Mailing List Archive

Encrypted filesystem would be good :)
Otherwise he can pull the pw's off the disc booted from a CD or
something. He can always find a way to reset the bios settings, thus
losing your bios pw. Then he can add CD-ROM as bootable, and can
change your root pw, or start cracking away at your shadow file. Or he
wouldn't bother, he already has full access to your filesystem at that
point.

At least, that's what I'd try to do. Encrypted file system would
definitely throw a monkey wrench into that plan 'o attack. Of course
that only helps ya for protecting the local access to the machine, I
don't know much about iptables and such....


d


On Mon, 14 Feb 2005 21:46:45 +0100, me <me@n-tek.ch> wrote:
> Hello
>
> I have a Laptop wich is running Gentoo with 2.6.10 dev kernel which I
> would like to make secure (locally/remotely). Thing is that our external
> IT pro bet that he will hack my machine in no time, locally and remote.
> Of course I said that he won't be able to do so Smile cos this is gentoo
> and no color-bitmap distro with a lots of services running by default.
> (I already read the Security Guide of gentoo and made my best out of it...)
>
> I just wanna prove him wrong with his saying "Linux is insecure, Windows
> Server 2003 is much more secure..." (ok this is a desktop system but
> it's just a detail Very Happy )
>
> I have difficulties with the hardened sources so that is probably not an
> option.
>
> Because I have a laptop I have 3 different NICs, internal LAN, internal
> WLAN, pcmcia WLAN, which i use in dhcp an static enviroments. I'm
> absolutely new to iptables so if someone could give some hints to set it
> up properly for a changing enviroment i would be thankful. ( I already
> have it working in the kernel only the rules with changing enviroments
> is the problem)
>
> What I did so far:
>
> -Bios Password (had that since ever)
> -Grub Password (to prevent unauthorized single user mode)
> -Emerged Cracklib to check for insecure passwords
> -Emerged chkrootkit (Maybe AIDE or tripwire would also be a good idea)
>
> I don't have any special services running or at least I think that. I'm
> using X with gnome. Apart from that everything should be standard...
>
> netstat -an |grep LISTEN gives the following output: (not sure about
> those listening apps...)
>
> *Code:*
> unix 2 [ ACC ] STREAM LISTENING 9368
> /tmp/mapping-ph03n1x
> unix 2 [ ACC ] STREAM LISTENING 6796
> /var/run/acpid.socket
> unix 2 [ ACC ] STREAM LISTENING 9151
> /tmp/orbit-ph03n1x/linc-23a8-0-747990af24219
> unix 2 [ ACC ] STREAM LISTENING 10230 /var/run/sdp
> unix 2 [ ACC ] STREAM LISTENING 9250
> /tmp/orbit-ph03n1x/linc-23cc-0-3c74524d40482
> unix 2 [ ACC ] STREAM LISTENING 9450
> /tmp/orbit-ph03n1x/linc-23e9-0-51420772e669c
> unix 2 [ ACC ] STREAM LISTENING 9273
> /tmp/orbit-ph03n1x/linc-23d0-0-234b493cb627
> unix 2 [ ACC ] STREAM LISTENING 9295
> /tmp/orbit-ph03n1x/linc-23ce-0-6fd415ea4991b
> unix 2 [ ACC ] STREAM LISTENING 9312
> /tmp/orbit-ph03n1x/linc-23d2-0-6fd415eaa17b7
> unix 2 [ ACC ] STREAM LISTENING 9337
> /tmp/orbit-ph03n1x/linc-23d6-0-2c6cd1b9c57f0
> unix 2 [ ACC ] STREAM LISTENING 9481
> /tmp/orbit-ph03n1x/linc-23eb-0-36888b137b61
> unix 2 [ ACC ] STREAM LISTENING 9513
> /tmp/orbit-ph03n1x/linc-23ed-0-2d56a133679c7
> unix 2 [ ACC ] STREAM LISTENING 9549
> /tmp/orbit-ph03n1x/linc-23ef-0-2d56a133e0eaa
> unix 2 [ ACC ] STREAM LISTENING 9576
> /tmp/orbit-ph03n1x/linc-23f1-0-1efbc33811b7b
> unix 2 [ ACC ] STREAM LISTENING 9604
> /tmp/orbit-ph03n1x/linc-23f3-0-1efbc3383485f
> unix 2 [ ACC ] STREAM LISTENING 8760 /tmp/.gdm_socket
> unix 2 [ ACC ] STREAM LISTENING 8914
> /tmp/ssh-slrppa9099/agent.9099
> unix 2 [ ACC ] STREAM LISTENING 8786 /tmp/.X11-unix/X0
> unix 2 [ ACC ] STREAM LISTENING 8928
> /tmp/orbit-ph03n1x/linc-239e-0-64ef23a484ccf
> unix 2 [ ACC ] STREAM LISTENING 8937
> /tmp/orbit-ph03n1x/linc-238b-0-1776021e90190
> unix 2 [ ACC ] STREAM LISTENING 9115
> /tmp/.ICE-unix/9099
> unix 2 [ ACC ] STREAM LISTENING 9123
> /tmp/keyring-z2lvfy/socket
> unix 2 [ ACC ] STREAM LISTENING 9132
> /tmp/orbit-ph03n1x/linc-23a6-0-5b616fb4ba76e
> unix 2 [ ACC ] STREAM LISTENING 9925
> /tmp/orbit-ph03n1x/linc-242d-0-5ed286a6e3a73
>
> Would be nice if some of you guys could point me to the main mistakes
> someone unexperienced like me could make so I can fix that up or just
> share your knowledge and experiences
>
> I would also like to run snort on my laptop I think it could make sense,
> don't you?
>
> Whatever you have for me just shoot...
>
> --
> gentoo-security@gentoo.org mailing list
>
>

--
gentoo-security@gentoo.org mailing list

Firstly, this sounds like a thinly veiled attempted to get this list to help
you secure your laptop, but since I'm bored ... :)

What are the details of the bet? What constitutes 'hacked'? Simply logging
in? Or getting root?

Also, physical access to the machine is a serious handicap to trying to
secure the thing against hacks. Make sure that the BIOS is set to boot from
HDD first and only. We don't want him throwing in a CD/floppy/USB key and
being able to boot to it. But even this can be overcome if they have
physical access by flashing or resetting the BIOS to defaults. If you want
an additional layer against that, using encrypted filesystems can help
mitigate that.

Quicktables may let you get a firewall up without requiring much of an
understanding of iptables syntax:

http://qtables.radom.org/index.php

I often have an 'interactive', a 'idle' and 'locked' scripts. I run
'interactive' and it clears the table, and runs the set that is somewhat
open; allowing me to run gnutella, Gaim, IRC, mount network shares, etc. I
run 'idle' and it clears the table and closes everything down except my ssh
and web server ports. I run 'locked' and it closes down EVERYTHING.

Running a nessus scan on the machine is also helpful in making sure that it
doesn't have any known network vulnerabilities in either the version or
configuration of your software/daemons.

And there are many other steps that fall under the 'intrusion detection'
category that don't seem to be necessary (for your bet anyway) since you're
just blocking against attack, not trying to determine if, when, and how
someone got in.

Anyway, just a few quick suggestions. Have fun!


Ryan Roland

Application Developer
Information Technology
Division of Recreational Sports
Indiana University


-----Original Message-----
From: me [mailto:me@n-tek.ch]
Sent: Monday, February 14, 2005 15:47
To: gentoo-security@lists.gentoo.org
Subject: [gentoo-security] Securing Laptop with Gentoo

Hello

I have a Laptop wich is running Gentoo with 2.6.10 dev kernel which I
would like to make secure (locally/remotely). Thing is that our external
IT pro bet that he will hack my machine in no time, locally and remote.
Of course I said that he won't be able to do so Smile cos this is gentoo
and no color-bitmap distro with a lots of services running by default.
(I already read the Security Guide of gentoo and made my best out of it...)

I just wanna prove him wrong with his saying "Linux is insecure, Windows
Server 2003 is much more secure..." (ok this is a desktop system but
it's just a detail Very Happy )

I have difficulties with the hardened sources so that is probably not an
option.

Because I have a laptop I have 3 different NICs, internal LAN, internal
WLAN, pcmcia WLAN, which i use in dhcp an static enviroments. I'm
absolutely new to iptables so if someone could give some hints to set it
up properly for a changing enviroment i would be thankful. ( I already
have it working in the kernel only the rules with changing enviroments
is the problem)

What I did so far:

-Bios Password (had that since ever)
-Grub Password (to prevent unauthorized single user mode)
-Emerged Cracklib to check for insecure passwords
-Emerged chkrootkit (Maybe AIDE or tripwire would also be a good idea)

I don't have any special services running or at least I think that. I'm
using X with gnome. Apart from that everything should be standard...

netstat -an |grep LISTEN gives the following output: (not sure about
those listening apps...)

