Home page logo

fulldisclosure logo Full Disclosure mailing list archives

Re: a secure base system
From: Ron DuFresne <dufresne () winternet com>
Date: Mon, 15 Mar 2004 11:54:30 -0600 (CST)

On Mon, 15 Mar 2004, Jochem Kossen wrote:

On Mon, Mar 15, 2004 at 12:37:13PM +0100, harry wrote:
hi all,

i have a little question. i'm asked to set up a base system, which has
to be secure. we want a system from which we can easily install a
compromised system. so i had a few ideas to make it as secure and yet as
usable as possible:

install a compromised system?  This is a forensics box?  then perhaps to
really kppe it secured it should be un-networked, at least when analysis
is beong one.  I'm taking it as a forensics box, you plan on popping in a
DD'ed copy of the drive of the host that was in fact compromised for

Ten again, perhaps I'm either mis reading your intentions for the system,
or you mis-stated your desires?


Ron DuFresne

- use debian testing (stable is too old, unstable is ... well... you
know ;))

As testing doesn't get security updates (at least, it's not guaranteed),
IMHO it's a bad point to start with.

- /var and /tmp mounted nosuid and noexec

How about /home? and how about nodev? (dunno if Linux has nodev)

- grsec kernel
- use lvm (so you don't need to worry about the sizes af the partitions)

- remote logging to our logging server

- all this in hardware raid 1 for easy transfer to other systems
- iptables with all connections refused (you need physical access to do
- maybe allow ssh (no root logins)?

==> is this ok, too paranoia or is there somenting i'm missing, and
cound it be even more safe?

It could be more safe definitely. How about OpenBSD? (ye ye i'm
biased ;), but there are more security oriented solutions around)

how about a compiler? normally, all soft on it is compiled by hand, but
it is also "necessary" for a local exploit.

If you don't install a compiler, make sure users can't upload
precompiled compilers :)

any ideas? remarks?

It all depends on what you want to do with the system (webserver?
desktop pc's?)

Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

"Cutting the space budget really restores my faith in humanity.  It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation." -- Johnny Hart
        ***testing, only testing, and damn good at it too!***

OK, so you're a Ph.D.  Just don't touch anything.

Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]