lattera

Everything posted by lattera

  1. I'm trying to port Pharos to Linux, and I'm curious as to how... In FreeBSD, I use IPDIVERT sockets. IPDIVERT sockets divert traffic based on a firewall rule to a program that has registered itself as a divert socket program. Here's what the IPDIVERT socket program would call:

     #include <arpa/inet.h>
     #include <netinet/in.h>
     #include <stdio.h>
     #include <stdlib.h>
     #include <string.h>
     #include <sys/socket.h>

     #define PORT 6137

     int main(void)
     {
         int sockfd;
         struct sockaddr_in server;

         /* a divert socket is a raw socket opened with protocol IPPROTO_DIVERT */
         if ((sockfd = socket(PF_INET, SOCK_RAW, IPPROTO_DIVERT)) < 0) {
             perror("socket");
             exit(1);
         }
         memset(&server, 0, sizeof(server));   /* zero the padding before bind() */
         server.sin_family = PF_INET;
         server.sin_port = htons(PORT);        /* the divert port named in the ipfw rule */
         server.sin_addr.s_addr = INADDR_ANY;
         if (bind(sockfd, (struct sockaddr *)&server, sizeof(server)) < 0) {
             perror("bind");
             exit(1);
         }
         return 0;
     }

     The kernel then sends all designated traffic to that socket (sockfd) based on a firewall rule:

     ipfw add divert 6137 tcp from any to any via rl0

     That command will send all TCP packets received from anyone to anyone (probably me, unless this is a hubbed (not switched) network) to my socket. I can then manipulate the packet, and/or let it arrive at its final destination. IPDIVERT sockets are a lot like pcap sockets, except I don't receive a _copy_ of the packet, I receive the _original_ packet.

     Anyways, is there a way of doing this in Linux? I know of Netfilter hooks, but that's done in kernel-space, and I'd like to try to stay away from kernel-space. Is there a viable way to create an IPDIVERT-like system in Linux? If so, how hard would it be, and would anyone like to help? If you guys would like an example of IPDIVERT sockets, look at: http://securi-labs.ath.cx:7002/cgi-bin/cvs...x-cvsweb-markup
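Added example, not code from the post or from Pharos: a complete divert-socket loop in C in the spirit of the snippet above, showing the part the post only describes in prose, namely that a packet is re-injected by sending it back to the address recvfrom() filled in and dropped by never sending it back. The SYN+FIN drop policy, the should_pass()/make_tcp_packet() helpers and the constructed packet are assumptions made for the example; IPPROTO_DIVERT's value 254 is FreeBSD's, and the loop itself only runs there.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#ifndef IPPROTO_DIVERT
#define IPPROTO_DIVERT 254  /* FreeBSD's value; not defined by non-BSD headers */
#endif

/* Per-packet policy (assumed for this example): re-inject (1) everything except
 * malformed packets and TCP segments with SYN and FIN both set, which drop (0). */
int should_pass(const unsigned char *pkt, size_t len)
{
    if (len < 20 || (pkt[0] >> 4) != 4) return 0;  /* not an IPv4 header */
    size_t ihl = (pkt[0] & 0x0f) * 4;
    if (ihl < 20 || ihl > len) return 0;            /* bad or truncated IHL */
    if (pkt[9] != IPPROTO_TCP) return 1;            /* non-TCP: pass */
    if (ihl + 20 > len) return 0;                   /* truncated TCP header */
    return (pkt[ihl + 13] & 0x03) == 0x03 ? 0 : 1;  /* SYN+FIN: drop */
}

/* Constructed (not captured) 40-byte IPv4/TCP packet; only the fields that
 * should_pass() reads are filled in. */
const unsigned char *make_tcp_packet(unsigned char flags)
{
    static unsigned char buf[40];
    memset(buf, 0, sizeof buf);
    buf[0] = 0x45;           /* version 4, IHL 5 words */
    buf[3] = 40;             /* total length */
    buf[9] = IPPROTO_TCP;
    buf[20 + 13] = flags;    /* TCP flags byte */
    return buf;
}

/* Divert loop: ipfw hands over the original packet; sending it back to the
 * address recvfrom() filled in re-injects it there. Returns only on error. */
int run_divert(void)
{
    /* port 6137 matches the rule: ipfw add divert 6137 tcp from any to any via rl0 */
    struct sockaddr_in me = { .sin_family = AF_INET, .sin_port = htons(6137) }, from;
    unsigned char buf[65535];
    int fd = socket(PF_INET, SOCK_RAW, IPPROTO_DIVERT);
    if (fd < 0) { perror("socket"); return 1; }
    if (bind(fd, (struct sockaddr *)&me, sizeof me) < 0) { perror("bind"); return 1; }
    for (;;) {
        socklen_t flen = sizeof from;
        ssize_t n = recvfrom(fd, buf, sizeof buf, 0, (struct sockaddr *)&from, &flen);
        if (n < 0) { perror("recvfrom"); return 1; }
        if (should_pass(buf, (size_t)n))   /* a packet never sent back is dropped */
            sendto(fd, buf, (size_t)n, 0, (struct sockaddr *)&from, flen);
    }
}
```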
  2. That's not really what I'm looking for. It's similar, but not exactly what I need. http://sourceforge.net/projects/ipdivert <<-- that's quite a bit closer to what I want. It'd be cool if that ipdivert code could be done in an LKM.
  3. If we had more computers, and a network that was stable enough, then I'd say "go ahead, do what you want." However, that's not the case. The FreeBSD box is a production server. I just can't allow any mess-ups.
  4. The thing is, though, that this is a production environment. It's the CVS home for one of my projects (that IPS that's securing the network). If someone tries something, tell me beforehand, and I'll set up a special environment for the user. Once the user's trick is accomplished (if even possible), I'll remove the environment, and they can go back to their normal chroot()ed shell. Oh, but it is right. I warned them. Look at the list of consequences. Three strikes and you're out. (well, two strikes really). I just want a strict environment where people can code all they want, and basically have a _little_ bit of freedom. You still have IRC, FTP, HTTP, and CVS access...
  5. As admin of the FreeBSD box, here's a quick rundown of the rules:

     1. You cannot engage in script-kiddie activity
     2. You cannot try to gain unauthorized access to _any_ computer, whether within or outside of our networks
     3. You cannot try to explore our networks
     4. You cannot abuse your services (abuse will be decided upon if questions/suspicions come up)
     5. You cannot try to disable services
     6. You cannot try to break chroot
     7. The rules may change without contact; it will be up to the user to keep current on the rules. Even though the user may not know of a rule, the rule still applies.

     Possible consequences: (NOTE: consequences are not set in stone, they may vary case-by-case)

     First offence: warning. Your account is added to a blacklist and all your actions logged.
     Second offence: Your account is disabled.
     Third offence: your subnet is banned.

     About the FreeBSD box:

     You will be in a chroot()ed environment. You will have full compiler (GNU tools such as gcc, g++, and others) access. You will be allowed limited network access.

     TCP ports that will be allowed outgoing: 21, 80, 6667, 2401
     TCP ports that will be allowed incoming: none (unless specifically requested and if the port is available and other circumstances)
     UDP ports outgoing: none
     UDP ports incoming: none
     All other protocols will be disallowed.

     We are running an IPS on the FreeBSD box. For information about the IPS, go to http://lattera.nosleep.info/pharos/index.php. The IPS will catch all traffic on all connections, whether loopback or ethernet.

     Occasionally, the FreeBSD system may go down. Don't fret, it will get fixed within either a couple minutes or hours. Worst case would be the next day. (yes, I'm _very_ paranoid about security, just because there really is no such thing as security anymore...)
  6. Shut up, White Raven.