*Code:*
unix 2 [ ACC ] STREAM LISTENING 9368
/tmp/mapping-ph03n1x
unix 2 [ ACC ] STREAM LISTENING 6796
/var/run/acpid.socket
unix 2 [ ACC ] STREAM LISTENING 9151
/tmp/orbit-ph03n1x/linc-23a8-0-747990af24219
unix 2 [ ACC ] STREAM LISTENING 10230 /var/run/sdp
unix 2 [ ACC ] STREAM LISTENING 9250
/tmp/orbit-ph03n1x/linc-23cc-0-3c74524d40482
unix 2 [ ACC ] STREAM LISTENING 9450
/tmp/orbit-ph03n1x/linc-23e9-0-51420772e669c
unix 2 [ ACC ] STREAM LISTENING 9273
/tmp/orbit-ph03n1x/linc-23d0-0-234b493cb627
unix 2 [ ACC ] STREAM LISTENING 9295
/tmp/orbit-ph03n1x/linc-23ce-0-6fd415ea4991b
unix 2 [ ACC ] STREAM LISTENING 9312
/tmp/orbit-ph03n1x/linc-23d2-0-6fd415eaa17b7
unix 2 [ ACC ] STREAM LISTENING 9337
/tmp/orbit-ph03n1x/linc-23d6-0-2c6cd1b9c57f0
unix 2 [ ACC ] STREAM LISTENING 9481
/tmp/orbit-ph03n1x/linc-23eb-0-36888b137b61
unix 2 [ ACC ] STREAM LISTENING 9513
/tmp/orbit-ph03n1x/linc-23ed-0-2d56a133679c7
unix 2 [ ACC ] STREAM LISTENING 9549
/tmp/orbit-ph03n1x/linc-23ef-0-2d56a133e0eaa
unix 2 [ ACC ] STREAM LISTENING 9576
/tmp/orbit-ph03n1x/linc-23f1-0-1efbc33811b7b
unix 2 [ ACC ] STREAM LISTENING 9604
/tmp/orbit-ph03n1x/linc-23f3-0-1efbc3383485f
unix 2 [ ACC ] STREAM LISTENING 8760 /tmp/.gdm_socket
unix 2 [ ACC ] STREAM LISTENING 8914
/tmp/ssh-slrppa9099/agent.9099
unix 2 [ ACC ] STREAM LISTENING 8786 /tmp/.X11-unix/X0
unix 2 [ ACC ] STREAM LISTENING 8928
/tmp/orbit-ph03n1x/linc-239e-0-64ef23a484ccf
unix 2 [ ACC ] STREAM LISTENING 8937
/tmp/orbit-ph03n1x/linc-238b-0-1776021e90190
unix 2 [ ACC ] STREAM LISTENING 9115
/tmp/.ICE-unix/9099
unix 2 [ ACC ] STREAM LISTENING 9123
/tmp/keyring-z2lvfy/socket
unix 2 [ ACC ] STREAM LISTENING 9132
/tmp/orbit-ph03n1x/linc-23a6-0-5b616fb4ba76e
unix 2 [ ACC ] STREAM LISTENING 9925
/tmp/orbit-ph03n1x/linc-242d-0-5ed286a6e3a73



Would be nice if some of you guys could point me to the main mistakes
someone unexperienced like me could make so I can fix that up or just
share your knowledge and experiences

I would also like to run snort on my laptop I think it could make sense,
don't you?

Whatever you have for me just shoot...


--
gentoo-security@gentoo.org mailing list

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1



Localy, I can hack into Windows 2003 Server anytime too... Remote is
something completly different.

But I would like to know if he can remotely hack into linux anytime with
a basic desktop configuration. By "basic" I mean up to date software
(including kernel), a firewall (iptables) and maybe sshd (up to date).
No other hardned packages, no grsec, etc.

If we want to prove Linux can be a secure OS, we have to prove that you
don't have to be a security expert to maintain a secure desktop.

I'm not saying that I believe noone can hack into a basic Linux system.
I'm just saying I would like to know how hard/easy can that be.




- --
Rui Covelo
http://ruicovelo.2ya.com







-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFCERjMfLPhlaxNQk0RAlYpAJ9H7FeuRFlozUmHBI/XkzHYV8Wi9ACfcmqL
4IU/RKHmuftiWkHpDKFERbY=
=oZJQ
-----END PGP SIGNATURE-----

--
gentoo-security@gentoo.org mailing list

Well the deal more or less is:

1) Laptop is turned off: - try to break in without opening it or
anything so bios password prevents this, laptop boots only from harddisk)
2) Laptop is booting: - try to break in (without changing boot order)
grub pw prevents single user mode (encrypted partitions would prevent
attack via windows)
3) Laptop is running, logged in with my user (member of wheel): -try to
get root
4) Laptop is running: -try to break in remotely and get user- or root-access

Points 3 and 4 are my main concern as 1 and 2 are relatively easy to prevent

Thx for the infos so far


Roland, Ryan M wrote:

>Firstly, this sounds like a thinly veiled attempted to get this list to help
>you secure your laptop, but since I'm bored ... :)
>
>What are the details of the bet? What constitutes 'hacked'? Simply logging
>in? Or getting root?
>
>Also, physical access to the machine is a serious handicap to trying to
>secure the thing against hacks. Make sure that the BIOS is set to boot from
>HDD first and only. We don't want him throwing in a CD/floppy/USB key and
>being able to boot to it. But even this can be overcome if they have
>physical access by flashing or resetting the BIOS to defaults. If you want
>an additional layer against that, using encrypted filesystems can help
>mitigate that.
>
>Quicktables may let you get a firewall up without requiring much of an
>understanding of iptables syntax:
>
>http://qtables.radom.org/index.php
>
>I often have an 'interactive', a 'idle' and 'locked' scripts. I run
>'interactive' and it clears the table, and runs the set that is somewhat
>open; allowing me to run gnutella, Gaim, IRC, mount network shares, etc. I
>run 'idle' and it clears the table and closes everything down except my ssh
>and web server ports. I run 'locked' and it closes down EVERYTHING.
>
>Running a nessus scan on the machine is also helpful in making sure that it
>doesn't have any known network vulnerabilities in either the version or
>configuration of your software/daemons.
>
>And there are many other steps that fall under the 'intrusion detection'
>category that don't seem to be necessary (for your bet anyway) since you're
>just blocking against attack, not trying to determine if, when, and how
>someone got in.
>
>Anyway, just a few quick suggestions. Have fun!
>
>
>Ryan Roland
>
>Application Developer
>Information Technology
>Division of Recreational Sports
>Indiana University
>
>
>-----Original Message-----
>From: me [mailto:me@n-tek.ch]
>Sent: Monday, February 14, 2005 15:47
>To: gentoo-security@lists.gentoo.org
>Subject: [gentoo-security] Securing Laptop with Gentoo
>
>Hello
>
>I have a Laptop wich is running Gentoo with 2.6.10 dev kernel which I
>would like to make secure (locally/remotely). Thing is that our external
>IT pro bet that he will hack my machine in no time, locally and remote.
>Of course I said that he won't be able to do so Smile cos this is gentoo
>and no color-bitmap distro with a lots of services running by default.
>(I already read the Security Guide of gentoo and made my best out of it...)
>
>I just wanna prove him wrong with his saying "Linux is insecure, Windows
>Server 2003 is much more secure..." (ok this is a desktop system but
>it's just a detail Very Happy )
>
>I have difficulties with the hardened sources so that is probably not an
>option.
>
>Because I have a laptop I have 3 different NICs, internal LAN, internal
>WLAN, pcmcia WLAN, which i use in dhcp an static enviroments. I'm
>absolutely new to iptables so if someone could give some hints to set it
>up properly for a changing enviroment i would be thankful. ( I already
>have it working in the kernel only the rules with changing enviroments
>is the problem)
>
>What I did so far:
>
>-Bios Password (had that since ever)
>-Grub Password (to prevent unauthorized single user mode)
>-Emerged Cracklib to check for insecure passwords
>-Emerged chkrootkit (Maybe AIDE or tripwire would also be a good idea)
>
>I don't have any special services running or at least I think that. I'm
>using X with gnome. Apart from that everything should be standard...
>
>netstat -an |grep LISTEN gives the following output: (not sure about
>those listening apps...)
>
>*Code:*
>unix 2 [ ACC ] STREAM LISTENING 9368
> /tmp/mapping-ph03n1x
>unix 2 [ ACC ] STREAM LISTENING 6796
> /var/run/acpid.socket
>unix 2 [ ACC ] STREAM LISTENING 9151
> /tmp/orbit-ph03n1x/linc-23a8-0-747990af24219
>unix 2 [ ACC ] STREAM LISTENING 10230 /var/run/sdp
>unix 2 [ ACC ] STREAM LISTENING 9250
> /tmp/orbit-ph03n1x/linc-23cc-0-3c74524d40482
>unix 2 [ ACC ] STREAM LISTENING 9450
> /tmp/orbit-ph03n1x/linc-23e9-0-51420772e669c
>unix 2 [ ACC ] STREAM LISTENING 9273
> /tmp/orbit-ph03n1x/linc-23d0-0-234b493cb627
>unix 2 [ ACC ] STREAM LISTENING 9295
> /tmp/orbit-ph03n1x/linc-23ce-0-6fd415ea4991b
>unix 2 [ ACC ] STREAM LISTENING 9312
> /tmp/orbit-ph03n1x/linc-23d2-0-6fd415eaa17b7
>unix 2 [ ACC ] STREAM LISTENING 9337
> /tmp/orbit-ph03n1x/linc-23d6-0-2c6cd1b9c57f0
>unix 2 [ ACC ] STREAM LISTENING 9481
> /tmp/orbit-ph03n1x/linc-23eb-0-36888b137b61
>unix 2 [ ACC ] STREAM LISTENING 9513
> /tmp/orbit-ph03n1x/linc-23ed-0-2d56a133679c7
>unix 2 [ ACC ] STREAM LISTENING 9549
> /tmp/orbit-ph03n1x/linc-23ef-0-2d56a133e0eaa
>unix 2 [ ACC ] STREAM LISTENING 9576
> /tmp/orbit-ph03n1x/linc-23f1-0-1efbc33811b7b
>unix 2 [ ACC ] STREAM LISTENING 9604
> /tmp/orbit-ph03n1x/linc-23f3-0-1efbc3383485f
>unix 2 [ ACC ] STREAM LISTENING 8760 /tmp/.gdm_socket
>unix 2 [ ACC ] STREAM LISTENING 8914
> /tmp/ssh-slrppa9099/agent.9099
>unix 2 [ ACC ] STREAM LISTENING 8786 /tmp/.X11-unix/X0
>unix 2 [ ACC ] STREAM LISTENING 8928
> /tmp/orbit-ph03n1x/linc-239e-0-64ef23a484ccf
>unix 2 [ ACC ] STREAM LISTENING 8937
> /tmp/orbit-ph03n1x/linc-238b-0-1776021e90190
>unix 2 [ ACC ] STREAM LISTENING 9115
> /tmp/.ICE-unix/9099
>unix 2 [ ACC ] STREAM LISTENING 9123
> /tmp/keyring-z2lvfy/socket
>unix 2 [ ACC ] STREAM LISTENING 9132
> /tmp/orbit-ph03n1x/linc-23a6-0-5b616fb4ba76e
>unix 2 [ ACC ] STREAM LISTENING 9925
> /tmp/orbit-ph03n1x/linc-242d-0-5ed286a6e3a73
>
>
>
>Would be nice if some of you guys could point me to the main mistakes
>someone unexperienced like me could make so I can fix that up or just
>share your knowledge and experiences
>
>I would also like to run snort on my laptop I think it could make sense,
>don't you?
>
>Whatever you have for me just shoot...
>
>
>--
>gentoo-security@gentoo.org mailing list
>
>
>
>



