On Mon, Dec 03, 2001 at 02:21:07PM +0100, Mathias Gygax wrote: > On Son, Dez 02, 2001 at 08:47:41 +1000, mdevin@ozemail.com.au wrote: > > Don't forget to protect lidsadm binary. This is the interface for > supplying a password to deactivate the features in the kernel. > The password can't be cracked directly (brute force or either) because > of a trojaned lidsadm binary. But they [the attackers] could intercept > the password with a trojaned interface. > > > Prior to doing this though, I am going to re-write my iptables firewall > > to include NAT (masquerading) for my internal LAN and install libsafe. > > Give the openwall non-exex-stack patch a thrill. Many buffer-overflows > (yet not every flavour is protected) will not work any more. Libsafe IIRC is > good for the format string vulns, but if you can, protect it in the > kernel. > > Fefe did a start on writting diet libc for a better protected libc: > http://www.fefe.de/dietlibc/ > I am just a little confused now on the libsafe / openwall / dietlibc stuff. Is it recommended to do all 3? From what I can see, there doesn't seem to be an openwall patch yet for 2.4 kernels and dietlibc seems to be providing a cut-down libc to create smaller binaries by statically linking etc. I was just going to install libsafe and LIDS. Are you recommending more? When you mentioned that you were going to set up a computer with LIDS and hand-out root passwords to everybody for a challenge to try and crack it; What will you have installed on this computer? Will it be LIDS and libsafe for the protection or more? Thanks Mark.
Attachment:
pgpr0ku_BHkKy.pgp
Description: PGP signature