anonymous-unix.html 35 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742743744745746747748749750751752753754755756757758759760761762763764765766767768769770771772773774775776777778779780781782783784785786787788789790791792793794795796797798799800801802803804805806807808809810811812813814815816817818819820821822823824825826827828829830831832833834835836837838839840841842843844845846847848849850851852853854855856857858859860861862863864865866867868869870871872873874875876877878879880881882883884885886887888889890891892893894895896897898899900901902903904905906907908909910911912913914915916917918919920921922923924925926927928929930931932933934935936937938939940941942943944945946947948949950951952953954955956957958959960961962963964965966967968969970971972973974975976977978979980981982983984985986987988989990991992993994995996997998999100010011002100310041005100610071008100910101011101210131014101510161017101810191020102110221023102410251026102710281029103010311032103310341035103610371038103910401041104210431044104510461047104810491050105110521053105410551056105710581059106010611062106310641065106610671068106910701071107210731074107510761077107810791080108110821083108410851086108710881089109010911092109310941095109610971098109911001101
  1. <HTML>
  2. <HEAD>
  3. <META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1">
  4. <TITLE>Anonymous Unix Systems</TITLE>
  5. </HEAD>
  6. <BODY BGCOLOR="#FFFFFF">
  7. <center>
  8. <h1>
  9. ---[ Anonymizing UNIX Systems ]---
  10. <br>
  11. version 0.9
  12. </h1>
  13. <br><br>
  14. <table border=3 cellpadding=7 cellspacing=3>
  15. <tr><td>Author: <I><a href="mailto:vh@reptile.rug.ac.be">van Hauser</a> /
  16. THC</I><br>
  17. </td></tr>
  18. </table>
  19. </center>
  20. <br><br><br><br>
  21. <ul>
  22. I. <A HREF="#1">THE AUDIENCE</A><ul></ul><br>
  23. II. <A HREF="#2">GOAL</A><ul></ul><br>
  24. III. <A HREF="#3">PREREQUISITES</A><ul></ul><br>
  25. IV. <A HREF="#4">USER DATA</A><br>
  26. <ul> 1. <A HREF="#41">Sensitive user data</A><br>
  27. 2. <A HREF="#42">Protecting /home directories</A><br>
  28. 3. <A HREF="#43">Traceable user activity</A><br>
  29. 4. <A HREF="#44">Protecting /var/spool/mail/user files</A></ul><br>
  30. V. <A HREF="#5">SYSTEM DATA</A><br>
  31. <ul> 1. <A HREF="#51">Sensitive system data</A><br>
  32. 2. <A HREF="#52">Traceable system activity</A><br>
  33. 3. <A HREF="#53">Logging - important and dangerous</A><br>
  34. 4. <A HREF="#54">Protecting system configs</A><br>
  35. 5. <A HREF="#55">Computer Memory and sensitive /proc interfaces</A></ul><br>
  36. VI. <A HREF="#6">DELETE(D) DATA AND SWAP</A><br>
  37. <ul> 1. <A HREF="#61">How to delete files in a secure way</A><br>
  38. 2. <A HREF="#62">How to wipe free disk space</A><br>
  39. 3. <A HREF="#63">How to handle swap data</A><br>
  40. 4. <A HREF="#64">How to handle RAM</A><br>
  41. 5. <A HREF="#65">Temporary data - it is evil</A></ul><br>
  42. VII. <A HREF="#7">NETWORK CONNECTIONS</A><ul></ul><br>
  43. VIII. <A HREF="#8">HIDING PRIVACY SETTINGS</A><br>
  44. <ul> 1. <A HREF="#81">Mount is your friend</A><br>
  45. 2. <A HREF="#82">Removable Medias</A><br>
  46. 3. <A HREF="#83">???</A></ul><br>
  47. IX. <A HREF="#9">EXAMPLE CONFIGURATION AND SCRIPTS</A><br>
  48. X. <A HREF="#10">FINAL COMMENTS</A><br>
  49. <ul> 1. <A HREF="#101">Where to get the tools mentioned in this text</A><br>
  50. 2. <A HREF="#102">Additional thoughts</A><br>
  51. 3. <A HREF="#103">Greetings (what would the world be without greets?)</A><br>
  52. 4. <A HREF="#104">How to contact me for updates or comments</A></ul><br>
  53. </ul>
  54. <br><br>
  55. <center>
  56. --------------------
  57. </center><br><br><br><br>
  58. <A NAME="1"></A>
  59. <bold>* I. THE AUDIENCE</bold>
  60. <br>
  61. <br>
  62. This text is for any human being out there who wishes to keep their data and
  63. doings private from any snooping eye - monitoring network traffic and
  64. stealing/accessing the computer including electronic forensics.
