PerlMonks  

RE: Re: Echo off in IO::Sockets

by Ozymandias (Hermit)
on Sep 04, 2000 at 20:13 UTC (#31039)


in reply to Re: Echo off in IO::Sockets
in thread Echo off in IO::Sockets

This is a very bad idea.

The problem is that you're getting overly complex. The only reason for creating a box with intentional security vulnerabilities is to create a honey pot system for intrusion detection/cracker investigation, and that's not something you want to be playing with. Honey pots and honey nets are widely known by both real crackers and script kiddies, and as such running one is a good way to become a frequent target. If that's what you want, then don't go to all this trouble; just run wu-ftpd and straight telnet.

If you want a secure box, on the other hand, then you do NOT want to play The Shell Game. That's been done, over and over again, and every time the person running it thinks it's a really cool idea guar-an-teed to make their system into a castle.

The problem is that you're letting them in in order to trap them. Think of the castle analogy; the root account is the castle keep, the throne room, along with all your critical files. IPCHAINS and other firewalling software are the outer walls. Every open port is a separate gatehouse into the castle; you might put passwords and access control lists in place to restrict it, like drawbridges and guards, but it's still a gateway into the castle.

What you're trying to do here is to create a blind alley gatehouse, a way into the castle that doesn't lead anywhere. You want to let your enemy in, then observe what they do once they're there.

That sounds good for the castle, but it's where the analogy breaks down. Castles have thick granite walls and iron gates and guards with real, thinking brains and pointy things to annoy the intruder. Your computer is an unthinking automaton, which will do exactly what you say but won't think about what it's doing, and it will work for the intruder as well as it does for you. Once you let them into that blind pocket, they're inside your wall. If you do that, EVERYTHING has to be perfect, and EVERYTHING has to work exactly right, or you can kiss your system good-bye. It never, ever will be perfect. Don't even pretend for an instant that you can make it that way.

Nothing is perfect, nothing is absolutely secure if it's on the Internet. The most you can do is create a strong, simple security model. And that's already been done. Bastille Linux is a good place to start if you are willing to use a RedHat derivative. (Don't try to impress me with your Slackware bigotry; the only thing Slackware does better than RedHat is allow you to shoot yourself in the foot with compiled source rather than packages. It still hurts.) Another good place is LinuxSecurity.com. The Linux Security HOW-TO is another good place to start. You'll notice none of them advocate things like your fake Telnet server.


RE (tilly) 3: Echo off in IO::Sockets
by tilly (Archbishop) on Sep 04, 2000 at 20:27 UTC
    Not to reply to everything you write today, but seconded and agreed. In addition, using ftp for administration is a bad idea. It doesn't matter whether nobody knows what ftpd you have, you are still sending your passwords in the clear to your box where anyone can pick them up!

    Rather than trying to think up cool security tricks, spend some time learning what people who have been doing this for some time think. I might have given a different list than Ozymandias did, but I don't disagree with anything he listed and he gave you enough reading material for a bit.
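What "sending your passwords in the clear" looks like on the wire, as an added example (this is not code from the thread or from either poster): given a reassembled TCP conversation, as you would pull out of a packet capture, the login is recoverable from an FTP session (RFC 959 USER/PASS) and from a telnet session (the name and password are just typed at the prompts). The two sessions below are constructed, the host name is made up, the IAC stripping covers only the negotiation forms shown, and the helper names are ad hoc rather than any library's API. Note that in the telnet case the server's WILL ECHO (the "echo off" of this thread's title) only stops the password from being shown on the user's screen; the client still sends it as plain text.

```python
import re
from typing import List, Optional, Tuple

# One reassembled conversation: ("C", payload) is client->server,
# ("S", payload) is server->client, in the order they were seen.
Segment = Tuple[str, bytes]

IAC, SB, SE = 0xFF, 0xFA, 0xF0
WILL, WONT, DO, DONT = 0xFB, 0xFC, 0xFD, 0xFE


def strip_telnet_iac(data: bytes) -> bytes:
    """Drop telnet option negotiation (IAC sequences) from a stream so only
    the characters the user typed or saw remain. An escaped IAC (IAC IAC)
    is a literal 0xFF and is kept."""
    out = bytearray()
    i = 0
    while i < len(data):
        b = data[i]
        if b != IAC:
            out.append(b)
            i += 1
            continue
        if i + 1 >= len(data):          # truncated sequence at end of segment
            break
        cmd = data[i + 1]
        if cmd == IAC:                  # IAC IAC -> literal 0xFF
            out.append(IAC)
            i += 2
        elif cmd == SB:                 # subnegotiation: skip to IAC SE
            end = data.find(bytes([IAC, SE]), i + 2)
            i = len(data) if end < 0 else end + 2
        elif cmd in (WILL, WONT, DO, DONT):   # three-byte option command
            i += 3
        else:                           # two-byte command (NOP, GA, ...)
            i += 2
    return bytes(out)


FTP_CMD = re.compile(rb"^(USER|PASS) (.*)$", re.IGNORECASE)


def ftp_login(segments: List[Segment]) -> Optional[Tuple[str, str]]:
    """Return (user, password) from the client side of an FTP control
    channel, or None if no complete USER/PASS pair was sent."""
    client = b"".join(p for d, p in segments if d == "C")
    user = None
    for line in client.split(b"\r\n"):
        m = FTP_CMD.match(line)
        if not m:
            continue
        cmd, arg = m.group(1).upper(), m.group(2).decode("latin-1")
        if cmd == b"USER":
            user = arg                  # a new USER starts a new attempt
        elif cmd == b"PASS" and user is not None:
            return user, arg
    return None


def telnet_login(segments: List[Segment]) -> Optional[Tuple[str, str]]:
    """Walk the conversation: the line the client types after the server
    shows 'login:' is the user name, the one after 'Password:' is the
    password. With echo off the password never appears in the server's
    output, but it is still right there in the client's segments."""
    user = password = None
    expecting = None
    typed = b""
    for direction, payload in segments:
        if direction == "S":
            text = strip_telnet_iac(payload).lower()
            if b"login:" in text:
                expecting, typed = "user", b""
            elif b"password:" in text:
                expecting, typed = "pass", b""
        else:
            typed += strip_telnet_iac(payload)
            if b"\r" in typed or b"\n" in typed:
                # telnet clients end a line with CR LF or CR NUL
                line = re.split(rb"[\r\n]", typed, maxsplit=1)[0]
                line = line.rstrip(b"\x00").decode("latin-1")
                if expecting == "user":
                    user = line
                elif expecting == "pass":
                    password = line
                expecting, typed = None, b""
                if user is not None and password is not None:
                    return user, password
    return None


# Constructed FTP login (not a real capture).
FTP_SESSION: List[Segment] = [
    ("S", b"220 ftp.example.test FTP server ready.\r\n"),
    ("C", b"USER alice\r\n"),
    ("S", b"331 Password required for alice.\r\n"),
    ("C", b"PASS hunter2\r\n"),
    ("S", b"230 User alice logged in.\r\n"),
]

# Constructed telnet login (not a real capture).
TELNET_SESSION: List[Segment] = [
    ("S", b"\xff\xfd\x18\xff\xfd\x20login: "),      # DO TTYPE, DO NAWS, prompt
    ("C", b"\xff\xfc\x18\xff\xfc\x20alice\r\n"),    # WONT TTYPE, WONT NAWS, name
    ("S", b"\xff\xfb\x01Password: "),               # WILL ECHO: server handles echo, shows nothing
    ("C", b"hunter2\r\n"),                          # password, still plain text on the wire
    ("S", b"\xff\xfc\x01\r\nWelcome.\r\n$ "),       # WONT ECHO: back to normal
]

if __name__ == "__main__":
    print("FTP:   ", ftp_login(FTP_SESSION))
    print("telnet:", telnet_login(TELNET_SESSION))
```

Anyone on the path between the administrator and the box, or on the same shared segment as either end, gets exactly these two tuples; the "secret" ftpd or the fake telnet server changes nothing about that.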