--
gentoo-security@gentoo.org mailing list

In all honesty, if a top-tier hacker REALLY wants in your box, unless you
really know what you're doing, and are very paranoid, he's probably gonna get
in. Now, can he just ping your IP, run netstat and get in within a few min?
Most likely only if you have blatant configuration mistakes or if you have
vulnerable packages.

Security isn't a 'yes' or 'no'. It's a gradient.


Thanks,




Ryan Roland

Application Developer
Information Technology
Division of Recreational Sports
Indiana University

812.855.9617
rmroland@indiana.edu


-----Original Message-----
From: Rui Covelo [mailto:rpfc@mega.ist.utl.pt]
Sent: Monday, February 14, 2005 16:32
To: me
Cc: gentoo-security@lists.gentoo.org
Subject: Re: [gentoo-security] Securing Laptop with Gentoo

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1



Localy, I can hack into Windows 2003 Server anytime too... Remote is
something completly different.

But I would like to know if he can remotely hack into linux anytime with
a basic desktop configuration. By "basic" I mean up to date software
(including kernel), a firewall (iptables) and maybe sshd (up to date).
No other hardned packages, no grsec, etc.

If we want to prove Linux can be a secure OS, we have to prove that you
don't have to be a security expert to maintain a secure desktop.

I'm not saying that I believe noone can hack into a basic Linux system.
I'm just saying I would like to know how hard/easy can that be.




- --
Rui Covelo
http://ruicovelo.2ya.com







-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFCERjMfLPhlaxNQk0RAlYpAJ9H7FeuRFlozUmHBI/XkzHYV8Wi9ACfcmqL
4IU/RKHmuftiWkHpDKFERbY=
=oZJQ
-----END PGP SIGNATURE-----

--
gentoo-security@gentoo.org mailing list

You are right but I'm not convinced yet that he is a top-tier, maybe a
middle-tier ;) which hopefully doesnt own my laptop...

I don't mind if he owns my laptop I just don't want to feel embarassed
because I overlooked something really stupid and basic. Since I'm not
that much into linux security yet I thought I better get some advises
from people who know something about it.

glsa-check --list should show me vulnerable packets shouldn't it?

So basically my goal is to make my laptop middle-tier-proof ;)



Roland, Ryan M wrote:

>In all honesty, if a top-tier hacker REALLY wants in your box, unless you
>really know what you're doing, and are very paranoid, he's probably gonna get
>in. Now, can he just ping your IP, run netstat and get in within a few min?
>Most likely only if you have blatant configuration mistakes or if you have
>vulnerable packages.
>
>Security isn't a 'yes' or 'no'. It's a gradient.
>
>
>Thanks,
>
>
>
>
>Ryan Roland
>
>Application Developer
>Information Technology
>Division of Recreational Sports
>Indiana University
>
>812.855.9617
>rmroland@indiana.edu
>
>
>-----Original Message-----
>From: Rui Covelo [mailto:rpfc@mega.ist.utl.pt]
>Sent: Monday, February 14, 2005 16:32
>To: me
>Cc: gentoo-security@lists.gentoo.org
>Subject: Re: [gentoo-security] Securing Laptop with Gentoo
>
>-----BEGIN PGP SIGNED MESSAGE-----
>Hash: SHA1
>
>
>
>Localy, I can hack into Windows 2003 Server anytime too... Remote is
>something completly different.
>
>But I would like to know if he can remotely hack into linux anytime with
>a basic desktop configuration. By "basic" I mean up to date software
>(including kernel), a firewall (iptables) and maybe sshd (up to date).
>No other hardned packages, no grsec, etc.
>
>If we want to prove Linux can be a secure OS, we have to prove that you
>don't have to be a security expert to maintain a secure desktop.
>
>I'm not saying that I believe noone can hack into a basic Linux system.
>I'm just saying I would like to know how hard/easy can that be.
>
>
>
>
>- --
>Rui Covelo
>http://ruicovelo.2ya.com
>
>
>
>
>
>
>
>-----BEGIN PGP SIGNATURE-----
>Version: GnuPG v1.2.6 (GNU/Linux)
>Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org
>
>iD8DBQFCERjMfLPhlaxNQk0RAlYpAJ9H7FeuRFlozUmHBI/XkzHYV8Wi9ACfcmqL
>4IU/RKHmuftiWkHpDKFERbY=
>=oZJQ
>-----END PGP SIGNATURE-----
>
>--
>gentoo-security@gentoo.org mailing list
>
>
>
>



--
gentoo-security@gentoo.org mailing list

On Mon, 14 Feb 2005, me wrote:

> Well the deal more or less is:
>
> 1) Laptop is turned off: - try to break in without opening it or
> anything so bios password prevents this, laptop boots only from harddisk)
> 2) Laptop is booting: - try to break in (without changing boot order)
> grub pw prevents single user mode (encrypted partitions would prevent
> attack via windows)
> 3) Laptop is running, logged in with my user (member of wheel): -try to
> get root
> 4) Laptop is running: -try to break in remotely and get user- or root-access
>
> Points 3 and 4 are my main concern as 1 and 2 are relatively easy to prevent

#1 & #2.
http://www.saout.de/misc/dm-crypt/
http://www.flyn.org/projects/cryptoswap/index.html
http://www.linux.com/article.pl?sid=04/06/07/2036205
http://www.sdc.org/~leila/usb-dongle/readme.html

#3. is a real sore point. Can be mitigated by posix capabilities/selinux.
Be careful you don't make the laptop unusable though. :-)

SELinux/Capabilities:
http://www.crypt.gen.nz/selinux/faq.html
http://lwn.net/Articles/69798/
http://lwn.net/Articles/79185/
http://www.linux-mag.com/2004-11/guru_01.html

(somewhat outdated)
http://ftp.kernel.org/pub/linux/libs/security/linux-privs/kernel-2.4/capfaq-0.2.txt
http://interactive.linuxjournal.com/article/5737

#4. is usually foiled by a good firewall setup; take extra care of your
wlan i/f.

http://www-106.ibm.com/developerworks/library/l-fw/
http://www.gentoo.org/proj/en/dynfw.xml
http://iptables-tutorial.frozentux.net/
http://www.netfilter.org/documentation/

A iptables gui that I've heard good things about:
http://www.fwbuilder.org/

Of course, don't start any more services than you absolutely need (as
root do 'rc-update show' to show you which services that gets started).
Personally, I would avoid running a gnome desktop, because of it's
plethora of net-centric support programs, but that may just be me. Anyway,
a simple window manager is usually faster as well (follow the
Keep.It.Simple.Stupid. - k.i.s.s. rule ;-). And the services that you need
should be properly configured to not listen on anything else but unix
sockets, unless you need them to.

