ ACC ] STREAM LISTENING 10230 /var/run/sdp
> >unix 2 [ ACC ] STREAM LISTENING 9250 /tmp/orbit-ph03n1x/linc-23cc-0-3c74524d40482
> >unix 2 [ ACC ] STREAM LISTENING 9450 /tmp/orbit-ph03n1x/linc-23e9-0-51420772e669c
> >unix 2 [ ACC ] STREAM LISTENING 9273 /tmp/orbit-ph03n1x/linc-23d0-0-234b493cb627
> >unix 2 [ ACC ] STREAM LISTENING 9295 /tmp/orbit-ph03n1x/linc-23ce-0-6fd415ea4991b
> >unix 2 [ ACC ] STREAM LISTENING 9312 /tmp/orbit-ph03n1x/linc-23d2-0-6fd415eaa17b7
> >unix 2 [ ACC ] STREAM LISTENING 9337 /tmp/orbit-ph03n1x/linc-23d6-0-2c6cd1b9c57f0
> >unix 2 [ ACC ] STREAM LISTENING 9481 /tmp/orbit-ph03n1x/linc-23eb-0-36888b137b61
> >unix 2 [ ACC ] STREAM LISTENING 9513 /tmp/orbit-ph03n1x/linc-23ed-0-2d56a133679c7
> >unix 2 [ ACC ] STREAM LISTENING 9549 /tmp/orbit-ph03n1x/linc-23ef-0-2d56a133e0eaa
> >unix 2 [ ACC ] STREAM LISTENING 9576 /tmp/orbit-ph03n1x/linc-23f1-0-1efbc33811b7b
> >unix 2 [ ACC ] STREAM LISTENING 9604 /tmp/orbit-ph03n1x/linc-23f3-0-1efbc3383485f
> >unix 2 [ ACC ] STREAM LISTENING 8760 /tmp/.gdm_socket
> >unix 2 [ ACC ] STREAM LISTENING 8914 /tmp/ssh-slrppa9099/agent.9099
> >unix 2 [ ACC ] STREAM LISTENING 8786 /tmp/.X11-unix/X0
> >unix 2 [ ACC ] STREAM LISTENING 8928 /tmp/orbit-ph03n1x/linc-239e-0-64ef23a484ccf
> >unix 2 [ ACC ] STREAM LISTENING 8937 /tmp/orbit-ph03n1x/linc-238b-0-1776021e90190
> >unix 2 [ ACC ] STREAM LISTENING 9115 /tmp/.ICE-unix/9099
> >unix 2 [ ACC ] STREAM LISTENING 9123 /tmp/keyring-z2lvfy/socket
> >unix 2 [ ACC ] STREAM LISTENING 9132 /tmp/orbit-ph03n1x/linc-23a6-0-5b616fb4ba76e
> >unix 2 [ ACC ] STREAM LISTENING 9925 /tmp/orbit-ph03n1x/linc-242d-0-5ed286a6e3a73
> >Would be nice if some of you guys could point me to the main mistakes
> >someone inexperienced like me could make so I can fix that up or just
> >share your knowledge and experiences
> >I would also like to run snort on my laptop I think it could make sense,
> >don't you?
> >Whatever you have for me just shoot...
Miguel Sousa Filipe
gentoo-security [at] gentoo mailing list
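Miguel's point 3 advice above (check .bashrc, PATH, LD_LIBRARY_PATH, PROMPT_COMMAND, aliases and the setuid set) can be turned into a repeatable self-check. The script below is an added example written for this thread, not code posted by any participant: it flags PATH entries that another local user could plant a binary in, loader/shell variables that are set at all, start-up files that someone other than the account owner could have edited (aliases live in those files), and the setuid/setgid binaries on the system so the list can be reviewed and trimmed. The variable and file lists are my assumptions about what is worth checking on a bash-based Gentoo box; extend them for other shells.

```python
"""Audit a user account for the local persistence vectors named in the thread:
shell start-up files, PATH, LD_* loader variables, PROMPT_COMMAND and setuid binaries.
Added example for this thread, not code posted by any participant."""
import os
import stat

# Variables that make every later command run someone else's code if a local
# attacker can set them (for instance by appending a line to a start-up file).
# Assumed list; adjust for the shells actually in use.
LOADER_VARS = ("LD_PRELOAD", "LD_LIBRARY_PATH", "LD_AUDIT", "PROMPT_COMMAND", "BASH_ENV", "ENV")
# Files bash reads on start-up; aliases and PATH changes are defined here too.
STARTUP_FILES = (".bashrc", ".bash_profile", ".bash_login", ".profile", ".bash_aliases", ".ssh/rc")
GROUP_OR_WORLD_W = stat.S_IWGRP | stat.S_IWOTH


def audit_path(path_value):
    """Return (entry, reason) pairs for PATH entries in which someone other than
    the owner could place a file that shadows a real command such as `sudo`."""
    findings = []
    for entry in path_value.split(":"):
        if entry in ("", "."):
            findings.append((entry or "<empty>", "current directory is searched"))
        elif not entry.startswith("/"):
            findings.append((entry, "relative entry"))
        else:
            try:
                mode = os.lstat(entry).st_mode
            except FileNotFoundError:
                findings.append((entry, "directory missing; check who may create it"))
                continue
            # A sticky bit does not help here: new file names can still be created.
            if mode & GROUP_OR_WORLD_W:
                findings.append((entry, "group/world-writable directory"))
    return findings


def audit_env(env):
    """Return the loader/shell variables from `env` that are set to anything."""
    return [(name, env[name]) for name in LOADER_VARS if env.get(name)]


def audit_startup_files(home, uid):
    """Flag start-up files that someone other than `uid` could have edited."""
    findings = []
    for name in STARTUP_FILES:
        path = os.path.join(home, name)
        try:
            st = os.lstat(path)
        except FileNotFoundError:
            continue
        if stat.S_ISLNK(st.st_mode):
            findings.append((path, "is a symlink; inspect the target"))
        if st.st_uid != uid:
            findings.append((path, "not owned by the user"))
        if st.st_mode & GROUP_OR_WORLD_W:
            findings.append((path, "group/world-writable"))
    return findings


def find_setuid(dirs):
    """List regular files with the setuid or setgid bit under `dirs`, sorted,
    so the set (the thread names cdrecord and kdesu) can be reviewed."""
    found = []
    for top in dirs:
        for root, _, files in os.walk(top):
            for name in files:
                path = os.path.join(root, name)
                try:
                    st = os.lstat(path)
                except OSError:
                    continue
                if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                    found.append(path)
    return sorted(found)


def run_audit():
    """Audit the current account, print a report and return the number of findings."""
    home = os.path.expanduser("~")
    findings = (audit_path(os.environ.get("PATH", ""))
                + audit_env(os.environ)
                + audit_startup_files(home, os.getuid()))
    for subject, reason in findings:
        print(f"WARN {subject}: {reason}")
    for path in find_setuid(["/usr/bin", "/usr/sbin", "/bin", "/sbin"]):
        print(f"SETUID {path}")
    return len(findings)


if __name__ == "__main__":
    run_audit()
```

Run it as the account in question right after logging in; a clean run prints nothing but the setuid inventory, and that inventory is what to compare against a known-good copy (or feed to AIDE/tripwire, as the original poster considers) after the laptop has been out of your hands.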
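The `netstat -an | grep LISTEN` listing quoted above contains only `unix` lines. UNIX domain sockets are reachable only by processes on the same machine, so they belong to point 3 (local attacker), not point 4 (remote); what decides point 4 is the tcp/udp section and, within it, which sockets are bound to a non-loopback address. The classifier below is an added example for this thread, not code from any participant. Its sample input is constructed: the `unix` lines mirror the quoted format, while the tcp/udp lines are invented to show each category, and the column layout assumed is that of Linux `netstat -an` (proto, queues, local address, foreign address, state for tcp; no state column for udp).

```python
"""Split `netstat -an` output into network-reachable, loopback-only and
UNIX-socket listeners. Added example for this thread, not a participant's code."""

# Constructed sample: tcp/udp lines invented for illustration, unix lines
# in the same format as the listing quoted in the thread.
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN
tcp        0      0 192.168.1.10:22         192.168.1.20:50312      ESTABLISHED
tcp6       0      0 :::80                   :::*                    LISTEN
udp        0      0 0.0.0.0:68              0.0.0.0:*
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags       Type       State         I-Node Path
unix  2      [ ACC ]     STREAM     LISTENING     9368   /tmp/mapping-ph03n1x
unix  2      [ ACC ]     STREAM     LISTENING     6796   /var/run/acpid.socket
unix  2      [ ACC ]     STREAM     LISTENING     8786   /tmp/.X11-unix/X0
unix  3      [ ]         STREAM     CONNECTED     9401
"""

# Addresses that only local processes can connect to.
LOOPBACK_PREFIXES = ("127.", "::1")


def classify(netstat_text):
    """Return {'remote': [...], 'loopback': [...], 'unix': [...]}.

    remote   - tcp LISTEN or bound udp sockets on a non-loopback address
               (these are what a remote attacker can reach);
    loopback - tcp/udp sockets bound to 127.x or ::1 only;
    unix     - UNIX domain sockets in LISTENING state (local only)."""
    result = {"remote": [], "loopback": [], "unix": []}
    for line in netstat_text.splitlines():
        fields = line.split()
        if not fields:
            continue
        proto = fields[0]
        if proto.startswith("unix"):
            # Path is the last column; connected (non-listening) sockets are skipped.
            if "LISTENING" in fields:
                result["unix"].append(fields[-1])
            continue
        if not proto.startswith(("tcp", "udp")):
            continue  # section headers and column titles
        if proto.startswith("tcp") and (len(fields) < 6 or fields[5] != "LISTEN"):
            continue  # established or closing tcp sockets are not listeners
        # udp has no state column: every bound udp socket receives datagrams.
        addr, _, port = fields[3].rpartition(":")
        bucket = "loopback" if addr.startswith(LOOPBACK_PREFIXES) else "remote"
        result[bucket].append(f"{proto}/{port} on {addr}")
    return result


def report(netstat_text):
    """Print the classification; the 'remote' list is the point-4 attack surface."""
    buckets = classify(netstat_text)
    for name in ("remote", "loopback", "unix"):
        print(f"== {name} ({len(buckets[name])}) ==")
        for entry in buckets[name]:
            print("  " + entry)
    return buckets


if __name__ == "__main__":
    report(SAMPLE_NETSTAT)
```

Feed it live output with `netstat -an | python3 classify.py`-style plumbing (read `sys.stdin.read()` in place of the sample), or the equivalent from `ss -antu` on newer systems; anything in the `remote` bucket should either be a service you deliberately offer or be closed, which is exactly the distinction Ryan's 'idle' and 'locked' iptables scripts enforce.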