Ok, here's the scoop, without the relative obscurity of the previous
posting - actual details this time. :)

The project I'm throwing myself bodily into is a bit experimental...
it's going to sound really bad from the start, but it's worthy, I tell
you! Worthy!

Have any of you played in "Happy Hacker" or a similar site? Basically,
machines put on the net specifically to be hacked. I thought that this
was a super-cool idea, until I discovered that "Happy Hacker" is
comprised of a Cisco router, an <x>BSD box, and a Linux box.

Yay.

So, what they're saying is along the lines of "Look, we've got EXACTLY
what you can have at home for free! Look at us! Yay! We're special!"
etc, etc. It mildly offended me, to be perfectly honest. I read the
media hype and got set for a massive network to play in.

I'm a unix consultant by trade, and a bit of a collector. Between
three roommates, there's almost 30 computers in the house - and I tend
to lean towards the esoteric systems. In my work, I'm often in server
rooms, and once admins find out I'm an old computer fanatic, they
sometimes offer me old gear.

Unfortunately, I gave away my AS/400, but I'm still left with a
SPARCstation 330 running 2.5, an IBM RS/6000 model 250 running AIX 4.3.2
(with trusted computing base), and have been given (haven't yet picked
up) an SGI Indigo and AlphaServer 3000. These, of course, will be
installed with the latest releases of Irix and "Tru64" respectively.
There's also a 20G optical jukebox in the basement to be attached to one
of these.

Basically, the premise is that if you want to play with these operating
systems, you've pretty much either got to get a job playing with them,
or break the law. I don't like this - it's UNIX, the knowledge should
be shared.

So the setup has to be one in which the outside walls are strong and
thick, but once inside, there are no walls except those which you choose
to build. If you can gain root on the AIX machine, great! Set up a
usenet server (have you ever wanted to try that in AIX?) and link news
between the servers. Since NONE of the machines have access to the
outside world, and the world can't get to them without going through the
gateway, it has to be STRONG - otherwise, I'm just giving away shells to
whoever wants them.

What I'm HOPING for is a tiny online community of Unix hackers and
geeks working together to build a chaotic network of services - if you
want to run a MUD on a system, go to town. IRC? Build it. Just want
to hack? Go to - nobody's going to arrest you for it. Be gentle, if
you gain root and rm -rf, you're destroying a lot of people's work... I
realize that there WILL be jerks, but I'm hoping that there'll be some
respect between users. If you hack root, add yourself a user with UID
and GID 0 and use it instead - otherwise, every machine has a guest
account.

So my target audience is Unix freaks - for the first little while (a
month or two of setup), it will only be a few users testing EVERYTHING
-- but after it is working to my satisfaction, there will be a Slashdot
announcement for it. At this point, I no longer will have any real idea
who my users are.

Having the gateway spawn a single 'telnet' session from an ssh login is
a good idea, but probably not the best one. I did consider an OTP
scheme, but it's difficult to use it in the way I want to - considered
something along the lines of "You get ONE password. Use it once, add a
user, no more passwords ( <- this is the hard part. ) After you've been
here a while, and proved to be beneficial for the network, you get three
more passwords, to give to people that YOU feel would be beneficial.

SSH on all of the systems is an idea - but it takes away from the
initial fun. If someone wants to compile a sniffer on there, go to -
but you're going to have to use kermit or similar to get the source onto
the machine... no ftp out, etc. :)

As far as I can see, the best way to do this is with a low-end pentium
system running NetBSD gatewaying the network - ONLY ssh open, with a
'network' account. This account spawns 'telnet' as its shell, on the
internal network. This is your access to the network; telnet only -
perhaps there's a better way, but I (eventually) expect several thousand
users - even if some are only one-time users. I think there's enough
advanced Linux geeks who are just itching to play with different flavors
of Unix.

Any ideas on this are welcome - keep in mind that it won't be RIGHT
away. I've still got to lug home and make boot an Alphaserver. ;) Once
it's up, it'll be a playground for all interested.

Cheers,
- Drew.

Ryan Russell wrote:
>
> > Apologies for a slightly off-topic question - it does have to do with
> >security, though not (directly) firewalls.
>
> Not that off-topic I think. You've designed a firewall.. and maybe a VPN. :)
>
> > I'm busily setting up a small network that will use non-routable IP's -
> >probably five boxes behind a gateway with a real IP. None of the
> >machines will be able to see the internet, ever - and the internet can't
> >be able to see any of them, either - at least not directly.
>
> No internet access for the inside machines, ok.
>
> > The problem I'm facing is how to allow telnet access THROUGH the
> >gateway to the internal machines, with the absolute MAXIMUM security
> >possible. What I've decided to do is lock down the gateway machine
> >ENTIRELY, no outgoing connections, and only incoming ssh connections
> >accepted. From there, the user's shell will be set to /usr/bin/telnet,
> >with the only possible connections being the machines on the internal
> >network. I've tested this VERY briefly - it works, and even displays
> >the motd; so users will know the names of the machines to telnet to.
>
> Did you audit the gateway from the outside? Is there a reason to not
> use SSH internally, too?
>
> > Security is so incredibly crucial in this project - I can't express
> >it. Am I missing something large or small here?
>
> The threat model. How trustworthy your authorized users are. How secure
> the machines are that are coming in via SSH from the Internet.
>
> >If someone were to
> >gain access to the gateway box (the only user to have a non-telnet shell
> >will be root, and then only from an attached dumb terminal) the project
> >would probably be compromised past saving. After the user is inside,
> >packet sniffing becomes less of an issue - but it should be as near to
> >impenetrable from the outside as possible.
>
> > The issue I have is that, while I use it daily, I really don't have
> >thorough knowledge of the 'telnet' program itself. There's a load of
> >things it can do! Am I risking anything doing this? Are there any
> >common exploits that allow someone at a "telnet>" prompt to read or
> >write files, etc? I'm not so worried about spawning a shell, as that
> >SHOULD be only spawning the user's default shell, which is
> >/usr/bin/telnet. :)
>
> Are you saying you don't trust the users you've given SSH access
> to? If so, there's a massive problem.
>
> What OS is this, and which telnet client, and we can answer better. My
> Solaris 2.5.1 telnet client, which I believe is just the one that came with
> the OS, includes a ! command which drops me straight to a shell. Don't know
> if that changes if telnet is my parent shell.
>
> Telnet can be used to map ports on the inside machines. This is probably not
> a concern since they've got legitimate access to at least one inside
> machine.. it would be easier to do it from that one. I also assume that
> inside machines attacking the gateway wouldn't be a concern, if it's good
> enough to stand up to the Internet.
>
> Pay particular attention to the machines that come in via SSH. Those are
> going to be the easiest place to break in if you've locked down the gateway
> really well.
>
> Ryan
>
> -
> [To unsubscribe, send mail to [EMAIL PROTECTED] with
> "unsubscribe firewalls" in the body of the message.]
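
One way to avoid handing users a raw "telnet>" prompt, as an added example that is not part of the original thread: a wrapper used as the 'network' account's shell that accepts only an allowlisted host name and starts telnet with the escape character disabled. The script name netlogin, the host names and the addresses are assumptions; -E is the BSD telnet option that disables the escape character, so check the gateway's own telnet man page.

```shell
#!/bin/sh
# Added example: restricted login wrapper for the gateway's 'network' account.
# Install name "netlogin", host names and addresses are constructed placeholders.
ALLOWED_HOSTS="aix=192.168.10.11 sparc=192.168.10.12 indigo=192.168.10.13 alpha=192.168.10.14"
TELNET=/usr/bin/telnet

# resolve_target NAME: print the internal address of an allowlisted host.
# Returns 1 for anything else: empty input, raw addresses, options such as
# "-l", or input carrying shell metacharacters.
resolve_target() {
    case "$1" in
        ''|*[!a-z0-9]*) return 1 ;;      # names are lowercase alphanumerics only
    esac
    for entry in $ALLOWED_HOSTS; do
        if [ "${entry%%=*}" = "$1" ]; then
            printf '%s\n' "${entry#*=}"
            return 0
        fi
    done
    return 1
}

# list_hosts: print the menu of names a user may choose from.
list_hosts() {
    for entry in $ALLOWED_HOSTS; do printf '%s ' "${entry%%=*}"; done
    printf '\n'
}

# main: one prompt, one connection. Arguments are ignored on purpose, so
# "ssh network@gateway some-command" (delivered as -c some-command) does nothing.
main() {
    printf 'Internal hosts: '; list_hosts
    printf 'Connect to: '
    read -r choice || exit 1
    addr=$(resolve_target "$choice") || { echo "unknown host" >&2; exit 1; }
    # Host and port are fixed by the wrapper, and -E leaves no escape character,
    # so the user never reaches a "telnet>" prompt where "!" could be typed.
    # exec replaces the wrapper: when telnet exits, the ssh session ends.
    exec "$TELNET" -E "$addr" 23
}

case "${0##*/}" in
    netlogin) main ;;        # installed as the account's login shell
    *) list_hosts ;;         # run directly: only show the menu
esac
```

The wrapper constrains only the interactive session; ssh port forwarding for the account has to be switched off separately on the gateway (in OpenSSH, `AllowTcpForwarding no`).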