From: kitsune
To: Dan
cc: freebsd-questions@freebsd.org
Date: Sun, 20 Apr 2003 16:36:00 -0500
Subject: Re: running freebsd in read only mode And avoiding ssh man-in-the-middle
Message-Id: <20030420163600.46cb1d37.kitsune@gmx.co.uk>
In-Reply-To: <20030419150301.52046.qmail@web10005.mail.yahoo.com>

On Sat, 19 Apr 2003 08:03:01 -0700 (PDT)
Dan wrote:

>
> --- kitsune wrote:
> > On Sat, 19 Apr 2003 07:20:19 -0700 (PDT)
> > Dan wrote:
> >
> > > Hello,
> > >
> > > I'm looking into how I can run FreeBSD in read-only mode. I
> > > looked around for info on this, but was unsuccessful at finding
> > > anything that helped me in my particular situation. I'm involved
> > > in a security contest kind of like defcon at my college. Of
> > > course I picked FreeBSD as my O.S. to secure. I am on the
> > > defensive side of the game, and get points for the more access
> > > and services I allow to the attackers. So here is the situation.
> > > What I would like to be able to do is boot into FreeBSD and have
> > > it be completely read-only. For example, if I give a user shell
> > > access they can't change anything, they can use the programs,
> > > but not create or delete any files whatsoever. I want to be able
> > > to run a lot of services, and not allow successful attacks to
> > > change anything on the computer; that way they can have telnet
> > > and all the weakest protocols freely open, and even if they
> > > sniff my administration password through a man in the middle
> > > attacker or what not they can't change it or do anything to
> > > affect the comp.
> > > Any suggestions, or help would be greatly appreciated.
> > >
> > > Dan
> >
> > It is possible to mount everything that is needed as read only.
> > But that won't make a dif if ye are running services that are not
> > secure since they will continue to present a threat. If they can
> > get the root password it does not make a dif since then it can
> > just easily be remounted so it is writable.
> >
> > Like in other OSes, it is best not to take stupid risks with
> > dangerous services and make sure all the file permissions are
> > good.
>
> ok sounds like the voice of reason to me. then on another note, how
> can I make sure that I do not fall under a man in the middle attack,
> while sshing to my box? last semester the game was won by one team
> who simply man in the middled everyone and just collected all the
> passwords. Any suggestions?? and thank you very much for the advice,
> although I will look into it a little more, it looks like I won't
> take that path.
>
> Dan

Heavy encryption. Encrypt it twice and maybe even compress it at the
same time. This requires the person in the middle actually know what
is going on if the person in the middle wishes to make sense of it.

Here is some fun stuff

http://www.freebsd.org/cgi/url.cgi?ports/security/zebedee/pkg-descr
http://www.freebsd.org/cgi/url.cgi?ports/security/sslwrap/pkg-descr
http://www.freebsd.org/cgi/url.cgi?ports/security/bjorb/pkg-descr
http://www.freebsd.org/cgi/url.cgi?ports/security/sslproxy/pkg-descr
http://www.freebsd.org/cgi/url.cgi?ports/security/stunnel/pkg-descr
http://www.freebsd.org/cgi/url.cgi?ports/net/SSLtelnet/pkg-descr
http://www.freebsd.org/cgi/url.cgi?ports/security/slush/pkg-descr