From: "Nikolay Kanchev" <niki@amk-drives.bg>
To: freebsd-security@freebsd.org
Date: Tue, 16 Sep 2003 13:38:11 +0100
Subject: Re: boot -s - can i detect intruder

Thanks all.

I know that if someone has physical access to my servers they can penetrate them. And this is a reason to test these guys with this fake server. Some of them think that they are "hackers" and try to crack passwords, install backdoors, etc. For now not very successfully ;-)

I will try to mod the kernel; hardware keyloggers are expensive for me.

The test is complete after one week, and I'm not sure that I have time to mod the kernel, but now I have found one free security camera and will install it in the room with the box and capture the guys' activity, so that I will have proof :-)

Best Regards
Nikolay Kanchev

----- Original Message -----
From: "G Hasse"
To: "Jason Stone"
Cc: "Nikolay Kanchev"
Sent: Tuesday, September 16, 2003 1:16 PM
Subject: Re: boot -s - can i detect intruder

On Tue, 16 Sep 2003, Jason Stone wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> > Several people have physical access to my FreeBSD box and I have the feeling
> > that somebody tries to get access with the boot -s option. Can I log activity
> > after the boot -s option (change user password, install software, etc.)?
> > I use boot -s and change a user password, but after reboot I can't find this
> > activity in the log files.
> > The BSD box is shut down and run again many times a day.
>
> Well, there might be some stuff you can do - maybe you can mod the kernel
> to log every execve(2) to a serial port or a line printer - maybe you
> could even log over the net or something.
>
> I've seen some patches to bash floating around that make logging of
> command history mandatory - this is a pretty useless approach if your
> attacker is at all sophisticated, but if the attacker is really clueless,
> it might help. Of course in this case, writing to disk will be
> problematic, because when you start up, the filesystem will be mounted
> read-only, and you can't necessarily count on any particular filesystem
> ever being read-write, and if a filesystem does become read-write, you'll
> have to take advantage of it quickly, because you don't know how long it's
> going to stay read-write.
>
> You could get a hardware keystroke logger - thinkgeek.com has one, and
> another company I forget the name of - find the tinfoilhat linux webpage,
> and start following links. If the attacker doesn't think to look for
> something like this, and if you have the money to spend, this might be the
> easiest approach for you.

Note that on line 429 in init_main.c (FreeBSD 4.8) there is a list of shells to run. Normally /sbin/init is run, and in single-user mode the user can select a shell of his own (normally sh). In that case it is possible to replace the normal sh with a shell that logs every command to a line printer.

Göran Hasse

----------------------------------------------------------------
Göran Hasse                email: gh@raditex.se     Tel: 08-6949270
Raditex AB                 http://www.raditex.se    Fax: 08-4420570
Sickla Alle 7, 1tr                                  Mob: 070-5530148
131 34 NACKA, SWEDEN
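A sketch of the logging single-user shell Göran describes, as an added example that is not part of this thread and not FreeBSD's own code: it records each command line to a write-only device before handing it to the real /bin/sh, so the record survives even though the root filesystem is read-only at that point. The device path /dev/lpt0, the script name logsh and the variables LOGSH_DEV and LOGSH_REAL_SHELL are assumptions made for the example.

```shell
#!/bin/sh
# logsh: a wrapper shell for single-user mode that records every command
# line to a write-only device before handing it to the real shell.
# Added example, not code from the thread or from FreeBSD. The device
# path, script name and variable names below are assumptions.
#
# Why a device and not a file: in single-user mode the root filesystem is
# mounted read-only, so the log target must be something that accepts
# writes regardless, such as a line printer or a serial console.

LOGSH_DEV="${LOGSH_DEV:-/dev/lpt0}"            # assumed: parallel printer device
LOGSH_REAL_SHELL="${LOGSH_REAL_SHELL:-/bin/sh}"

# logsh_record DEV KIND TEXT
# Append one timestamped record of the form "<stamp> tty=<tty> <kind> <text>".
logsh_record() {
    dev="$1"; kind="$2"; text="$3"
    stamp=$(date "+%Y-%m-%d %H:%M:%S")
    where=$(tty 2>/dev/null) || where='?'
    printf '%s tty=%s %s %s\n' "$stamp" "$where" "$kind" "$text" >> "$dev"
}

# logsh_loop: read command lines from stdin; log each line *before* it runs
# (so an interrupted or killed command is still on record) and log its
# exit status afterwards.
logsh_loop() {
    logsh_record "$LOGSH_DEV" start "single-user shell pid=$$"
    while printf '# ' && IFS= read -r line; do
        [ -z "$line" ] && continue
        logsh_record "$LOGSH_DEV" cmd "$line"
        rc=0
        "$LOGSH_REAL_SHELL" -c "$line" || rc=$?
        logsh_record "$LOGSH_DEV" rc "$rc $line"
    done
    logsh_record "$LOGSH_DEV" end "single-user shell pid=$$"
}

# Start the interactive loop only when installed and invoked as "logsh";
# sourcing the file (for example in a test) just defines the functions.
case "${0##*/}" in
    logsh) logsh_loop ;;
esac
```

To use it the way the message suggests, the script would be installed as the single-user shell that init runs, with the printer or serial line connected to a host the people with physical access cannot reach. It records what was typed and whether it succeeded, including a command that starts a different shell, but anything run inside that other shell is outside its view, and someone who can boot the box from other media bypasses it entirely; it is evidence gathering, not access control. A cheaper check in the same spirit is marking the console line "insecure" in /etc/ttys, which makes init ask for the root password before it starts the single-user shell at all.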