Date: Mon, 26 Jun 2000 07:54:54 +0200
From: Poul-Henning Kamp <phk@critter.freebsd.dk>
To: Gerhard Sittig <Gerhard.Sittig@gmx.net>
Cc: security@FreeBSD.ORG
Subject: Re: jail(8) Honeypots
Message-ID: <15310.961998894@critter.freebsd.dk>
In-Reply-To: Your message of "Sun, 25 Jun 2000 22:35:49 +0200." <20000625223549.I9883@speedy.gsinet>
In message <20000625223549.I9883@speedy.gsinet>, Gerhard Sittig writes:
>On Sun, Jun 25, 2000 at 20:13 +0200, Poul-Henning Kamp wrote:
>>
>> Jails(8) are probably the currently safest way to do it, but
>> not the most "authentic" looking way. Finding out that you're
>> in a jail is trivial and I presume that it will become common
>> knowledge for script-kiddies RSN.
>
>Besides the /proc/$PID/status field and the 'J' in ps' status
>field - which I feel to be cosmetic or for plain information and
>not really the final word - what other criteria would there be to
>check? I can't think of any -- at least not a reliable one.

Bind a socket at 127.0.0.1 and notice with getsockname() that it
isn't. Ping doesn't work. I believe "kill -0 1" will also tell you.

>This leads to the question: Was the intent behind the jail(2)
>mechanism to isolate a process group or was it to fake a machine?
>I guess it was the former, but could be turned into the latter.
>And I'm sure you will tell me if I'm wrong. :)

The former, and significant amounts of code will have to be written
to make it the latter.

--
Poul-Henning Kamp       | UNIX since Zilog Zeus 3.20
phk@FreeBSD.ORG         | TCP/IP since RFC 956
FreeBSD coreteam member | BSD since 4.3-tahoe
Never attribute to malice what can adequately be explained by incompetence.
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?15310.961998894>
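The three tell-tales named in the reply above (a 127.0.0.1 bind that getsockname() reports as a different address, raw ICMP sockets being refused so ping fails, and PID 1 not being visible to "kill -0 1") as a small self-check a process can run on itself. This is an added example written for this page, not code from the thread or from FreeBSD; the function names are the example's own. It assumes a POSIX host and the jail(2) behaviour of the era: loopback binds rewritten to the jail's address, raw sockets disabled inside the jail, and the jail's process view not containing the host's init. The pure classifiers (loopback_rewritten, init_visible_from) can be exercised with constructed values; the probe_* functions run live against the kernel.

```c
/* Added example, not part of the original thread. Probes a process can
 * run on itself for the in-jail signs Poul-Henning Kamp lists. Assumes
 * a POSIX host; behaviour attributed to jail(2) is that of the era. */
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Pure check used by the loopback probe: 1 if the address a bound
 * socket reports is not 127.0.0.1, which is what a jail of that era
 * does to loopback binds (they become the jail's own address). */
int loopback_rewritten(const struct sockaddr_in *sa)
{
    return ntohl(sa->sin_addr.s_addr) != INADDR_LOOPBACK;
}

/* Same check from a dotted-quad string, convenient for testing. */
int addr_is_rewritten(const char *dotted)
{
    struct sockaddr_in sa;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_addr.s_addr = inet_addr(dotted);
    return loopback_rewritten(&sa);
}

/* Interpret the result of kill(1, 0). EPERM means PID 1 exists but we
 * may not signal it (normal for an unprivileged process); ESRCH means
 * there is no PID 1 in our view of the process table, which on a bare
 * host never happens for init. Returns 1 if PID 1 is visible, 0 if it
 * is not, -1 for any other outcome. */
int init_visible_from(int rc, int err)
{
    if (rc == 0) return 1;
    if (err == EPERM) return 1;
    if (err == ESRCH) return 0;
    return -1;
}

/* Live probe: bind a TCP socket to 127.0.0.1 and ask the kernel what
 * we actually got. Returns 1 if rewritten, 0 if it really is 127.0.0.1,
 * -1 on error (e.g. no loopback interface in a restricted sandbox). */
int probe_loopback(void)
{
    struct sockaddr_in want, got;
    socklen_t len = sizeof got;
    int fd = socket(AF_INET, SOCK_STREAM, 0), r;

    if (fd < 0) return -1;
    memset(&want, 0, sizeof want);
    want.sin_family = AF_INET;
    want.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    want.sin_port = 0;                      /* any free port */
    if (bind(fd, (struct sockaddr *)&want, sizeof want) < 0 ||
        getsockname(fd, (struct sockaddr *)&got, &len) < 0) {
        close(fd);
        return -1;
    }
    r = loopback_rewritten(&got);
    close(fd);
    return r;
}

/* Live probe for "kill -0 1". */
int probe_init(void)
{
    int rc = kill(1, 0);
    return init_visible_from(rc, rc < 0 ? errno : 0);
}

/* Live probe for "ping doesn't work": ping needs a raw ICMP socket.
 * Raw sockets need privilege everywhere, so this only says something
 * when run as root: root outside a jail gets a socket, root inside a
 * jail of that era gets EPERM. Returns 1 allowed, 0 refused, -1 other. */
int probe_raw_socket(void)
{
    int fd = socket(AF_INET, SOCK_RAW, IPPROTO_ICMP);
    if (fd >= 0) { close(fd); return 1; }
    return (errno == EPERM || errno == EACCES) ? 0 : -1;
}

int main(void)
{
    int lo = probe_loopback(), init = probe_init(), raw = probe_raw_socket();
    printf("loopback rewritten : %d\n", lo);
    printf("PID 1 visible      : %d\n", init);
    printf("raw socket allowed : %d (uid %d)\n", raw, (int)getuid());
    if (lo == 1 || init == 0 || (raw == 0 && getuid() == 0))
        puts("looks like a jail");
    else
        puts("no jail tell-tale found");
    return 0;
}
```

None of the three probes is conclusive on its own: the raw-socket check is meaningless for an unprivileged process, and a future kernel could legitimately return a different loopback address or hide PID 1 for other reasons, so treat a positive result as a hint rather than proof, which is the point of the reply's "not a reliable one".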