Excellent Security Tip With A Twist

By Ian Scott

I’m not sure who to credit this to exactly, but I discovered this tip on the Hsphere Control Panel message board. The person who posted the tip goes by the nickname of “WebDude.”

It was one of those, “Why didn’t I think of that?!?” moments when I read this tip, involving the command ‘chattr’ that comes with Linux.

What chattr does is change the file attributes (flags) of files and directories on Linux filesystems such as ext2, ext3 and ext4; with -R it walks a whole directory tree. One of those attributes is called "immutable" and is set with the +i flag (and cleared with -i).

I’ve often used chattr myself when root or super user on a server, but of course, anyone else who has root access can remove the immutable attribute by simply typing the chattr command with the -i flag.

So what exactly does immutable mean, anyhow? Well straight from the chattr man file:

A file with the ‘i’ attribute cannot be modified: it cannot be deleted or renamed, no link can be created to this file and no data can be written to the file.

Well, that's pretty good protection for your most important system files and libraries! But what if some cracker gets root access? We spend lots of time trying to prevent that from happening, but we can never guarantee it won't. And once the cracker has root, all they have to do is remove that immutable attribute and they can overwrite binaries with trojaned or modified versions.

So here's the twist. Rename chattr to something else! Something ordinary, something that no one else knows, and then create a hundred or so other fake commands in /usr/bin to keep it company. Then set the immutable flag on entire directories including /bin, /usr, /lib, and /sbin. Use chattr -R +i so the flag lands on every file in the tree: +i on the directory alone only stops entries being added, removed or renamed, and leaves the files inside writable.

Now, if someone DOES happen to get root access to your system, they are going to waste a lot of time trying to install modified, trojaned versions of your important binaries. They'll likely give up pretty quickly and move on to the next system. Cool, huh?

Obviously, there is a chance that someone with lots of time on their hands will try out every command in /usr/bin, but it's doubtful. Keep in mind, though, that a root attacker doesn't actually need your copy of chattr: lsattr will show them the flag is set, and any chattr will clear it, whether from a BusyBox binary, a copy they upload, or a few lines of code that issue the same ioctl chattr uses. So this buys you time against automated rootkit installers and impatient attackers, not against a determined one. It is not something you can put all your trust in, but it sure is a handy tool in your arsenal!

Of course, when installing updated packages you will have to remove the immutable attribute (chattr -R -i) from those directories first, or the package manager will fail with "Operation not permitted"; set it again once the update is done.
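Here is the whole routine in one script, as an added example (not WebDude's or the original post's own code). It assumes a hypothetical path for the renamed chattr in CHATTR_BIN and the directory list from the post in PROTECTED_DIRS; both are just defaults you can override from the environment. The check subcommand parses lsattr -R output so you can confirm nothing in the tree was missed after locking.

```shell
#!/bin/sh
# Added example (not from the original post). Wraps the procedure described
# above: lock the system directories with the immutable flag, unlock them
# before a package update, and list anything that was missed.
#
# Assumptions (hypothetical, choose your own): the renamed chattr lives at
# the path in CHATTR_BIN; the directory list in PROTECTED_DIRS matches the
# post. Both can be overridden from the environment.
set -eu

CHATTR_BIN="${CHATTR_BIN:-/usr/bin/chattr}"
PROTECTED_DIRS="${PROTECTED_DIRS:-/bin /sbin /lib /usr}"

# lock_dirs DIR...  sets +i recursively, so the flag lands on every file,
# not only on the directory entries (+i on a directory alone still leaves
# the files inside writable).
lock_dirs() {
    for d in "$@"; do
        if [ ! -d "$d" ]; then
            echo "lock_dirs: $d is not a directory, skipping" >&2
            continue
        fi
        "$CHATTR_BIN" -R +i "$d"
    done
}

# unlock_dirs DIR...  clears the flag again; run this before apt/yum/rpm,
# or the update fails with "Operation not permitted".
unlock_dirs() {
    for d in "$@"; do
        if [ ! -d "$d" ]; then
            echo "unlock_dirs: $d is not a directory, skipping" >&2
            continue
        fi
        "$CHATTR_BIN" -R -i "$d"
    done
}

# unprotected_from_lsattr  reads 'lsattr -R' output on stdin and prints the
# paths whose flag field has no 'i'. lsattr prints one "FLAGS PATH" line per
# entry plus "DIR:" header lines and blanks, which are skipped (NF < 2).
unprotected_from_lsattr() {
    awk 'NF >= 2 && index($1, "i") == 0 { sub(/^[^ ]+ /, ""); print }'
}

# check_dirs DIR...  verification step: anything printed is not immutable.
check_dirs() {
    for d in "$@"; do
        lsattr -R "$d" 2>/dev/null | unprotected_from_lsattr
    done
}

usage() {
    echo "usage: $0 lock|unlock|check [DIR...]" >&2
}

# Command dispatch. DIR arguments default to PROTECTED_DIRS.
main() {
    cmd=$1; shift
    [ "$#" -gt 0 ] || set -- $PROTECTED_DIRS
    case "$cmd" in
        lock)   lock_dirs "$@" ;;
        unlock) unlock_dirs "$@" ;;
        check)  check_dirs "$@" ;;
        *)      usage; return 1 ;;
    esac
}

# With no arguments only usage is printed, so the functions above can be
# sourced or tested without touching the filesystem.
if [ "$#" -gt 0 ]; then
    main "$@"
else
    usage
fi
```

Typical use as root: `./immutable.sh lock`, then `./immutable.sh check` (silence means every file under the protected trees carries the flag), and `./immutable.sh unlock` before running the package manager. The flags are read back through lsattr rather than remembered by the script, because the state that matters is what is on disk, not what the script last did.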