Best regards

Peter K

--
gentoo-security@gentoo.org mailing list

Hey wow a lot of info, thx

Guess that will keep me busy for a week or so ;)


Peter Karlsson wrote:

>On Mon, 14 Feb 2005, me wrote:
>
>
>
>>Well the deal more or less is:
>>
>>1) Laptop is turned off: - try to break in without opening it or
>>anything so bios password prevents this, laptop boots only from harddisk)
>>2) Laptop is booting: - try to break in (without changing boot order)
>>grub pw prevents single user mode (encrypted partitions would prevent
>>attack via windows)
>>3) Laptop is running, logged in with my user (member of wheel): -try to
>>get root
>>4) Laptop is running: -try to break in remotely and get user- or root-access
>>
>>Points 3 and 4 are my main concern as 1 and 2 are relatively easy to prevent
>>
>>
>
>#1 & #2.
>http://www.saout.de/misc/dm-crypt/
>http://www.flyn.org/projects/cryptoswap/index.html
>http://www.linux.com/article.pl?sid=04/06/07/2036205
>http://www.sdc.org/~leila/usb-dongle/readme.html
>
>#3. is a real sore point. Can be mitigated by posix capabilities/selinux.
>Be careful you don't make the laptop unusable though. :-)
>
>SELinux/Capabilities:
>http://www.crypt.gen.nz/selinux/faq.html
>http://lwn.net/Articles/69798/
>http://lwn.net/Articles/79185/
>http://www.linux-mag.com/2004-11/guru_01.html
>
>(somewhat outdated)
>http://ftp.kernel.org/pub/linux/libs/security/linux-privs/kernel-2.4/capfaq-0.2.txt
>http://interactive.linuxjournal.com/article/5737
>
>#4. is usually foiled by a good firewall setup; take extra care of your
>wlan i/f.
>
>http://www-106.ibm.com/developerworks/library/l-fw/
>http://www.gentoo.org/proj/en/dynfw.xml
>http://iptables-tutorial.frozentux.net/
>http://www.netfilter.org/documentation/
>
>A iptables gui that I've heard good things about:
>http://www.fwbuilder.org/
>
>Of course, don't start any more services than you absolutely need (as
>root do 'rc-update show' to show you which services that gets started).
>Personally, I would avoid running a gnome desktop, because of it's
>plethora of net-centric support programs, but that may just be me. Anyway,
>a simple window manager is usually faster as well (follow the
>Keep.It.Simple.Stupid. - k.i.s.s. rule ;-). And the services that you need
>should be properly configured to not listen on anything else but unix
>sockets, unless you need them to.
>
>Best regards
>
>Peter K
>
>--
>gentoo-security@gentoo.org mailing list
>
>
>
>
>



--
gentoo-security@gentoo.org mailing list

On Mon, 14 Feb 2005, me wrote:

> Hey wow a lot of info, thx
>
> Guess that will keep me busy for a week or so ;)

Hey, you asked! ;-)

Best regards

Peter K

--
gentoo-security@gentoo.org mailing list

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Roland, Ryan M wrote:
| Firstly, this sounds like a thinly veiled attempted to get this list to help
| you secure your laptop, but since I'm bored ... :)
|
| What are the details of the bet? What constitutes 'hacked'? Simply logging
| in? Or getting root?

the key point.

how far are you willing to go? allways remember that security is enemy of
usability. if you abuse it or get unnecessarily paranoid, your system may easily
become useless.

many useful tips were already given here, so I'll refrain to do so. I'll comment
though.

clearly linux and win2k3 are completely different systems that can have very
different usage objectives.
security is not absolute so just throwing "windows is secure and linux is not"
just expresses lack of knowledge.

this link (http://www.acm.org/technews/articles/2005-7/0124m.html#item10) shows
some interesting statistics regarding qualitative security comparisons between
linux and windows systems. [full story here:
http://www.techworld.com/security/news/index.cfm?NewsID=2983&Page=1&pagePos=19]

best regards,
pedro venda.
- --

Pedro João Lopes Venda
email: pjlv@mega.ist.utl.pt
http://arrakis.dhis.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFCEU/2eRy7HWZxjWERAiztAJ9SRUTfzZnKtg+jn7il8IFDcn/fxgCgmqHD
7jEK0WU+a5JyioTpRDuOX64=
=IoTX
-----END PGP SIGNATURE-----

--
gentoo-security@gentoo.org mailing list

Hi

For the Chaos Communication Congress in Berlin this winter, there is a
site on the wiki "How to survive the Congress". It basically deals with
securing your laptop to survive between 2000 hackers...

https://21c3.ccc.de/wiki/index.php/How_to_Survive

greetings
fabian

me wrote:
> Hello
>
> I have a Laptop wich is running Gentoo with 2.6.10 dev kernel which I
> would like to make secure (locally/remotely). Thing is that our external
> IT pro bet that he will hack my machine in no time, locally and remote.
> Of course I said that he won't be able to do so Smile cos this is gentoo
> and no color-bitmap distro with a lots of services running by default.
> (I already read the Security Guide of gentoo and made my best out of it...)
>
> I just wanna prove him wrong with his saying "Linux is insecure, Windows
> Server 2003 is much more secure..." (ok this is a desktop system but
> it's just a detail Very Happy )
>
> I have difficulties with the hardened sources so that is probably not an
> option.
>
> Because I have a laptop I have 3 different NICs, internal LAN, internal
> WLAN, pcmcia WLAN, which i use in dhcp an static enviroments. I'm
> absolutely new to iptables so if someone could give some hints to set it
> up properly for a changing enviroment i would be thankful. ( I already
> have it working in the kernel only the rules with changing enviroments
> is the problem)
>
> What I did so far:
>
> -Bios Password (had that since ever)
> -Grub Password (to prevent unauthorized single user mode)
> -Emerged Cracklib to check for insecure passwords
> -Emerged chkrootkit (Maybe AIDE or tripwire would also be a good idea)
>
> I don't have any special services running or at least I think that. I'm
> using X with gnome. Apart from that everything should be standard...
>
> netstat -an |grep LISTEN gives the following output: (not sure about
> those listening apps...)
>
> *Code:*
> unix 2 [ ACC ] STREAM LISTENING 9368
> /tmp/mapping-ph03n1x
> unix 2 [ ACC ] STREAM LISTENING 6796
> /var/run/acpid.socket
> unix 2 [ ACC ] STREAM LISTENING 9151
> /tmp/orbit-ph03n1x/linc-23a8-0-747990af24219
> unix 2 [ ACC ] STREAM LISTENING 10230 /var/run/sdp
> unix 2 [ ACC ] STREAM LISTENING 9250
> /tmp/orbit-ph03n1x/linc-23cc-0-3c74524d40482
> unix 2 [ ACC ] STREAM LISTENING 9450
> /tmp/orbit-ph03n1x/linc-23e9-0-51420772e669c
> unix 2 [ ACC ] STREAM LISTENING 9273
> /tmp/orbit-ph03n1x/linc-23d0-0-234b493cb627
> unix 2 [ ACC ] STREAM LISTENING 9295
> /tmp/orbit-ph03n1x/linc-23ce-0-6fd415ea4991b
> unix 2 [ ACC ] STREAM LISTENING 9312
> /tmp/orbit-ph03n1x/linc-23d2-0-6fd415eaa17b7
> unix 2 [ ACC ] STREAM LISTENING 9337
> /tmp/orbit-ph03n1x/linc-23d6-0-2c6cd1b9c57f0
> unix 2 [ ACC ] STREAM LISTENING 9481
> /tmp/orbit-ph03n1x/linc-23eb-0-36888b137b61
> unix 2 [ ACC ] STREAM LISTENING 9513
> /tmp/orbit-ph03n1x/linc-23ed-0-2d56a133679c7
> unix 2 [ ACC ] STREAM LISTENING 9549
> /tmp/orbit-ph03n1x/linc-23ef-0-2d56a133e0eaa
> unix 2 [ ACC ] STREAM LISTENING 9576
> /tmp/orbit-ph03n1x/linc-23f1-0-1efbc33811b7b
> unix 2 [ ACC ] STREAM LISTENING 9604
> /tmp/orbit-ph03n1x/linc-23f3-0-1efbc3383485f
> unix 2 [ ACC ] STREAM LISTENING 8760 /tmp/.gdm_socket
> unix 2 [ ACC ] STREAM LISTENING 8914
> /tmp/ssh-slrppa9099/agent.9099
> unix 2 [ ACC ] STREAM LISTENING 8786 /tmp/.X11-unix/X0
> unix 2 [ ACC ] STREAM LISTENING 8928
> /tmp/orbit-ph03n1x/linc-239e-0-64ef23a484ccf
> unix 2 [ ACC ] STREAM LISTENING 8937
> /tmp/orbit-ph03n1x/linc-238b-0-1776021e90190
> unix 2 [ ACC ] STREAM LISTENING 9115 /tmp/.ICE-unix/9099
> unix 2 [ ACC ] STREAM LISTENING 9123
> /tmp/keyring-z2lvfy/socket
> unix 2 [ ACC ] STREAM LISTENING 9132
> /tmp/orbit-ph03n1x/linc-23a6-0-5b616fb4ba76e
> unix 2 [ ACC ] STREAM LISTENING 9925
> /tmp/orbit-ph03n1x/linc-242d-0-5ed286a6e3a73
>
>
>
> Would be nice if some of you guys could point me to the main mistakes
> someone unexperienced like me could make so I can fix that up or just
> share your knowledge and experiences
>
> I would also like to run snort on my laptop I think it could make sense,
> don't you?
>
> Whatever you have for me just shoot...
>
>
> --
> gentoo-security@gentoo.org mailing list
>
>

