Hacking ha.ckers.org


Why ha.ckers.org doesn’t get hacked
Who we are.
• James Flom (id)
• COO SecTheory Ltd
• http://ha.ckers.org/
• http://sla.ckers.org/
• http://www.sectheory.com/
Just a little faith…
• Date: May 31, 2007 09:34AM
I know we will get hacked one day - it's a certainty. It's something I've come to terms with well before I even had a blog. You can't go through life fearing the inevitable. At the same time I do all I can to protect the site, given what it needs to do. There are a few holes in the site that I know of that would limit my own ability to function. I've been hardening those more as time goes on, but ultimately, it will take time (that I don't have) to make it iron clad.
- RSnake
In the beginning…
RSnake: “Hey id, you’ve got a server, want to host this ha.ckers.org site for me?”
Uh, sure…
Stories!
• Imagecrash (343k)
• Drive from SB to SF
• First Slashdot
• First Reddit
• ISP shutdown (2x)
/.
ha.ckers gets a new home in Pleasanton, CA
Hanging on a shelf in a 90° garage…
ha.ckers gets a new home in TX
The ClickForensics telco closet of doom
No pics, sorry
ha.ckers gets a 2nd new home in TX
• Heat issues part 1
• Stupid string/handle
• Power bill not paid
• Leaf Blower of Doom
• A little bit of B&E
ha.ckers gets a 3rd new home in TX
• Heat issues part 2…
• Free AV!
• Slowloris/DoS
• Tile saw of doom
ha.ckers gets a 4th new home in TX
Don’t bump picture
Idiots Abound…
I AM FURIOUS!!!!!!!!! One of your associates, ha.ckers.org has given me a virus. Whenever I click on a link a box pops up saying a bunch of jibber jab but it does say: Host: Ha.ckers.org. Unless you and ha.ckers.org do not want to be sued you better figure out a way to get the virus you guys created off my computer pronto!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
- Melissa Shaw
The Network
Network Features
• Firewall PF (OpenBSD)
  – Redirects traffic similar to a Cisco “static” translation
  – No egress traffic allowed from DMZ
  – Out interface ACL philosophy
  – DoS protection
    • Floods
    • Slowloris style attacks
  – Network separation
    • Admin traffic never traverses the DMZ network.
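As an added example (not a slide from the talk and not the site's real ruleset), a pf.conf sketch that puts the features above together in current OpenBSD syntax; interface names, addresses, the bastion host and the rate limits are assumptions chosen for illustration.

```pf
# Constructed pf.conf for the design above. Interface names, addresses and
# rate limits are assumptions for illustration, not ha.ckers.org's real values.
ext_if  = "em0"             # Internet-facing interface
dmz_if  = "em1"             # DMZ holding the jailed web server
adm_if  = "em2"             # admin network; the only path to management ports
pub_ip  = "192.0.2.10"      # public address (RFC 5737 documentation range)
web_srv = "10.10.1.10"      # DMZ address of the web jail
bastion = "10.10.2.5"       # admin bastion host on the admin network
jail_adm = "10.10.2.20"     # jail host's admin-side address (assumed)

table <flooders> persist    # sources that tripped the connection limits

set skip on lo
set block-policy drop
block log all               # default deny in every direction, logged
antispoof quick for { $ext_if $dmz_if $adm_if }

# Cisco "static"-style translation: the public address maps 1:1 onto the DMZ host.
match on $ext_if from $web_srv to any binat-to $pub_ip

# Flood protection: a source exceeding the limits is added to <flooders>, its
# existing states are flushed, and its further packets are dropped before any
# pass rule. max-src-conn also caps the many idle connections Slowloris needs.
block in quick on $ext_if from <flooders>
pass in on $ext_if proto tcp to $web_srv port { 80 443 } flags S/SA \
    keep state (max-src-conn 100, max-src-conn-rate 15/5, \
                overload <flooders> flush global)

# Out-interface ACL: what the DMZ actually receives is decided where traffic
# leaves the firewall, so a mistake on the ingress side cannot expose a new port.
pass out on $dmz_if proto tcp to $web_srv port { 80 443 }

# No egress from the DMZ: replies are matched by the state table, but a DMZ
# host may never open a new connection, so a compromised jail cannot phone home.
block log quick on $dmz_if from $dmz_if:network

# Admin traffic never crosses the DMZ: SSH to the firewall and to the jail
# host is accepted only from the bastion, and only on the admin interface.
pass in on $adm_if proto tcp from $bastion to ($adm_if) port 22
pass in on $adm_if proto tcp from $bastion to $jail_adm port 22
```

Load it with `pfctl -nf /etc/pf.conf` first to syntax-check, and watch `pflog0` with tcpdump to confirm that the DMZ host's own outbound attempts are the ones being logged.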
Who are you?
• Do you have a permitted source IP to connect to the firewall?
• Do you have the correct cert?
• Do you have a user/pass (SSH)?
• Do you have a permitted source IP to connect to the administrative proxy?
• Do you have the right URL path?
• Do you have a user/pass for .htaccess?
• Do you have authentication to the application?
• Will the browser allow the connection (Robert’s Preso)?
I don’t trust you
Going to jail
OS Security
• Can only access the administrative interfaces via secure admin network/bastion host
• Jails are mounted read only – even if compromised they cannot be rootkitted
• Only have to upgrade the Base Jail
• No real users live in the jails – files owned by no known user to the jailed OS
• No binaries not needed by the jails are in the Base Jail
Logging
• Everything that can log does log
• All logs are aggregated to a log host that is not reachable by any DMZ host
• OSSEC used to aggregate and monitor logs with custom rules
• Logs are off the host and onto the log host as they are generated
• Forensics are done every day
New Generation Network
• Switched to relayd
  – OpenBSD implementation
  – SSL acceleration so packets can be read on the egress
• Each virtual interface gets its own network stack and firewall ruleset
Next Generation OS
• Completely read only jails
• Unique Base Jails for each type of server
• Logging via UNIX socket to parent OS – nothing touches the disk
• Further improvements in removing unneeded software
• Each jail has its own network stack and on host firewall
ha.ckers gets a 5th new home in TX
Questions?
[email protected]
[email protected]