  65. Hackers, phreakers, criminals, members of democracy parties in totalitarian
  66. states, human rights workers, and people with high profiles might be
  67. interested in this information.
  68. It was especially written for novice hackers so they are not so easily
  69. convicted when busted for their early curiosity.
  70. <br>
  71. <br>
  72. Thanks to Solar Designer, Fyodor, typo, tick, pragmatic, mixter and
  73. doc holiday for comments, critics and ideas.
  74. <br>
  75. Special thanks to rookie who had the original idea writing this paper
  76. but through personal problems couldn't do it himself.
  77. <br>
  78. <br>
  79. <br>
  80. <br>
  81. <A NAME="2"></A>
  82. <bold>* II. GOAL</bold>
  83. <br>
  84. <br>
  85. Our goal is to provide solutions to the following statements:
  86. <br>
  87. <br>
  88. <ul>
  89. (1) The solution should be simple and easy<br>
  90. (2) All user data should be inaccessible by anyone except their owner<br>
  91. (3) Nobody should be able to reconstruct what is happening on the system<br>
  92. </ul>
  93. Maybe you see contradictions ;-)
  94. <br>
  95. <br>
  96. <br>
  97. <br>
  98. <A NAME="3"></A>
  99. <bold>* III. PREREQUISITES</bold>
  100. <br>
  101. <br>
  102. It is important to state the prerequisites for this project:
  103. <br>
  104. <ul>
  105. - The system should be secure. No remote vulnerabilities (and hopefully
  106. no local ones either)<br>
  107. - The system administator(s) must be trusted and willing to set this up<br>
  108. - The operating system to achieve this is a UNIX<br>
  109. </ul>
  110. Note that the solutions presented do not 100% fit internet servers.
  111. <br>
  112. However it's (nearly, bah ;-) perfect for enduser systems.
  113. <br>
  114. <br>
  115. For the UNIX part, we show the solutions for Linux because it is the unix
  116. most easily for beginners to get their hands on and administrate.
  117. <br>
  118. The Linux distribution we use is the SuSE Linux Distribution 6.0
  119. <br>
  120. Debian is better but more complicated for beginners. And I dislike
  121. redhat for it's missing security.
  122. <br>
  123. You should know enough about unix (what is portmap, mount, rc2.d etc.)
  124. before trying to understand this text. It's *not* a Linux-Howto!
  125. <br>
  126. <br>
  127. <br>
  128. <br>
  129. <A NAME="4"></A>
  130. <bold>* IV. USER DATA</bold>
  131. <br>
  132. <A NAME="41"></A>
  133. <bold>*** 1. Sensitive user data</bold>
  134. <br>
  135. <br>
  136. What is sensitive user data? Well *any* data from a user account.
  137. This includes:
  138. <ul>
  139. - utmp/wtmp/lastlog data (login times and duration plus login hosts)<br>
  140. - history files (what commands you typed in your session)<br>
  141. - your emails<br>
  142. - temporary files from applications like mailers, browsers etc.<br>
  143. - applications and their configuration<br>
  144. - your own data (documents, porn pics, confidental data)<br>
  145. - time stamps on your data (when were you accessing/editing which data)<br>
  146. - on multiuser systems: what users CURRENTLY are doing.. this includes
  147. process listing, and network connections as well as utmp (which is
  148. already covered by another category). -&gt; make proc more restrictive.<br>
  149. </ul>
  150. <br>
  151. We are trying to protect all this data.
  152. <br>
  153. Note that utmp/wtmp/lastlog data and mail (mqueue/mail/fax/lpd) is handled
  154. in the SYSTEM DATA section.