--
Kampagne gegen Bildungsabbau: www.gehrertrittzurueck.at

I prefer signed/encrypted Mail:
http://stud3.tuwien.ac.at/~e0327380/pub_key.asc
Fingerprint: CFE8 38A7 0BC4 3CB0 E454 FA8D 04F9 B3B6 E02D 25BA

Well thx all, I got far more info than i expected :)

I now have at least a clue about what could be a whole and how I could
secure it. I will definately need more time to look deeper into it but
in a bit more than a week I have holidays that should help.

I will definately:

- Encrypt my filesystem
- Have a close look at iptables
- Have a look at ACLs etc.
- Install portsentry
- Maybe mess with LIDS
- and much more... ;)


Thx

me


--
gentoo-security@gentoo.org mailing list

me <me@n-tek.ch> wrote:
> - Maybe mess with LIDS

You might prefer grsecurity's RBAC, if you want that sort of thing in
a hurry. It has very useful learning modes, plus you get the rest of
grsecurity and PaX.


--
Barry.Schwartz@chemoelectric.org http://www.chemoelectric.org
"I have directed that in the future I sign each letter." -- Rumsfeld

On 050214 at 21:50, me wrote:
> netstat -an |grep LISTEN gives the following output: (not sure about
> those listening apps...)
>
> *Code:*
> unix 2 [ ACC ] STREAM LISTENING 9368 /tmp/mapping-ph03n1x
> unix 2 [ ACC ] STREAM LISTENING 6796 /var/run/acpid.socket
> unix 2 [ ACC ] STREAM LISTENING 9151 /tmp/orbit-ph03n1x/linc-23a8-0-747990af24219
> unix 2 [ ACC ] STREAM LISTENING 10230 /var/run/sdp
> unix 2 [ ACC ] STREAM LISTENING 9250 /tmp/orbit-ph03n1x/linc-23cc-0-3c74524d40482
> [...]

This shows that there are no Apps listening on your network interfaces.
These are all local ("unix"-type) sockets.

A listening network-server looks like this:

goofy root # netstat -nlp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:21 0.0.0.0:* LISTEN 2274/xinetd
tcp 0 0 :::22 :::* LISTEN 2177/sshd
Active UNIX domain sockets (only servers)
Proto RefCnt Flags Type State I-Node PID/Program name Path
unix 2 [ ACC ] STREAM LISTENING 6070 2030/lpd Waiting /var/run/lprng
unix 2 [ ACC ] STREAM LISTENING 5905 1846/syslog-ng /dev/log
unix 2 [ ACC ] STREAM LISTENING 6032 1891/gpm /dev/gpmctl

sshd and vsftpd (behind xinetd) are running on this system.
I have vsftp running on my laptop too, its IMO less a risk than a
having a samba server. PWs are no problem, everythings done anonymous.

So there is nothing listening on your network interfaces.

If you trust the programs running on your on machine, then there is no
sense in installing a packetfilter(iptables). It just adds code and
complexicity. In Windows-Fashion: "The ports are already closed."

If there are programs you don't trust, you'd better deinstall them.
If this is not possible, then this is where you can start to think
about things like a "personal firewall", SELinux or GRSecurity.

> I would also like to run snort on my laptop I think it could make sense,
> don't you?

If you expect some guy to get into your laptop remotely, then snort
will *maybe* help you finding the hole. If not, it just adds extra
code. Code that, like iptables, may contain errors and is therefore a
security-risk, as the programs listen on the network-interface and
interpret the traffic.

If you don't run any server-programs(netstat), no iptables and no snort
or portsentry, you leave an remote-attacker no choice but to attack the
kernel(always apply latest patches), or you(think before you type). The
latter probably through some Apps like your Browser or eMail-Client
("phishing").



Concerning the local priviledge-escalation:

I would *love* to see his face trying to figure out how larswm works ;)


have fun,
pepe
--
Hi, I'm a unix-virus.
Please copy me into your .signature to help me spread!

--
gentoo-security@gentoo.org mailing list

On Tue, Feb 15, 2005 at 09:51:06AM +0100, me wrote:
> - Encrypt my filesystem
> - Have a close look at iptables
> - Have a look at ACLs etc.
> - Install portsentry
> - Maybe mess with LIDS

Just wanted to add my two cents:

If I were attacking a laptop locally, I'd just pop in a boot disk and
read any data I want. You don't even need to change the password file;
you can just replace the kernel or some root-executed binary and you've
got access once the machine is rebooted (but as I said, if you just want
to read data, you don't even need to do that).

So do the encrypted filesystem first--BIOS passwords are notoriously
weak.

After that, given that you said you've got no listening services, I
wouldn't worry all that much about iptables and all. Portsentry also
doesn't strike me as that useful.

After all, how do you know the chances of a vulnerability in iptables
are lower than those of a vulnerability in, say, sshd (if that's your
only listening daemon)?

Better is pursuing other measures like stack smashing protection, pax,
grsec, etc. In this case, even if there *is* a vuln in sshd, you may be
saved by one of these extra measures.

Anyway, like I said, just my two cents. If you're worried about a local
attacker, encrypt the filesystem, because otherwise, root is a piece of
cake.

--
Dan Margolis
Gentoo Security/Audit

My impression is that nowadays Hacker don't knock at the front door on your
servers, but rather exploit the client side and transport their exploits to
you either via eMail (not so common these days), exploiting a server you are
connecting to or man in the middle for non secured connections (ie. Firefox
exploit + http, dig + domain-name, xpdf + http)...
This is due to the fact that nowadays more and more people have a personnal
firewall.

However most of these firewalls allow any connection out, and don't do much
protocol inspection deeper than layer 3. I beleive that it is as important
to secure your outbound ports because the first thing an exploit will do is
initiate a connexion out to get more brain power (latest root escalations,
DDos targets, etc.), if they can't they don't do much damage and you can
repair in time.

To "secure" a bit further your workstation, you need machine virtualisation
ala VMWare with all your dangerous clients in there (browser, p2p client,
mail client). This machine needs to be rebooted regularly (at least once a
day) and you need to put in place mecanisms to backup your files, eMails,
bookmarks, and restaure then on reboot.

This will only add a layer and "fix" Automatic attacks aims at building
drones to get fire-power for DDos
For tailored ones you will always have a trade off between how long you will
spend on beeing (and staying) secured and how long you will resist an
intrusion.

All This is equally true for any OS.

> On Tue, Feb 15, 2005 at 09:51:06AM +0100, me wrote:
> > - Encrypt my filesystem
> > - Have a close look at iptables
> > - Have a look at ACLs etc.
> > - Install portsentry
> > - Maybe mess with LIDS
>
> Just wanted to add my two cents:
>
> If I were attacking a laptop locally, I'd just pop in a boot disk
> and
read any data I want. You don't even need to change the
> password file;
you can just replace the kernel or some root-
> executed binary and you've
got access once the machine is rebooted
> (but as I said, if you just want
to read data, you don't even need
> to do that).
>
> So do the encrypted filesystem first--BIOS passwords are notoriously
> weak.
>
> After that, given that you said you've got no listening services, I
> wouldn't worry all that much about iptables and all. Portsentry also
> doesn't strike me as that useful.
>
> After all, how do you know the chances of a vulnerability in
> iptables
are lower than those of a vulnerability in, say, sshd (if
> that's your
only listening daemon)?
>
> Better is pursuing other measures like stack smashing protection,
> pax,
grsec, etc. In this case, even if there *is* a vuln in sshd,
> you may be
saved by one of these extra measures.
>
> Anyway, like I said, just my two cents. If you're worried about a
> local
attacker, encrypt the filesystem, because otherwise, root is
> a piece of
cake.
>
> --
> Dan Margolis
> Gentoo Security/Audit




--
gentoo-security@gentoo.org mailing list

From what you say it all comes down to a few things:
1-He only knows the IP of the machine and can only use that:
1.1-You have no open services so no exploits, only problem is with the
kernel itself but no bugs there.
2-He has physical access to the machine:
2.1-He is going to try single user mode, but as you said you use
passwords so he has to crack your password.
2.2-He is going to try to boot a custom cd/floopy, and you deactivated
that on the bios right, and your bios password is uncrackable right?
2.3-He gets to disassemble your laptop:
2.3.1-He gets the drive out, uses some connector 2,5" to 3,5" and hacks
from there, only safeguard is all the fs using encryption with the
pass phrase passed to the kernel at boot time. ( I have no experience
here on how to do this, only used usb pen with cryptoloop)
2.3.2-He resets the BIOS password, all laptops i've seen do not have a
reset feature, "only" the manufacture knows how to do this.

