Bypassing & detecting nonexistent home and nologin
How do attackers gain access to a *nix box by exploiting services running as unprivileged users with no home directory and without a shell?
At the host level, is there a way to detect attackers while they are in the limbo phase created by exploiting a service like that?

They can never actually gain access to a *nix box in that way...

At the network level you could employ a NIDS for early detection.
__________________
Kill your t.v.

People exploit Apache all the time, so I know it's possible. For example, in Absolute FreeBSD, 2nd edition, the author said the attacker can get around not having a home directory by using /tmp, which is world-writable.
I suspect a way to detect an attack on Apache running as user 'www', where perhaps the attacker hasn't yet gotten full access, would be to check /tmp for files owned by www. It just seems like there have to be more sophisticated ways to detect something like that at the host level, such as the kernel noticing and logging commands that the user www is trying to carry out.

What kind of application logging is there? Could you specify that all services running as unprivileged users should have the applications they run logged?
|
|
In the case of Apache, you could also consider running it inside a FreeBSD jail. At least in this case you can keep a "cold spare" backup of the jail on standby and learn enough from an exploit to lock it down and then fire it up again. Additionally, even if Apache within a jail is compromised, it'll be a lot more difficult to cause problems on the host system.

If you're interested in preventing attacks through necessary services, you can give /tmp its own partition and mount it with the nodev, nosuid, and noexec flags.
It's no guarantee, but it should be part of a larger security policy, and it's one place to start.

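As an added example (not from the thread and not FreeBSD's own tooling), here is the fstab entry the post above describes, followed by a small check that reads `mount -p` output and reports which hardening options the /tmp mount is missing. The device name /dev/ada0p4 and the mount-table lines are constructed samples, not output from a real system. `nodev` is kept in the fstab line as the post suggests; since FreeBSD 6 device nodes are only usable on devfs, so the check treats it as optional and only requires nosuid and noexec.

```shell
#!/bin/sh
# Added example, not from the thread. The fstab entry the post describes,
# assuming /tmp lives on /dev/ada0p4 (an assumption for illustration):
#
#   /dev/ada0p4   /tmp   ufs   rw,nosuid,noexec,nodev   2   2
#
# Constructed samples of `mount -p` (fstab-style) output, not real captures:
# a host with a hardened /tmp, one where /tmp is just mounted rw, and one
# where /tmp is not a separate file system at all.
SAMPLE_MOUNTS_HARDENED='/dev/ada0p2 / ufs rw 1 1
/dev/ada0p4 /tmp ufs rw,nosuid,noexec 2 2'
SAMPLE_MOUNTS_WEAK='/dev/ada0p2 / ufs rw 1 1
/dev/ada0p4 /tmp ufs rw 2 2'
SAMPLE_MOUNTS_SHARED='/dev/ada0p2 / ufs rw 1 1'

# tmp_missing_opts: read `mount -p` output on stdin and print each required
# option that the /tmp mount lacks, or "not-a-separate-fs" when /tmp is not
# its own mount. Exits 0 only when nothing is missing.
tmp_missing_opts() {
    awk '
    BEGIN { want["nosuid"] = 1; want["noexec"] = 1 }
    $2 == "/tmp" {
        found = 1
        n = split($4, opts, ",")
        for (i = 1; i <= n; i++) have[opts[i]] = 1
        for (o in want) if (!(o in have)) { print o; bad = 1 }
    }
    END {
        if (!found) { print "not-a-separate-fs"; bad = 1 }
        exit bad
    }'
}

# tmp_status: print "ok" or "missing: <sorted list>" for a given mount table.
tmp_status() {
    missing=$(printf '%s\n' "$1" | tmp_missing_opts | sort | tr '\n' ' ')
    if [ -z "$missing" ]; then echo ok; else echo "missing: ${missing% }"; fi
}

tmp_status "$SAMPLE_MOUNTS_HARDENED"
tmp_status "$SAMPLE_MOUNTS_WEAK"
tmp_status "$SAMPLE_MOUNTS_SHARED"
# On a live host: mount -p | tmp_missing_opts
```

Keep in mind what noexec does and does not buy: it stops `/tmp/x` from being run directly, but not `sh /tmp/x` or `perl /tmp/x`, which is why the post calls it no guarantee rather than a fix.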
So far I really like Security Event Auditing. The FreeBSD Handbook showed something similar to what I wanted.
Code:
root:lo,+ex:no
www:fc,+ex:no
I also found BSMtrace, which is basically a context-based HIDS that uses those audit trails. Here's some of the things it can do.

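As an added example that is not from the thread and not part of BSMtrace, the script below does the host-level detection the earlier post asked about by hand: it reads praudit(1) text output and prints the execve(2) records issued with the web server's effective uid. The trail it parses is a constructed sample in praudit's record format, not a real capture. One caveat before relying on the audit_user entries above: that file's masks are applied when a user logs in, whereas an httpd child started from rc has no audit ID (praudit prints -1 in the subject token), so whether its execs are recorded is decided by the naflags line in audit_control(5).

```shell
#!/bin/sh
# Added example, not code from the thread or from BSMtrace. Reads praudit(1)
# text output and prints the execve(2) records issued with a given effective
# uid, i.e. the "kernel noticing commands that www runs" the thread asks for.
#
# For the kernel to record them at all, the ex class has to be preselected.
# audit_user(5) masks such as the post's "www:fc,+ex:no" are applied at login;
# an httpd child started from rc has no audit ID (praudit prints -1 in the
# subject token), so its execs are governed by the naflags line of
# audit_control(5), for example:
#   naflags:lo,+ex
#
# Constructed sample trail in praudit's record format (not a real capture):
# a shell spawned with euid www, an uptime run by root, and a plain open by www.
SAMPLE_TRAIL='header,133,11,execve(2),0,Mon Jan  5 10:01:02 2009, + 12 msec
exec arg,/bin/sh,-c,id
path,/bin/sh
attribute,555,root,wheel,90,24,4294967295
subject,-1,www,www,www,www,1234,100,0 0 0.0.0.0
return,success,0
trailer,133
header,110,11,execve(2),0,Mon Jan  5 10:01:03 2009, + 40 msec
exec arg,/usr/bin/uptime
path,/usr/bin/uptime
attribute,555,root,wheel,90,24,4294967295
subject,root,root,wheel,root,wheel,2000,101,0 0 0.0.0.0
return,success,0
trailer,110
header,90,11,open(2) - read,0,Mon Jan  5 10:01:04 2009, + 41 msec
path,/etc/passwd
attribute,644,root,wheel,90,30,4294967295
subject,-1,www,www,www,www,1234,100,0 0 0.0.0.0
return,success,5
trailer,90'

# user_execs USER: print "pid:argv" for every execve record on stdin whose
# subject token carries effective uid USER (field 3; the pid is field 7).
user_execs() {
    awk -F, -v user="$1" '
    /^header,/   { ev = $4; args = ""; euid = ""; pid = "" }
    /^exec arg,/ { sub(/^exec arg,/, ""); args = $0 }
    /^subject,/  { euid = $3; pid = $7 }
    /^trailer,/  { if (ev ~ /^execve/ && euid == user) print pid ":" args }
    '
}

printf '%s\n' "$SAMPLE_TRAIL" | user_execs www
# On a live host: praudit /var/audit/current | user_execs www
# or, to watch as it happens: praudit /dev/auditpipe | user_execs www
```

Any line it prints is an httpd worker spawning a program, which a server serving static content never does, so even a single hit is worth a look. Pair it with the noexec /tmp from the earlier post and the interesting cases become `sh /tmp/...` style invocations, which this filter still shows because it is the interpreter, not the script, that gets execve'd.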
Thanks, that seems like a good way to fix someone without a home directory trying to use /tmp.
|
|
|