Date: Sun, 20 Apr 2003 16:36:00 -0500 From: kitsune <kitsune@gmx.co.uk> To: Dan <suedes098@yahoo.com> Cc: freebsd-questions@freebsd.org Subject: Re: running freebsd in read only mode And avoiding ssh man-in-the-middle Message-ID: <20030420163600.46cb1d37.kitsune@gmx.co.uk> In-Reply-To: <20030419150301.52046.qmail@web10005.mail.yahoo.com> References: <20030420105711.5b213c20.kitsune@gmx.co.uk> <20030419150301.52046.qmail@web10005.mail.yahoo.com>
next in thread | previous in thread | raw e-mail | index | archive | help
On Sat, 19 Apr 2003 08:03:01 -0700 (PDT) Dan <suedes098@yahoo.com> wrote: > > --- kitsune <kitsune@gmx.co.uk> wrote: > > On Sat, 19 Apr 2003 07:20:19 -0700 (PDT) > > Dan <suedes098@yahoo.com> wrote: > > > > > Hello, > > > > > > I'm looking into how i can run freebsd in > > read-only > > > mode. I looked around for info on this, but was > > > unsuccesful at finding anything that helped me in > > my > > > particular situation. I'm involved in a security > > > contest kind of like defcon at my college. Of > > course i > > > picked FreeBsd as my O.S. to secure. I am on the > > > defensive side of the game, and get points for the > > > more access and services i allow to the attackers. > > So > > > here is the situation. What i would like to be > > able to > > > do is boot into freebsd and have it be completely > > > read-only. For example, if i give a user shell > > access > > > they can't change anything, they can use the > > programs, > > > but not create or delete anyfiles what so ever. I > > want > > > to be able to run a lot of services, and not allow > > > succesful attacks to change anything on the > > compute > > > that way they can have telnet and all the weekest > > > protocls freely open, and even if they sniff my > > > administration password through a man in the > > middle > > > attacker or what not they can't change it or do > > > anything to affect the comp. > > > Any suggestions, or help would be greatly > > > appreciated. > > > > > > Dan > > > > It is possible of mounting everything that is needed > > as read only. But that won't a dif if ye are running > > services that are not secure since thay will > > continue to present a threat. If they can get the > > root password it does not make a dif since then the > > can just easily be remounted so it is writable. > > > > Like in other OSes, it is best not to take stupid > > risks with dangerous services and make sure all the > > file permissions are good. > > ok sounds like the voice of reason to me. then on > another note, how can i make sure that i do not fall > under a man in the middle attack, while sshing to my > box? last semester the game was one by one team who > simply man in the middled, everyone and just collected > all the passwords. Any suggestions?? and thank you > very much for the advice, although i will lookinto it > a little more, it looks like i won't take that path. > > Dan Heavy encryption. Encryt it twice and maybe even compress it at the same time. This requires the person in the middle actually know what is going on if the person is the middle wishes to make sense of it. Here is some fun stuff http://www.freebsd.org/cgi/url.cgi?ports/security/zebedee/pkg-descr http://www.freebsd.org/cgi/url.cgi?ports/security/sslwrap/pkg-descr http://www.freebsd.org/cgi/url.cgi?ports/security/bjorb/pkg-descr http://www.freebsd.org/cgi/url.cgi?ports/security/sslproxy/pkg-descr http://www.freebsd.org/cgi/url.cgi?ports/security/stunnel/pkg-descr http://www.freebsd.org/cgi/url.cgi?ports/net/SSLtelnet/pkg-descr http://www.freebsd.org/cgi/url.cgi?ports/security/slush/pkg-descr
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20030420163600.46cb1d37.kitsune>