  155. <br>
  156. Note that all user accounts can be seen from /etc/passwd ;-) So maybe you'd
  157. like to add some/many fake accounts, together with homedirs and crypted
  158. data ...
  159. <br>
  160. <br>
  161. <br>
  162. <A NAME="42"></A>
  163. <bold>*** 2. Protecting /home directories</bold>
  164. <br>
  165. <br>
  166. Most important for protecting user data is protecting the users' /home
  167. directories.
  168. <br>
  169. Each home directory must be encrypted with a strong cypher so that even
  170. with full physical access to the system the data can't be obtained.
  171. Currently I know of only one software provididing a solution to our
  172. requirements: CFS - the cryptographic filesystem.
  173. <br>
  174. <br>
  175. There are also some other crypto solutions available : TCFS, SFS and the
  176. loop filesystem with crypt support. They are faster but have got the
  177. disadvantage that you'll have to recompile your kernel with patches from
  178. these tools. So for the sake of easeness, I stick with CFS here.
  179. (Pointers to all tools mentioned in this text can be found at the end)
  180. <br>
  181. <br>
  182. To enable CFS we must put these six lines in a rc2.d script:
  183. <pre> portmap
  184. rpc.mountd -P 894 # mountd should bind to port 894
  185. cfsd 895 # cfsd should bind to port 895
  186. rm -rf /tmp/.tmp
  187. mkdir -p -m 700 /tmp/.tmp
  188. mount -o port=895,intr localhost:/tmp/.tmp /home
  189. </pre>
  190. Additionaly we have to put this entry into /etc/exports:
  191. <pre> /tmp/.tmp localhost
  192. </pre>
  193. <br>
  194. <br>
  195. Okay. This starts the sunrpc with the mountdaemon which are necessary
  196. for CFS to be started and used.
  197. <br>
  198. Now we need to get the following going: if a user logs on, the system
  199. has to check if he's already logged in to decide whether to decrypt the users'
  200. home directory. This sounds hard but is easy: the user's /home/user
  201. directory doesn't exist (even if it would, because of mount command nine
  202. lines above would make it nonexistent), so the user's HOME variable is
  203. set to '/' the root directory. Then his login shell is started which
  204. looks for it's start scripts. And that's were we put our hooks in.
  205. <br>
  206. We create (this example is for bash) the file /.profile with the following
  207. contents:
  208. <pre> cattach /crypt/$USER $USER || exit 0
  209. export HOME=/home/$USER
  210. cd $HOME
  211. if test -f $HOME/.profile; then
  212. . $HOME/.profile
  213. fi
  214. </pre>
  215. <br>
  216. When a user logs on the first time, this script will be executed. The user
  217. has to enter the password for his crypted homedir, and after this his
  218. correct HOME variable is set and the normal login profile is read and done.
  219. If a user doesn't know the passphrase for his crypted homedir, he is logged
  220. out.
  221. <br>
  222. <br>
  223. But how do we remove the decrypted homedir after the user logs out? This
  224. script should be clever, because a user could be logged in several times at
  225. once, and it should only be removed when the last loginshell exits.
  226. <br>
  227. Thank god, this is easy too, we create a /home/user/.bash_logout script:
  228. <pre> # if the number of user's login shells are &gt; 3 then this is the last.
  229. shells=`ps xu | grep -- "$USER .* S .* -[^ ]*sh" | wc -l`
  230. test $shells -lt 3 || exit 0
  231. export HOME=/
  232. cd /
  233. cdetach $USER
  234. </pre>
  235. <br>
  236. Thats all. From now on, the users' homedirectories are safe.
  237. <br>
  238. <br>
  239. Note that a user can't login now, start a background job which writes data
  240. in his homedirectory and log out because his homedirectory would be removed.
  241. The full .bash_logout script I provide in (see two lines below) checks for
  242. a $HOME/.keep file and if present doesn't remove the homedir.