So if you do this i can pretty much guarantee you a safe box, even
against a high skilled cracker.

On Mon, 14 Feb 2005 23:28:32 +0100
me <me@n-tek.ch> wrote:

> You are right but I'm not convinced yet that he is a top-tier, maybe a

> middle-tier ;) which hopefully doesnt own my laptop...
>
> I don't mind if he owns my laptop I just don't want to feel embarassed

> because I overlooked something really stupid and basic. Since I'm not
> that much into linux security yet I thought I better get some advises
> from people who know something about it.
>
> glsa-check --list should show me vulnerable packets shouldn't it?
>
> So basically my goal is to make my laptop middle-tier-proof ;)
>
>
>
> Roland, Ryan M wrote:
>
> >In all honesty, if a top-tier hacker REALLY wants in your box, unless
you
> >really know what you're doing, and are very paranoid, he's probably
gonna get
> >in. Now, can he just ping your IP, run netstat and get in within a
few min?
> >Most likely only if you have blatant configuration mistakes or if you
have
> >vulnerable packages.
> >
> >Security isn't a 'yes' or 'no'. It's a gradient.
> >
> >
> >Thanks,
> >
> >
> >
> >
> >Ryan Roland
> >
> >Application Developer
> >Information Technology
> >Division of Recreational Sports
> >Indiana University
> >
> >812.855.9617
> >rmroland@indiana.edu
> >
> >
> >-----Original Message-----
> >From: Rui Covelo [mailto:rpfc@mega.ist.utl.pt]
> >Sent: Monday, February 14, 2005 16:32
> >To: me
> >Cc: gentoo-security@lists.gentoo.org
> >Subject: Re: [gentoo-security] Securing Laptop with Gentoo
> >
> >-----BEGIN PGP SIGNED MESSAGE-----
> >Hash: SHA1
> >
> >
> >
> >Localy, I can hack into Windows 2003 Server anytime too... Remote is
> >something completly different.
> >
> >But I would like to know if he can remotely hack into linux anytime
with
> >a basic desktop configuration. By "basic" I mean up to date software
> >(including kernel), a firewall (iptables) and maybe sshd (up to
date).
> >No other hardned packages, no grsec, etc.
> >
> >If we want to prove Linux can be a secure OS, we have to prove that
you
> >don't have to be a security expert to maintain a secure desktop.
> >
> >I'm not saying that I believe noone can hack into a basic Linux
system.
> >I'm just saying I would like to know how hard/easy can that be.
> >
> >
> >
> >
> >- --
> >Rui Covelo
> >http://ruicovelo.2ya.com
> >
> >
> >
> >
> >
> >
> >
> >-----BEGIN PGP SIGNATURE-----
> >Version: GnuPG v1.2.6 (GNU/Linux)
> >Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org
> >
> >iD8DBQFCERjMfLPhlaxNQk0RAlYpAJ9H7FeuRFlozUmHBI/XkzHYV8Wi9ACfcmqL
> >4IU/RKHmuftiWkHpDKFERbY=
> >=oZJQ
> >-----END PGP SIGNATURE-----
> >
> >--
> >gentoo-security@gentoo.org mailing list
> >
> >
> >
> >
>
>
>
> --
> gentoo-security@gentoo.org mailing list


--
Gustavo Felisberto
(HumpBack)
Web: http://dev.gentoo.org/~humpback
Blog: http://blog.felisberto.net/
------------
It's most certainly GNU/Linux, not Linux. Read more at
http://www.gnu.org/gnu/why-gnu-linux.html .
-------------

Gustavo Adolfo Silva Ribeiro Felisberto wrote:

>>From what you say it all comes down to a few things:
>
> So if you do this i can pretty much guarantee you a safe box, even
> against a high skilled cracker.
>

Unfortunatly you can never guarantee a safe box, even if it takes
someone to put take the hard disk apart in a clean room and read the
data off the raw disks, there's always a way.

I wouldn't trust a BIOS password 100% either, the amount of times we've
had machines come back to us with BIOS passwords put on them, and with a
little looking, they take very little time at all to crack.

If you want tough security, i'd definately recommend encrypting your
filesystem, then even if he does bypass your BIOS password, he'd have to
do some serious work at cracking it. With a strong enough key, a brute
force hack would take a few years...

Unfortunately, nothing is 100% hacker proof, unless you destroy it.

--

Chris Kranz
Fatcuban.com


--
gentoo-security@gentoo.org mailing list

Hi all, I want to "brainstorm" too!

On Mon, 14 Feb 2005 22:33:37 +0100, me <me@n-tek.ch> wrote:
> Well the deal more or less is:
>
> 1) Laptop is turned off: - try to break in without opening it or
> anything so bios password prevents this, laptop boots only from harddisk)
> 2) Laptop is booting: - try to break in (without changing boot order)
> grub pw prevents single user mode (encrypted partitions would prevent
> attack via windows)
> 3) Laptop is running, logged in with my user (member of wheel): -try to
> get root

Well.. this means... you have to be shure that you do not have any
keylogger, or "backdoor" on any command/path/file you use..
such has .bashrc, ssh, LD_LIBRARY_PATH, PATH, PROMPT_COMMAND,aliases..
basically.. if one gets a local admin acount.. one just has to
log&wait to find the root password, or ssh key password, your own
password (for sudo use.. for instance)..
passwords that you use for email, or whatever should be diferent, and
not remarcably similar.... I don't know you your mail client or
webbrowser keeps your saved passwords, even if cripted, the should be
easily crackable..

also take care with all setuid apps specially cdrecord, kdesu, and
other grafical config/admin tools...

watch out about your "talks" with the atacker, social engeneering
works pretty damm well...

Also be aware that exposing your personal computer to those
"adventures" means exposing your private keys(gpg, ssh) prefered
passwords, habbits, knowlegdges and personal configs... which is a
information leak that can lead to the breakin of other machines you
mantain... and from there, he might get even more info to get root on
your local machine.

Also be prepared not to log from that machine to any other remotely
important machine.. you might be being logged....


> 4) Laptop is running: -try to break in remotely and get user- or root-access

that means, choose carefully the services/applications that you have running.
every machine you use to do ssh's or other "admin" activity _must_ be
safe, or you will be 0wn3d! :p
Everytime I log to some machine/account that I use for work (I'm a
admin) I must be assured that the machine I'm typing is safe, of even
the logging of the keyboard/network will not compromise..
That means that, you on girlfriend, sister, father, or friend
computer, should never log to user acounts related to your work
without using ssh keys with password.. wich are configured in putty,
in my usb pen... (neat!!)
..
Well.. be paranoid.. I for once fell that anything is completelly
crackable...its just a matter of time and amount of efford.
Your best bet is to make him quit/desease that attempt. (that means
you've won btw!!)

