02-16-2008, 08:08 AM
DMFH
Re: [F1 Security] Need help to accomplish the following

On 2006-01-16, jKILLSPAM.schipper@math.uu.nl <jKILLSPAM.schipper@math.uu.nl>
wrote:

> DMFH <dmfh@n0spam.dmfh.cx.spamn0t> wrote:


>>
>> The simple answer might be to generate a list of commands that reveal PID
>> information and restrict them to the root user, also changing the name
>> of root to something else so it's non-obvious which login account may get
>> you root access. This will not prevent savvy coders from writing their
>> own code, but that also assumes that there will be live users logging into
>> the box.

>
> It also does not prevent anyone with half a clue from getting src.tar.gz
> and compiling them by hand. I.e., only the worst script kiddies will
> actually be stopped by this if they do not wish to be.
>
> (And while cutting down on access to prevent file copying is annoying,
> it's just a little scripting challenge to anything with a bit of a
> clue.)


Absolutely - assuming a compiler will always be on hand for users to use,
which would always be the case with PERL on the system. I got that idea
from my old days of SunOS 4.1.3_U1, making menu systems for users and trying
to prevent shell escapes.


> I'm not certain how to interpret this, but for OpenBSD generated packets
> pf(4) is not necessary:
>
> See http://www.cert.org/advisories/CA-2001-09.html - OpenBSD randomizes
> pretty well by default. (In fact, I'd think modulate state would produce
> pretty much the same as just the default.)


I think we're talking about two different features here perhaps? I was
referring to the random IP ID generator in PF, and I think you're
talking about the state modulation function, which indeed doesn't need
PF and is a part of the IP core of OpenBSD - where a strong, random
ISN (Initial Sequence Number) is generated for TCP/IP sockets, instead of
the brain-dead way other OSes do it, like adding +10 to the last, etc.
This prevents "man-in-the-middle" attacks to some degree, etc., etc.

> People who ask this question tend to be very happy when told that
> OpenBSD can block nmap (via pf's 'OS detection').


I've never quite used this, but I have considered using it on my mailer to
automagically drop what must be bogon MTAs coming from Windows desktop
systems that probably are spam traffickers - what's your opinion?


----
__| |_ __ / _| |_ ____ __
dmfh @ / _` | ' \| _| ' \ _ / _\ \ /
\__,_|_|_|_|_| |_||_| (_) \__/_\_\
----
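As an added illustration (not part of this thread or of the OpenBSD project's documentation), the following pf.conf fragment, written in the pre-OpenBSD 4.6 syntax of the era, wires up the three pf features discussed above: random-id scrubbing of IP IDs, modulate state for TCP ISNs, and passive OS fingerprinting to refuse SMTP from connections that fingerprint as Windows. The interface name, the mail server address and the macro names are assumptions.

```pf
# Added example, not from the thread. Pre-OpenBSD 4.6 pf.conf syntax.
# Assumptions: external interface em0; the MTA listens on $mail_srv.
ext_if   = "em0"
mail_srv = "192.0.2.25"   # placeholder address from the RFC 5737 test range

# Reassemble fragments on the way in; on the way out replace the IP ID
# field with random values so the ID sequence of hosts passing through
# (or NATed behind) this box cannot be used to count their traffic.
scrub in all fragment reassemble
scrub out on $ext_if all random-id

# Default deny inbound; log so rejected fingerprints can be reviewed.
block in log on $ext_if all

# Refuse SMTP from SYNs whose fingerprint matches a Windows stack.
# Caveats: 'os' is matched only on the initial SYN, is best effort, and
# an "unknown" fingerprint is not caught by this rule. Legitimate Windows
# MTAs (e.g. Exchange sites) will be refused too, so review pflog first
# and consider greylisting or a listing rule instead of a hard block.
block in log quick on $ext_if proto tcp from any os "Windows" \
        to $mail_srv port smtp

# Accept mail from everyone else. 'modulate state' keeps state and also
# replaces the ISN seen by the peer with a strongly random one; this only
# matters for hosts behind the firewall with weak ISN generators, since
# OpenBSD's own stack already randomizes ISNs (see CA-2001-09 above).
pass in on $ext_if proto tcp from any to $mail_srv port smtp \
        flags S/SA modulate state

# Outbound: same ISN modulation for TCP, plain state for the rest.
pass out on $ext_if proto tcp from any to any flags S/SA modulate state
pass out on $ext_if proto { udp, icmp } all keep state
```

Load it with `pfctl -nf /etc/pf.conf` first to syntax-check, and watch `tcpdump -n -e -ttt -i pflog0` for a while before trusting the Windows rule on a production mailer.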