  243. <br>
  244. <br>
  245. For network logins you should keep in mind that they should not be done via
  246. rlogin, telnet, etc. because they send all traffic (including passwords) in
  247. plaintext over the network. You should use a tool which encrypts the whole
  248. traffic like SSLtelnet or SSH (for SSH you need to set "UseLogin yes" in
  249. the /etc/sshd_config file).
  250. <br>
  251. <br>
  252. You'll find all these scripts with error checking, user creating, stop
  253. scripts and config files etc. in section IX. EXAMPLE CONFIGURATION
  254. <br>
  255. <br>
  256. Note that we started daemons in the section which can be contacted from
  257. remote. If you don't want this (because there are no external users who
  258. need to mount their crypted user data on their own machine) you should
  259. firewall these ports. Look in you manpages ("man ipchains" or "man ipfwadm").
  260. <br>
  261. <br>
  262. <br>
  263. <A NAME="43"></A>
  264. <bold>*** 3. Traceable user activity</bold>
  265. <br>
  266. <br>
  267. [Warning, this section shows first how to perform simple electronic forensics]
  268. <br>
  269. It is easy to see who logged on the system and what he did by the
  270. timestamps. Even if all your data is crypted, by checking the last access
  271. time (atime) of your files, someone may check when you logged in last time,
  272. for what duration and if you were idleing or doing much stuff.
  273. <br>
  274. If the systems doesn't have many users, someone might even tell what you
  275. did.
  276. <br>
  277. <br>
  278. Example: The earliest access time for a crypted file in your homedir
  279. can be seen by:
  280. <pre>
  281. ls -altur /crypt/$USER | head -1 # shows the logout file
  282. ls -altu /crypt/$USER | more # with some brain you'll find
  283. # the login time
  284. </pre>
  285. <br>
  286. then you also have the duration of the session.
  287. <br>
  288. By checking the change/modification and access time of those crypted files
  289. with their timestamps someone can see how hard you were working, and get
  290. more conclusions (e.g. if many files nested in a three levels deep
  291. directory where modified this is probably a browser - so you were surfing
  292. the net).
  293. <br>
  294. <br>
  295. This insight will now make it possible to check what commands were run:
  296. <br>
  297. Let's say the login time as 22 hours ago, so you run:
  298. <pre>
  299. find / -type f -atime 0 -ls # shows the accessed files
  300. find / -type f -mtime 0 -ls # shows the modified files
  301. </pre>
  302. <br>
  303. (this can be done with directories too)
  304. <br>
  305. <br>
  306. Now check the output for the correct timeframe and analyze what you found.
  307. e.g. the telnet client was accessed. So it's probable, the user used it
  308. to connect to another system. I think you can imagine now what is possible.
  309. <br>
  310. <br>
  311. To protect against this is also very easy:
  312. <br>
  313. Create the file /usr/local/bin/touch_them and make it executable with
  314. the following contents:
  315. <pre>
  316. find /crypt /tmp /etc /var/spool 2&gt; /dev/null | xargs -n 250 touch
  317. </pre>
  318. <br>
  319. Then put the following line into /etc/crontab:
  320. <pre>
  321. 50 * * * * root /usr/local/bin/touch_them
  322. </pre>
  323. <br>
  324. finally you change the 4th row of all lines in /etc/fstab which have the
  325. keyword "ext2" in their third (the filesystem type) row:
  326. <pre> defaults (or anything else)
  327. </pre>
  328. should become
  329. <pre> defaults,noatime (the old value is kept, and noatime is appended)
  330. </pre>
  331. <br>
  332. example:
  333. <pre> /dev/hda1 / ext2 defaults 1 1
  334. </pre>
  335. becomes
  336. <pre> /dev/hda1 / ext2 defaults,noatime 1 1
  337. </pre>
  338. <br>
  339. What did we achieve? The crontab entry with the small script updates the
  340. atime, mtime and ctime to the current time every hour of special
  341. directories - especially those which may hold user data.
  342. <br>
  343. The mount options we changed now prevent the update of the atime.
  344. However, this needs a current 2.2.x kernel - it isn't implemented on the
  345. 2.0 kernel tree!