>
> Points 3 and 4 are my main concern as 1 and 2 are relatively easy to prevent
>
> Thx for the infos so far
>
>
> Roland, Ryan M wrote:
>
> >Firstly, this sounds like a thinly veiled attempted to get this list to help
> >you secure your laptop, but since I'm bored ... :)
> >
> >What are the details of the bet? What constitutes 'hacked'? Simply logging
> >in? Or getting root?
> >
> >Also, physical access to the machine is a serious handicap to trying to
> >secure the thing against hacks. Make sure that the BIOS is set to boot from
> >HDD first and only. We don't want him throwing in a CD/floppy/USB key and
> >being able to boot to it. But even this can be overcome if they have
> >physical access by flashing or resetting the BIOS to defaults. If you want
> >an additional layer against that, using encrypted filesystems can help
> >mitigate that.
> >
> >Quicktables may let you get a firewall up without requiring much of an
> >understanding of iptables syntax:
> >
> >http://qtables.radom.org/index.php
> >
> >I often have an 'interactive', a 'idle' and 'locked' scripts. I run
> >'interactive' and it clears the table, and runs the set that is somewhat
> >open; allowing me to run gnutella, Gaim, IRC, mount network shares, etc. I
> >run 'idle' and it clears the table and closes everything down except my ssh
> >and web server ports. I run 'locked' and it closes down EVERYTHING.
> >
> >Running a nessus scan on the machine is also helpful in making sure that it
> >doesn't have any known network vulnerabilities in either the version or
> >configuration of your software/daemons.
> >
> >And there are many other steps that fall under the 'intrusion detection'
> >category that don't seem to be necessary (for your bet anyway) since you're
> >just blocking against attack, not trying to determine if, when, and how
> >someone got in.
> >
> >Anyway, just a few quick suggestions. Have fun!
> >
> >
> >Ryan Roland
> >
> >Application Developer
> >Information Technology
> >Division of Recreational Sports
> >Indiana University
> >
> >
> >-----Original Message-----
> >From: me [mailto:me@n-tek.ch]
> >Sent: Monday, February 14, 2005 15:47
> >To: gentoo-security@lists.gentoo.org
> >Subject: [gentoo-security] Securing Laptop with Gentoo
> >
> >Hello
> >
> >I have a Laptop wich is running Gentoo with 2.6.10 dev kernel which I
> >would like to make secure (locally/remotely). Thing is that our external
> >IT pro bet that he will hack my machine in no time, locally and remote.
> >Of course I said that he won't be able to do so Smile cos this is gentoo
> >and no color-bitmap distro with a lots of services running by default.
> >(I already read the Security Guide of gentoo and made my best out of it...)
> >
> >I just wanna prove him wrong with his saying "Linux is insecure, Windows
> >Server 2003 is much more secure..." (ok this is a desktop system but
> >it's just a detail Very Happy )
> >
> >I have difficulties with the hardened sources so that is probably not an
> >option.
> >
> >Because I have a laptop I have 3 different NICs, internal LAN, internal
> >WLAN, pcmcia WLAN, which i use in dhcp an static enviroments. I'm
> >absolutely new to iptables so if someone could give some hints to set it
> >up properly for a changing enviroment i would be thankful. ( I already
> >have it working in the kernel only the rules with changing enviroments
> >is the problem)
> >
> >What I did so far:
> >
> >-Bios Password (had that since ever)
> >-Grub Password (to prevent unauthorized single user mode)
> >-Emerged Cracklib to check for insecure passwords
> >-Emerged chkrootkit (Maybe AIDE or tripwire would also be a good idea)
> >
> >I don't have any special services running or at least I think that. I'm
> >using X with gnome. Apart from that everything should be standard...
> >
> >netstat -an |grep LISTEN gives the following output: (not sure about
> >those listening apps...)
> >
> >*Code:*
> >unix 2 [ ACC ] STREAM LISTENING 9368
> > /tmp/mapping-ph03n1x
> >unix 2 [ ACC ] STREAM LISTENING 6796
> > /var/run/acpid.socket
> >unix 2 [ ACC ] STREAM LISTENING 9151
> > /tmp/orbit-ph03n1x/linc-23a8-0-747990af24219
> >unix 2 [ ACC ] STREAM LISTENING 10230 /var/run/sdp
> >unix 2 [ ACC ] STREAM LISTENING 9250
> > /tmp/orbit-ph03n1x/linc-23cc-0-3c74524d40482
> >unix 2 [ ACC ] STREAM LISTENING 9450
> > /tmp/orbit-ph03n1x/linc-23e9-0-51420772e669c
> >unix 2 [ ACC ] STREAM LISTENING 9273
> > /tmp/orbit-ph03n1x/linc-23d0-0-234b493cb627
> >unix 2 [ ACC ] STREAM LISTENING 9295
> > /tmp/orbit-ph03n1x/linc-23ce-0-6fd415ea4991b
> >unix 2 [ ACC ] STREAM LISTENING 9312
> > /tmp/orbit-ph03n1x/linc-23d2-0-6fd415eaa17b7
> >unix 2 [ ACC ] STREAM LISTENING 9337
> > /tmp/orbit-ph03n1x/linc-23d6-0-2c6cd1b9c57f0
> >unix 2 [ ACC ] STREAM LISTENING 9481
> > /tmp/orbit-ph03n1x/linc-23eb-0-36888b137b61
> >unix 2 [ ACC ] STREAM LISTENING 9513
> > /tmp/orbit-ph03n1x/linc-23ed-0-2d56a133679c7
> >unix 2 [ ACC ] STREAM LISTENING 9549
> > /tmp/orbit-ph03n1x/linc-23ef-0-2d56a133e0eaa
> >unix 2 [ ACC ] STREAM LISTENING 9576
> > /tmp/orbit-ph03n1x/linc-23f1-0-1efbc33811b7b
> >unix 2 [ ACC ] STREAM LISTENING 9604
> > /tmp/orbit-ph03n1x/linc-23f3-0-1efbc3383485f
> >unix 2 [ ACC ] STREAM LISTENING 8760 /tmp/.gdm_socket
> >unix 2 [ ACC ] STREAM LISTENING 8914
> > /tmp/ssh-slrppa9099/agent.9099
> >unix 2 [ ACC ] STREAM LISTENING 8786 /tmp/.X11-unix/X0
> >unix 2 [ ACC ] STREAM LISTENING 8928
> > /tmp/orbit-ph03n1x/linc-239e-0-64ef23a484ccf
> >unix 2 [ ACC ] STREAM LISTENING 8937
> > /tmp/orbit-ph03n1x/linc-238b-0-1776021e90190
> >unix 2 [ ACC ] STREAM LISTENING 9115
> > /tmp/.ICE-unix/9099
> >unix 2 [ ACC ] STREAM LISTENING 9123
> > /tmp/keyring-z2lvfy/socket
> >unix 2 [ ACC ] STREAM LISTENING 9132
> > /tmp/orbit-ph03n1x/linc-23a6-0-5b616fb4ba76e
> >unix 2 [ ACC ] STREAM LISTENING 9925
> > /tmp/orbit-ph03n1x/linc-242d-0-5ed286a6e3a73
> >
> >
> >
> >Would be nice if some of you guys could point me to the main mistakes
> >someone unexperienced like me could make so I can fix that up or just
> >share your knowledge and experiences
> >
> >I would also like to run snort on my laptop I think it could make sense,
> >don't you?
> >
> >Whatever you have for me just shoot...
> >
> >
> >--
> >gentoo-security@gentoo.org mailing list
> >
> >
> >
> >
>
> --
> gentoo-security@gentoo.org mailing list
>
>


--
Miguel Sousa Filipe

--
gentoo-security@gentoo.org mailing list

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Thursday 17 February 2005 04:23 am, Chris Kranz wrote:
> Gustavo Adolfo Silva Ribeiro Felisberto wrote:
> >>From what you say it all comes down to a few things:
> >
> > So if you do this i can pretty much guarantee you a safe box, even
> > against a high skilled cracker.
>
> Unfortunatly you can never guarantee a safe box, even if it takes
> someone to put take the hard disk apart in a clean room and read the
> data off the raw disks, there's always a way.

Look at http://loop-aes.sf.net/ - you can encrypt your root partition
(essentially entire fs, swap etc) and even boot the laptop from a cdrom or
usb stick. Using multi-key encrypted FS with a gpg secured keyfile is as safe
as a) the possession of the private key failing which b) your passphrase.

Look at diceware.com for a method of choosing a password with better than
2^128 bits of entropy and you can guard against (b) above.

With the above config, your laptop will be secure from walk up exploits when
off even against a skilled hacker. You have to then protect yourself against
keystroke loggers, either planted hardware or remote, physical coercion and
TEMPEST attacks. If you are worried about the latter then it makes no sense
to have a wireless card on board.

Of course when the laptop is ON and connected to the 'net all usual defenses
must apply and is certainly the weaker link. I would still run iptables (say
firehol) with a default drop policy since it eliminates return packets from
non-listening ports. Iptables is a smaller body of code than the entire
kernel.

Please note that encrypting your hard drive does not protect against
modification of blocks on the hard drive (which will be corrupt on
decryption). See:

http://mail.nl.linux.org/linux-crypto/2005-01/msg00076.html

However a crypto drive is the first real step to laptop security, which is the
abilty to deny access. There is no substitute for physical machine security.

A shameless plug: we sell loop-aes protected CryptoBook notebooks with Gentoo
at rayservers.com and will support Gentoo with every sale.

