Mon, 06 Feb 2006
Patching for Custom Config File Locations
While
discussing the FIA via SSH article, one of my comments got some
feedback; the comment was sudos config potentially giving the game away.
A number of people suggested the same solution, patch where the source
looks for the config file and compile it yourself. The idea is that you
put a fake config file in the usual place, patch the source to use a
different location and then compile the application. When it runs it
leaves the fake config alone, uses the custom location you added and the
attacker is none the wiser.
This isn't difficult to do. For example a number of honeypot articles recommend patching syslog so the attacker doesn't see a "log to remote host" config setting. Technically this works just fine. But that's not where you pay the price...
Doing something like this is a small security win but a huge usability loss. Firstly, every time you want to upgrade the binaries you need to patch, compile and occasionally even package them. After you've done this step you need to find a way of incorporating their distribution with the rest of your software. Lastly you have the enjoyment of having a sysadmin spend half an hour changing settings, restarting the command/daemon and NOTHING HAPPENS! Why? Because they changed the default config file. Which is a fake... You'll do this once and then swear off the technique for anything except a one man research box that you don't want to keep current.
Like this post? - Digg Me! | Add to del.icio.us! | reddit this!
Posted: 2006/02/06 23:33 | /security | Permanent link to this entry | This entry and same date
Copyright © 2000-2010 Dean Wilson