  346. <br>
  347. <br>
  348. <br>
  349. <A NAME="44"></A>
  350. <bold>*** 4. Protecting /var/spool/* files</bold>
  351. <br>
  352. <br>
  353. /var/spool/mail :
  354. <br>
  355. Now it gets tricky. How can we protect the new mail for a user from
  356. spying eyes? It can't be sent directly to a user's homedir like qmail would
  357. do because it's crypted. The easiest solution is to use pgp to encrypt
  358. your outgoing emails and tell all your friends that they should also encrypt
  359. all emails to you.
  360. <br>
  361. <br>
  362. However, this is not satisfying. An attacker can still see who sent the user
  363. the email. The only possibility to hide this is using anonymous remailer.
  364. This is not a great solution, so this is an open point (see section <a
  365. href="#102">X.2</a>:
  366. Additional thoughts)
  367. <br>
  368. <br>
  369. /var/spool/{mqueue|fax|lpd} :
  370. <br>
  371. Well, all you can do is try to flush the queues when shutting down.
  372. <br>
  373. After that you have to decide if you delete the remaining files in a
  374. secure way or leave it where it is. Or program a special script which does
  375. something with the data (like taring the data and encrypting it with pgp,
  376. doing the reverse when the system is rebooted)
  377. <br>
  378. <br>
  379. You can also create a whole crypted /var partition, but that would require
  380. someone at the console while booting the system - every time.
  381. <br>
  382. <br>
  383. <br>
  384. <br>
  385. <A NAME="5"></A>
  386. <bold>* V. SYSTEM DATA</bold>
  387. <br>
  388. <A NAME="51"></A>
  389. <bold>*** 1. Sensitive system data</bold>
  390. <br>
  391. <br>
  392. What is sensitive system data? *Anything* which gives conclusion on incoming
  393. and outgoing data, configuration files, logs, reboots and shutdowns.
  394. <br>
  395. <br>
  396. This includes:
  397. <ul>
  398. - utmp/wtmp/lastlog data (boot, reboot, shutdown times + user times)<br>
  399. - ppp dialup script<br>
  400. - sendmail and tcp wrapper configurations<br>
  401. - proxy cache data (e.g. squid web/ftp proxy)<br>
  402. - syslog messages<br>
  403. - /var/spool/* data {mqueue|fax|lpd|mail}<br>
  404. - temporary files from daemons<br>
  405. - time stamps on data (when were what data accessed/edited)<br>
  406. </ul>
  407. <br>
  408. How to prevent time stamp forensica, see section <a href="43">IV.3</a>
  409. <br>
  410. How to protect /var/spool/* data, see section <a href="44">IV.4</a> for an incomplete
  411. solution.
  412. <br>
  413. <br>
  414. <A NAME="52"></A>
  415. <bold>*** 2. Traceable system activity</bold>
  416. <br>
  417. <br>
  418. (prevent of time stamp forensic is handled in section <a href="43">IV.3</a>)
  419. To trace system activity, you can easily check temporary files
  420. of daemons and applications. Some of them write to /tmp, root
  421. applications usually (should) write to /var/run.
  422. We handle this together with section <a href="53">V.3</a>: Logging.
  423. All you have to do is this, and only *once* :
  424. <pre> cd /var
  425. mv run log
  426. ln -s log/run run
  427. </pre>
  428. <br>
  429. this moves the /var/run directory to /var/log/run and sets a symlink in it's
  430. former place so that applications still find their files.
  431. <br>
  432. <br>
  433. <A NAME="53"></A>
  434. <bold>*** 3. Logging - important and dangerous</bold>
  435. <br>
  436. <br>
  437. Logging is important to trace problems like misconfigurations.
  438. <br>
  439. Logging is dangerous because an attacker can see important data in
  440. the logfiles, like the user's login and logout time, if they executed
  441. "su" or other commands etc.
  442. <br>
  443. We try to find a balance between this.
  444. <br>
  445. Our solution: Write all log data to one special directory.
  446. <br>
  447. This directory is a RAM disk so the data is lost after a system shutdown.
  448. Ensure that syslogd [/etc/syslog.conf] and daemons (e.g. httpd [apache])
  449. only write to our special logging directory or a system console.
