boot -s - can i detect intruder

Nikolay Kanchev niki at amk-drives.bg
Tue Sep 16 03:39:03 PDT 2003


Thanks all

I know that if someone has physical access to my servers, they can penetrate into
them. And this is a reason to test these guys with this fake server. Some of
them think that they are "hackers" and try to crack passwords, install
backdoors, etc. For now not very successfully ;-)

I will try to mod the kernel; hardware keyloggers are expensive for me.

The test completes after one week and I'm not sure that I have time to mod the
kernel, but now I have found one free security camera and will install it in the
room with the box and capture the guys' activity, so that I will have proof :-)

Best Regards
Nikolay Kanchev


----- Original Message ----- 
From: "G Hasse" <gh at raditex.se>
To: "Jason Stone" <freebsd-security at dfmm.org>
Cc: "Nikolay Kanchev" <niki at amk-drives.bg>
Sent: Tuesday, September 16, 2003 1:16 PM
Subject: Re: boot -s - can i detect intruder


On Tue, 16 Sep 2003, Jason Stone wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
>
> > Several people have physical access to my FreeBSD box and I have the
> > feeling that somebody tries to get access with boot -s options. Can I log
> > activity after boot -s option (change user password, install software, etc.)?
> > I use boot -s and change user password, but after reboot I can't find this
> > activity in log files.
> > The BSD box is shut down and run again many times a day.
>
> Well, there might be some stuff you can do - maybe you can mod the kernel
> to log every execve(2) to a serial port or a line printer - maybe you
> could even log over the net or something.
>
> I've seen some patches to bash floating around that make logging of
> command history mandatory - this is a pretty useless approach if your
> attacker is at all sophisticated, but if the attacker is really clueless,
> it might help.  Of course in this case, writing to disk will be
> problematic, because when you start up, the filesystem will be mounted
> read-only, and you can't necessarily count on any particular filesystem
> ever being read-write, and if a filesystem does become read-write, you'll
> have to take advantage of it quickly, because you don't know how long it's
> going to stay read-write.
>
> You could get a hardware keystroke logger - thinkgeek.com has one, and
> another company I forget the name of - find the tinfoilhat linux webpage,
> and start following links.  If the attacker doesn't think to look for
> something like this, and if you have the money to spend, this might be the
> easiest approach for you.

Note that on line 429 in init_main.c (FreeBSD 4.8) there is a list
of shells to run. Normally /sbin/init is run and in single user mode
the user could select a shell of his own (normally sh). In that case
it is possible to replace the normal sh and have a shell that logs
every command to a line-printer.

Göran Hasse

----------------------------------------------------------------
Göran Hasse            email: gh at raditex.se     Tel: 08-6949270
Raditex AB             http://www.raditex.se    Fax: 08-4420570
Sickla Alle 7, 1tr                              Mob: 070-5530148
131 34  NACKA, SWEDEN
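A minimal version of the logging shell Göran describes, as an added example that is not from the thread, from FreeBSD or from raditex: it appends each command line to a write-only sink (a serial port or line printer, which survives a read-only root and later log tampering) before running it. LOGSH_SINK and LOGSH_RUN are assumed names; /dev/cuaa0 is the first serial port on FreeBSD 4.x.

```shell
#!/bin/sh
# Hypothetical logging shell for single-user mode (added example, not from the
# thread). Offered at the single-user prompt instead of /bin/sh, it records every
# command line to an append-only sink before executing it, so the record exists
# even if the on-disk logs are wiped afterwards. LOGSH_SINK is an assumed name;
# /dev/cuaa0 is the first serial port on FreeBSD 4.x. Point it at a file to test.

LOGSH_SINK="${LOGSH_SINK:-/dev/cuaa0}"

# log_line: write one timestamped record to the sink. Only date(1) and printf are
# used, since / is still mounted read-only at this stage of boot.
log_line() {
    printf '%s single-user cmd: %s\n' "$(date '+%Y-%m-%d %H:%M:%S')" "$1" >> "$LOGSH_SINK"
}

# logging_shell: read commands from stdin, log each one, then run it with sh -c.
# Blank lines and comments are skipped; "exit" is logged and ends the session.
# Returns the exit status of the last command that was run.
logging_shell() {
    status=0
    while IFS= read -r cmd; do
        case "$cmd" in
            ''|'#'*) continue ;;
            exit|'exit '*) log_line "$cmd"; break ;;
        esac
        log_line "$cmd"        # record first, so an interrupted command is still logged
        sh -c "$cmd"
        status=$?
    done
    return $status
}

# When started as the actual single-user shell (LOGSH_RUN=1), run the loop on
# the console; when sourced for testing, only the functions are defined.
if [ "${LOGSH_RUN:-}" = "1" ]; then
    printf 'single-user shell: commands are logged to %s\n' "$LOGSH_SINK"
    logging_shell
fi
```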