Best regards,

- ---Venkat.

http://www.rayservers.com/
Computers. Installed Secure. OpenPGP. AES Encrypted HD. Colocation.
Tel:+1-607-546-7300 Fax:+1-607-546-7387 Skype: rayservers
PGP/GPG Key: https://www.rayservers.com/keys/0x12430522.asc
4856 01AB F8BA E0EB F128 A57F 59D9 16FD 1243 0522
Your Privacy and Security are our Business [TM]

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)

iD8DBQFCFLRjWdkW/RJDBSIRAvm4AJ44IK3S7SB4BVgvvINx0vVW23PRyQCgt61J
vQcktiC1RC58htK7i6zNjNs=
=Ef70
-----END PGP SIGNATURE-----

--
gentoo-security@gentoo.org mailing list

In case someone hasn't mentioned it yet, has he ever had access to
this laptop before by any chance? He may have already compromised it.
You might want to verify that it's clean now. It would make for a real
short contest if he already has a rootkit on there :)


On Thu, 17 Feb 2005 10:12:27 -0500, Venkat Manakkal
<venkat@rayservers.com> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On Thursday 17 February 2005 04:23 am, Chris Kranz wrote:
> > Gustavo Adolfo Silva Ribeiro Felisberto wrote:
> > >>From what you say it all comes down to a few things:
> > >
> > > So if you do this i can pretty much guarantee you a safe box, even
> > > against a high skilled cracker.
> >
> > Unfortunatly you can never guarantee a safe box, even if it takes
> > someone to put take the hard disk apart in a clean room and read the
> > data off the raw disks, there's always a way.
>
> Look at http://loop-aes.sf.net/ - you can encrypt your root partition
> (essentially entire fs, swap etc) and even boot the laptop from a cdrom or
> usb stick. Using multi-key encrypted FS with a gpg secured keyfile is as safe
> as a) the possession of the private key failing which b) your passphrase.
>
> Look at diceware.com for a method of choosing a password with better than
> 2^128 bits of entropy and you can guard against (b) above.
>
> With the above config, your laptop will be secure from walk up exploits when
> off even against a skilled hacker. You have to then protect yourself against
> keystroke loggers, either planted hardware or remote, physical coercion and
> TEMPEST attacks. If you are worried about the latter then it makes no sense
> to have a wireless card on board.
>
> Of course when the laptop is ON and connected to the 'net all usual defenses
> must apply and is certainly the weaker link. I would still run iptables (say
> firehol) with a default drop policy since it eliminates return packets from
> non-listening ports. Iptables is a smaller body of code than the entire
> kernel.
>
> Please note that encrypting your hard drive does not protect against
> modification of blocks on the hard drive (which will be corrupt on
> decryption). See:
>
> http://mail.nl.linux.org/linux-crypto/2005-01/msg00076.html
>
> However a crypto drive is the first real step to laptop security, which is the
> abilty to deny access. There is no substitute for physical machine security.
>
> A shameless plug: we sell loop-aes protected CryptoBook notebooks with Gentoo
> at rayservers.com and will support Gentoo with every sale.
>
> Best regards,
>
> - ---Venkat.
>
> http://www.rayservers.com/
> Computers. Installed Secure. OpenPGP. AES Encrypted HD. Colocation.
> Tel:+1-607-546-7300 Fax:+1-607-546-7387 Skype: rayservers
> PGP/GPG Key: https://www.rayservers.com/keys/0x12430522.asc
> 4856 01AB F8BA E0EB F128 A57F 59D9 16FD 1243 0522
> Your Privacy and Security are our Business [TM]
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.2.3 (GNU/Linux)
>
> iD8DBQFCFLRjWdkW/RJDBSIRAvm4AJ44IK3S7SB4BVgvvINx0vVW23PRyQCgt61J
> vQcktiC1RC58htK7i6zNjNs=
> =Ef70
> -----END PGP SIGNATURE-----
>
> --
> gentoo-security@gentoo.org mailing list
>
>

--
gentoo-security@gentoo.org mailing list

<paranoid>
Another thing, which weren't discussed yet is question of private keys.
I suggest is to keep all private keys on some other device than your
laptop.
This things have to be accessible after some passphrase or PIN.

Use Digital Signature to all and everywhere
</paranoid>

And when you connect to SSH or by another securized connection, you have
to know BEFORE, what certificate/key fingerprint the other host has.
This fingerprint is necessary to transport via other transport route
than physical connection (f.e paper + fax, GSM) to prevent
man-in-the-middle attack. And don't open connection when fingerprint
changed vithout previous confirmation of new fingerprint.

My next idea, which wasn't discussed yet is to disable all low-secure
encryption algorithms and hashes(f.e. arcfour) so you cannot
established low-secure connection or do cryptographicly weak hashes.

I vote also for RSBAC + Pax :).

Jerry

me wrote:

> Well thx all, I got far more info than i expected :)
>
> I now have at least a clue about what could be a whole and how I could
> secure it. I will definately need more time to look deeper into it but
> in a bit more than a week I have holidays that should help.
>
> I will definately:
>
> - Encrypt my filesystem
> - Have a close look at iptables
> - Have a look at ACLs etc.
> - Install portsentry
> - Maybe mess with LIDS
> - and much more... ;)
>
>
> Thx
>
> me
>
>
> --
> gentoo-security@gentoo.org mailing list
>
>


--
gentoo-security@gentoo.org mailing list

Yeah he had access but i was watching him closely. He wanted to show me
that he can access /etc/shadow with my user but of course he couldnt :)
(he didnt attach any drives or connected to the internet or whatever...)

100% sure that there is no rootkit from him ;)


Drew Kirkpatrick wrote:

>In case someone hasn't mentioned it yet, has he ever had access to
>this laptop before by any chance? He may have already compromised it.
>You might want to verify that it's clean now. It would make for a real
>short contest if he already has a rootkit on there :)
>
>
>On Thu, 17 Feb 2005 10:12:27 -0500, Venkat Manakkal
><venkat@rayservers.com> wrote:
>
>
>>-----BEGIN PGP SIGNED MESSAGE-----
>>Hash: SHA1
>>
>>On Thursday 17 February 2005 04:23 am, Chris Kranz wrote:
>>
>>
>>>Gustavo Adolfo Silva Ribeiro Felisberto wrote:
>>>
>>>
>>>>>From what you say it all comes down to a few things:
>>>>
>>>>So if you do this i can pretty much guarantee you a safe box, even
>>>>against a high skilled cracker.
>>>>
>>>>
>>>Unfortunatly you can never guarantee a safe box, even if it takes
>>>someone to put take the hard disk apart in a clean room and read the
>>>data off the raw disks, there's always a way.
>>>
>>>
>>Look at http://loop-aes.sf.net/ - you can encrypt your root partition
>>(essentially entire fs, swap etc) and even boot the laptop from a cdrom or
>>usb stick. Using multi-key encrypted FS with a gpg secured keyfile is as safe
>>as a) the possession of the private key failing which b) your passphrase.
>>
>>Look at diceware.com for a method of choosing a password with better than
>>2^128 bits of entropy and you can guard against (b) above.
>>
>>With the above config, your laptop will be secure from walk up exploits when
>>off even against a skilled hacker. You have to then protect yourself against
>>keystroke loggers, either planted hardware or remote, physical coercion and
>>TEMPEST attacks. If you are worried about the latter then it makes no sense
>>to have a wireless card on board.
>>
>>Of course when the laptop is ON and connected to the 'net all usual defenses
>>must apply and is certainly the weaker link. I would still run iptables (say
>>firehol) with a default drop policy since it eliminates return packets from
>>non-listening ports. Iptables is a smaller body of code than the entire
>>kernel.
>>
>>Please note that encrypting your hard drive does not protect against
>>modification of blocks on the hard drive (which will be corrupt on
>>decryption). See:
>>
>>http://mail.nl.linux.org/linux-crypto/2005-01/msg00076.html
>>
>>However a crypto drive is the first real step to laptop security, which is the
>>abilty to deny access. There is no substitute for physical machine security.
>>
>>A shameless plug: we sell loop-aes protected CryptoBook notebooks with Gentoo
>>at rayservers.com and will support Gentoo with every sale.
>>
>>Best regards,
>>
>>- ---Venkat.
>>
>>http://www.rayservers.com/
>>Computers. Installed Secure. OpenPGP. AES Encrypted HD. Colocation.
>>Tel:+1-607-546-7300 Fax:+1-607-546-7387 Skype: rayservers
>>PGP/GPG Key: https://www.rayservers.com/keys/0x12430522.asc
>>4856 01AB F8BA E0EB F128 A57F 59D9 16FD 1243 0522
>>Your Privacy and Security are our Business [TM]
>>
>>-----BEGIN PGP SIGNATURE-----
>>Version: GnuPG v1.2.3 (GNU/Linux)
>>
>>iD8DBQFCFLRjWdkW/RJDBSIRAvm4AJ44IK3S7SB4BVgvvINx0vVW23PRyQCgt61J
>>vQcktiC1RC58htK7i6zNjNs=
>>=Ef70
>>-----END PGP SIGNATURE-----
>>
>>--
>>gentoo-security@gentoo.org mailing list
>>
>>
>>
>>
>
>--
>gentoo-security@gentoo.org mailing list
>
>
>
>
>



--
gentoo-security@gentoo.org mailing list

> Yeah he had access but i was watching him closely. He wanted to show me
> that he can access /etc/shadow with my user but of course he couldnt :)
> (he didnt attach any drives or connected to the internet or whatever...)
>
> 100% sure that there is no rootkit from him ;)

You don't need to connect to the internet to infect an account. If you looked
away for a while, he could easily edit your ~/.bashrc or ~/.bash_profile file
and add an extra alias for sudo, or ssh, or su, or something similar, so that
it echoed whatever you typed in as the password to /tmp/ somewhere, and then
ran the program as normal... Or other similar situations. If he had done this,
then when it came to the time for him to hack your machine, he could just check
the file in temp, and get all your passwords that you had used from the account.

Anyway,

Dan

--
http://www.madprof.net


--
http://www.madprof.net

--
gentoo-security@gentoo.org mailing list