  450. /var/log should be used as our special logging directory.
  451. <br>
  452. <br>
  453. <br>
  454. Now we put the following commands into /sbin/init.d/boot.local:
  455. <pre> umask 027
  456. mke2fs -m0 /dev/ram0 1&gt; /dev/null 2&gt;&1
  457. rm -rf /var/log/* 2&gt; /dev/null
  458. mount -t ext2 /dev/ram0 /var/log
  459. chmod 751 /var/log
  460. cd /var/log
  461. mkdir -m 775 run
  462. chgrp uucp run
  463. for i in `grep /var/log /etc/syslog.conf|grep -v '^#'| \
  464. awk '{print $2}'|sed 's/^-//'`
  465. do &gt; $i ; done
  466. umask 007 # 002 might be used too.
  467. for i in run/utmp wtmp lastlog
  468. do &gt; $i ; chgrp tty $i ; done
  469. cd /
  470. kill -HUP `pidof syslogd` 2&gt; /dev/null
  471. </pre>
  472. After your next reboot it behaves like described above.
  473. <br>
  474. <br>
  475. Some of you will not like the idea of having no logs after a reboot.
  476. This way you can't trace an intruder or guess from your logs what
  477. crashed the machine. Either you can tar the files and pgp before
  478. the shutdown is complete (but the data would be lost if a crash occurs),
  479. or you might also use ssyslog or syslog-ng, special syslogs with crypting
  480. capabilities, and write the data you really want to keep to (just an example)
  481. /var/slog.
  482. <br>
  483. <br>
  484. You can also create a whole crypted /var partition, but that would require
  485. someone at the console while booting the system - every time.
  486. <br>
  487. <br>
  488. <br>
  489. <A NAME="54"></A>
  490. <bold>*** 4. Protecting system configs</bold>
  491. <br>
  492. <br>
  493. This is tricky. It is easy to achieve but for a price.
  494. If we create an account with uid which has his homedir in /home
  495. and is hence protected by our CFS configuration, you need to
  496. be at the console at every reboot. This isn't practical for server systems
  497. that need to be administrated and rebooted remotely.
  498. This solution is only good for end-user pcs.
  499. <br>
  500. <br>
  501. Just create an account with the uid 0 (e.g. with the login name "admin").
  502. You can use the create_user script from section IX.
  503. <br>
  504. Put all your sensitive configuration files you want to protect into this
  505. directory (ppp dialup scripts, sendmail.cf configs, squid configs
  506. with their cache directory set to a subdir of "admin" etc.)
  507. <br>
  508. Now create a small shellscript which starts these daemons with a command
  509. line option to use the config files in your "admin" homedir.
  510. <br>
  511. <br>
  512. Your system is then secure from extracting the sensitive information
  513. from the config files. But for a price. You have to log in after each
  514. reboot as user "admin", enter your CFS passphrase and start the script.
  515. <br>
  516. <br>
  517. <br>
  518. <A NAME="55"></A>
  519. <bold>*** 5. Computer Memory and sensitive /proc interfaces</bold>
  520. <br>
  521. <br>
  522. For a real multiuser system on which the administrator want additionally
  523. ensure the privacy of the user online, he has to hide the user process
  524. information, a user would normally see when issuing a "who" or "ps"
  525. command. To protect the user's process information, you can use
  526. Solar Designer's secure-linux kernel patch. To protect the utmp/wtmp/lastlog
  527. we ensure that these files are only readable by root and group tty,
  528. hence a normal user can't access this data. (This is done in the boot.local
  529. example script)
  530. <br>
  531. Now one problem is left. Even with normal RAM a well funded organisation
  532. can get the contents after the system is powered off. With the modern
  533. SDRAM it's even worse, where the data stays on the RAM permanently until
  534. new data is written. For this, I introduced a small tool for the
  535. secure_delete package 2.1, called "smem" which tries to clean the memory.
