[CentOS] an actual hacked machine, in a preserved state

Lamar Owen lowen at pari.edu
Thu Jan 5 19:58:02 UTC 2012


On Thursday, January 05, 2012 02:25:50 PM Ljubomir Ljubojevic wrote:
> What is sentiment about having dedicated box with only ssh, and then use 
> that one to raise ssh tunnels to inside systems? So there is no exploits 
> to be used, denyhosts in effect?

Without being too specific, I already do this sort of thing, but with two 'bastion' hosts in a failover/load-balanced scenario on physical server hardware.

I use a combination of firewalling to keep incoming on port 22 out of the other hosts, using NAT rules, Cisco incoming and outgoing ACLs on the multiple routers between the servers and the 'outside' world, iptables, and other means.  In particular, Cisco's NAT 'extendable' feature enables interesting layer 4 switching possibilities.

I'm not going to say that it's perfectly secure and won't ever allow a penetration, but it seems to be doing a pretty good job at the moment.

Improvements I could make would include:
1.) Boot and run the bastion hosts from customized LiveCD or LiveDVD on real DVD-ROM read-only drives with no persistent storage (updating the LiveCD/DVD image periodically with updates and with additional authentication users/data as needed; DVD+RW works very well for this as long as the boot drive is a DVD-ROM and not an RW drive!);
2.) Scheduled rolling reboots of the bastion hosts using a physical power timer (rebooting each machine at a separate time once every 24 hours during hours remote use wouldn't happen (best time is during local lunchtime, actually); the boxes are set to power on automatically upon power restoration after loss);
3.) Port knocking and similar techniques for the bastion hosts in addition to the layered ssh solution in place (I'm using NX, which logs in as the nx user via keys first, then authenticates the user, either with keys or with a password);
4.) Packetfence or similar snort IDS box sitting on the ethernet VLANs of these boxes with custom rules designed to detect intrusions in progress and dynamically add acls to the border routers upon detection (this one will take a while);

I'm still thinking of unusual ways of securing; I've looked at tarpits and honeypots, too, and have really enjoyed some of the more arcane advice I've seen on this list in the past.  I still want the device used to remotely fry the computer in the movie 'Electric Dreams' personally..... :-)
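As an added illustration of the setup discussed above (SSH reachable only on the bastion, port 22 on the inside hosts filtered so it accepts connections from the bastions alone, clients tunnelling through), here is example shell code that is not part of the original post or of Lamar's configuration. The bastion addresses 192.0.2.10/192.0.2.11, the hostnames bastion.example.org and *.inside.example, and the user name are constructed placeholders; the functions print the iptables commands and the ssh_config stanza rather than applying them, so they can be reviewed before use.

```sh
#!/bin/sh
# Added example (not from the original post). Assumes the inside hosts run
# iptables and that the bastion addresses passed in are the only machines
# that should ever open an SSH session to them.

# Print iptables rules so an inside host accepts NEW SSH connections only
# from the listed bastion addresses and drops SSH from everywhere else.
# Rules are appended in order, so this is meant for an INPUT chain that
# does not already contain a broader port-22 accept.
inside_host_ssh_rules() {
    # Keep already-established sessions working across a rule reload.
    echo "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    for bastion in "$@"; do
        echo "iptables -A INPUT -p tcp -s $bastion --dport 22 -m conntrack --ctstate NEW -j ACCEPT"
    done
    # Log, then drop, anything else aimed at port 22 so stray probes are visible.
    echo "iptables -A INPUT -p tcp --dport 22 -j LOG --log-prefix 'ssh-not-via-bastion: '"
    echo "iptables -A INPUT -p tcp --dport 22 -j DROP"
}

# Print an ~/.ssh/config stanza that reaches inside hosts only through the
# bastion. ProxyCommand with nc is used instead of -W/ProxyJump because it
# also works with the older OpenSSH shipped on CentOS of this era.
client_ssh_config() {
    bastion="$1"
    user="$2"
    printf 'Host bastion\n    HostName %s\n    User %s\n    IdentitiesOnly yes\n\n' "$bastion" "$user"
    printf 'Host *.inside.example\n    User %s\n    ProxyCommand ssh -q bastion nc %%h %%p\n' "$user"
}

# Sanity check: number of ACCEPT rules for port 22 must equal the number of
# bastions given, i.e. no rule accepts SSH from "anywhere".
ssh_allow_count() {
    inside_host_ssh_rules "$@" | grep -c -- '--dport 22 .* -j ACCEPT'
}

# Usage with constructed sample addresses; pipe the first command into
# `sh` on the inside host once it has been reviewed.
inside_host_ssh_rules 192.0.2.10 192.0.2.11
echo
client_ssh_config bastion.example.org someuser
```

With two bastions, ssh_allow_count prints 2; if a later edit adds an unrestricted port-22 accept, the count rises and the check fails, which is the kind of drift a rolling-reboot LiveCD setup is meant to make impossible in the first place.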


