Hi list,

Several people have physical access to my FreeBSD box and I have the feeling that somebody tries to get access with boot -s options. Can I log activity after a boot -s option (change user password, install software, etc.)? I use boot -s and change a user password, but after reboot I can't find this activity in the log files. The BSD box is shut down and run again many times a day.

Best regards,

Nikolay Kanchev
E-mail: niki@amk-drives.bg
On Tue, 16 Sep 2003 11:02:05 +0100 "Nikolay Kanchev" <niki@amk-drives.bg> wrote:

> Several people have physical access to my FreeBSD box and I have the
> feeling that somebody tries to get access with boot -s options. Can I
> log activity after a boot -s option (change user password, install
> software, etc.)? I use boot -s and change a user password, but after
> reboot I can't find this activity in the log files.
> The BSD box is shut down and run again many times a day.

Why not set console in /etc/ttys to insecure? Then you can't login without a password.

br
socketd
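As an added example (not part of the thread) of checking the setting socketd describes: a small POSIX sh audit that reads an /etc/ttys file, reports whether the console entry is marked secure or insecure, and rewrites a secure entry. The two ttys fragments are constructed samples, not the poster's file.

```sh
#!/bin/sh
# Added example, not from the thread. FreeBSD's init consults the last
# field of the console entry in /etc/ttys: "secure" lets single-user
# mode drop straight into a root shell, "insecure" makes init ask for
# the root password first. Both samples below are constructed.

# Constructed sample: the default entry, weak for this threat model.
WEAK_TTYS='# name   getty   type    status  comments
console none    unknown off     secure
ttyv0   "/usr/libexec/getty Pc" cons25  on      secure'

# Constructed sample: the same file with the console entry corrected.
FIXED_TTYS='# name   getty   type    status  comments
console none    unknown off     insecure
ttyv0   "/usr/libexec/getty Pc" cons25  on      secure'

# Print the secure/insecure keyword of the console entry read from stdin.
# Prints nothing if there is no console line at all.
console_flag() {
    awk '$1 == "console" { for (i = 2; i <= NF; i++)
        if ($i == "secure" || $i == "insecure") { print $i; exit } }'
}

# Return 0 when single-user mode will demand the root password, 1 otherwise
# (a missing console entry is treated as weak).
single_user_needs_password() {
    [ "$(console_flag)" = "insecure" ]
}

# Rewrite a "secure" console entry to "insecure"; other lines pass through
# untouched (only the modified record is rebuilt, tab-separated).
mark_console_insecure() {
    awk '$1 == "console" { for (i = 2; i <= NF; i++)
        if ($i == "secure") $i = "insecure" } { print }' OFS='\t'
}

# Demonstration on the constructed samples.
for sample in WEAK_TTYS FIXED_TTYS; do
    eval "ttys=\$$sample"
    if printf '%s\n' "$ttys" | single_user_needs_password; then
        echo "$sample: single-user mode prompts for the root password"
    else
        echo "$sample: single-user mode gives a root shell without a password"
    fi
done
```

This only gates the single-user shell; it does nothing against booting other media or pulling the disk, the scenarios raised elsewhere in the thread.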
On Tue, 16 Sep 2003, Socketd wrote:

> > The BSD box is shut down and run again many times a day.

Why is the box shut down??? Are you doing kernel development or advanced device driver development? Why are there many persons on such a system in that case? And if you are doing kernel development, all must have root access anyway? There is *no* reason to shut down the system in ordinary maintenance!

GH
----------------------------------------------------------------
Göran Hasse           email: gh@raditex.se      Tel: 08-6949270
Raditex AB            http://www.raditex.se     Fax: 08-4420570
Sickla Alle 7, 1tr                              Mob: 070-5530148
131 34 NACKA, SWEDEN
> Several people have physical access to my FreeBSD box and I have the feeling
> that somebody tries to get access with boot -s options. Can I log activity
> after a boot -s option (change user password, install software, etc.)?
> I use boot -s and change a user password, but after reboot I can't find this
> activity in the log files.
> The BSD box is shut down and run again many times a day.

Well, there might be some stuff you can do - maybe you can mod the kernel to log every execve(2) to a serial port or a line printer - maybe you could even log over the net or something.

I've seen some patches to bash floating around that make logging of command history mandatory - this is a pretty useless approach if your attacker is at all sophisticated, but if the attacker is really clueless, it might help. Of course in this case, writing to disk will be problematic, because when you start up, the filesystem will be mounted read-only, and you can't necessarily count on any particular filesystem ever being read-write, and if a filesystem does become read-write, you'll have to take advantage of it quickly, because you don't know how long it's going to stay read-write.

You could get a hardware keystroke logger - thinkgeek.com has one, and another company I forget the name of - find the tinfoilhat linux webpage, and start following links. If the attacker doesn't think to look for something like this, and if you have the money to spend, this might be the easiest approach for you.

If someone has physical access to your machine, though, there's only so much you can do. The attacker can boot external media like floppies or CDs, and then alter your disk from there. You could configure the machine not to boot external media and set a BIOS password, but then the attacker could just open the machine, take the hard disk out, plug it into another computer and alter it there.

Really the only thing you can do is to limit physical access - unless you are prepared to shell out for tamper-proof machines with crypto hardware, anyone with physical access can take over your system.

-Jason

--------------------------------------------------------------------------
Freud himself was a bit of a cold fish, and one cannot avoid the suspicion that he was insufficiently fondled when he was an infant.
-- Ashley Montagu
Thanks all,

I know that if someone has physical access to my servers they can penetrate them. And this is the reason to test these guys with this fake server. Some of them think that they are "hackers" and try to crack passwords, install backdoors, etc. For now not very successfully ;-)

I will try to mod the kernel; hardware keyloggers are expensive for me. The test completes after one week and I'm not sure that I have time to mod the kernel, but now I have found one free security camera and will install it in the room with the box and capture the guys' activity, so that I will have proof :-)

Best Regards,
Nikolay Kanchev

----- Original Message -----
From: "G Hasse" <gh@raditex.se>
To: "Jason Stone" <freebsd-security@dfmm.org>
Cc: "Nikolay Kanchev" <niki@amk-drives.bg>
Sent: Tuesday, September 16, 2003 1:16 PM
Subject: Re: boot -s - can i detect intruder

On Tue, 16 Sep 2003, Jason Stone wrote:

> > > Several people have physical access to my FreeBSD box and I have the feeling
> > > that somebody tries to get access with boot -s options. Can I log activity
> > > after a boot -s option (change user password, install software, etc.)?
> > > I use boot -s and change a user password, but after reboot I can't find this
> > > activity in the log files.
> > > The BSD box is shut down and run again many times a day.
>
> Well, there might be some stuff you can do - maybe you can mod the kernel
> to log every execve(2) to a serial port or a line printer - maybe you
> could even log over the net or something.
>
> I've seen some patches to bash floating around that make logging of
> command history mandatory - this is a pretty useless approach if your
> attacker is at all sophisticated, but if the attacker is really clueless,
> it might help. Of course in this case, writing to disk will be
> problematic, because when you start up, the filesystem will be mounted
> read-only, and you can't necessarily count on any particular filesystem
> ever being read-write, and if a filesystem does become read-write, you'll
> have to take advantage of it quickly, because you don't know how long it's
> going to stay read-write.
>
> You could get a hardware keystroke logger - thinkgeek.com has one, and
> another company I forget the name of - find the tinfoilhat linux webpage,
> and start following links. If the attacker doesn't think to look for
> something like this, and if you have the money to spend, this might be the
> easiest approach for you.

Note that on line 429 in init_main.c (FreeBSD 4.8) there is a list of shells to run. Normally /sbin/init is run and in single user mode the user can select a shell of his own (normally sh). In that case it is possible to replace the normal sh and have a shell that logs every command to a line printer.

Göran Hasse
Maybe a hidden web cam. I'm told there are some that fire up triggered by motion.

mario

- - - - - - - - House Of Sites - - - - - - - -
Web Design :: Programming :: Hosting :: Maintenance
Web site: http://www.HouseOfSites.net
Email: mario@HouseOfSites.net
Tel: 415-242-3376

> Hi list
>
> Several people have physical access to my FreeBSD box and I have the
> feeling that somebody tries to get access with boot -s options. Can I log
> activity after a boot -s option (change user password, install software,
> etc.)? I use boot -s and change a user password, but after reboot I
> can't find this activity in the log files.
> The BSD box is shut down and run again many times a day.
>
> Best regards,
>
> Nikolay Kanchev
>
> E-mail: niki@amk-drives.bg