  536. This one should be called on shutdown. It is done in the example
  537. in section <a href="64">VI.4</a>
  538. <br>
  539. <br>
  540. <br>
  541. <br>
  542. <A NAME="6"></A>
  543. <bold>* VI. DELETE(D) DATA AND SWAP</bold>
  544. <br>
  545. <A NAME="61"></A>
  546. <bold>*** 1. How to delete files in a secure way<</bold>
  547. <br>
  548. <br>
  549. When a file is deleted, only the inode data is freed, the contents of
  550. the data is NOT wiped and can be gathered with tools like "dd" or the
  551. tool manpipulate_data from THC.
  552. <br>
  553. <br>
  554. Peter Gutmann wrote a paper with the name "Secure Deletion of Data from
  555. Magnetic and Solid-State Memory" presented 1996 at the 6th Usenix Security
  556. Symposium. This is the best civilian paper on how to wipe data in a way that
  557. it is hard for even electronic microscopes to regain the data.
  558. <br>
  559. There are four tools out there which uses the techniques described there,
  560. two called "wipe", one called "srm" from THC's secure_delete package and
  561. "shred" which is part of the new fileutil package from GNU.
  562. <br>
  563. Ours is still the best from it's design, features and security, and it
  564. has also all important and advanced commandline options and speed you need.
  565. <br>
  566. <br>
  567. To use one of these tools for deletion just set an alias in /etc/profile:
  568. <pre> alias rm=srm # or wipe or shred
  569. </pre>
  570. or even better, move /bin/rm to /bin/rm.orig and copy the secure delete
  571. program to /bin/rm. This ensures, that all data which is deleted via
  572. rm is securely wiped.
  573. <br>
  574. <br>
  575. If you can't install THC's secure_delete package or any other (for any
  576. reason) you can also set the wipe flag from the ext2 filesystem on files
  577. you wish to wipe before rm'ing them. It's nearly the same, but it's NOT
  578. a secure wipe like mentioned above. It's set by:
  579. <pre> chattr +s filename(s)
  580. </pre>
  581. <br>
  582. <br>
  583. [Note that it is *still* possible for a well funded organisation to get your
  584. data. Don't rely on this! See section <a href="64">VI.4</a> !]
  585. <br>
  586. <br>
  587. <br>
  588. <A NAME="62"></A>
  589. <bold>*** 2. How to wipe free disk space</bold>
  590. <br>
  591. <br>
  592. Most times applications like the editor in your mail program write a
  593. temporary file. And you don't know about it - you weren't even asked :(
  594. Because they don't wipe the data in a secure way, an attacker can
  595. get all your private emails just because you didn't know. That's bad.
  596. <br>
  597. The solution: You use a wiper program which cleans all unused data
  598. from the disk partitions.
  599. <br>
  600. The only one available is the one from THC's secure_delete package.
  601. You could put "sfill" (that is what it is called) in you crontab so it is
  602. run regulary but this might create problems when at this moment this space
  603. is needed by an important application. At least when the system shuts down,
  604. sfill should be called.
  605. <br>
  606. Put this in the "stop" part of a late rc2.d script:
  607. <pre> sfill -llf /tmp 2&gt; /dev/null
  608. sfill -llf /var/spool 2&gt; /dev/null
  609. </pre>
  610. <br>
  611. <br>
  612. Note that it is a good idea to generate a new paritition for /tmp itself,
  613. and putting a symlink from /usr/tmp and /var/tmp to /tmp. This way it is
  614. easier to control and wipe.
  615. <br>
  616. <br>
  617. Again, if you can't install the secure_delete package for any reason,
  618. you can also use this solution (slower and not as secure):
  619. <pre> dd if=/dev/zero of=/tmp/cleanup
  620. sync
  621. rm /tmp/cleanup
  622. </pre>
  623. <br>
  624. <br>
  625. <br>
  626. <A NAME="63"></A>
  627. <bold>*** 3. How to handle swap data</bold>
  628. <br>
  629. <br>
  630. Securely wiping files and free diskspace - well what's left?
  631. Today, harddisk MB's are cheaper than RAM, thats why swap space is used to
  632. expand the available RAM. This is in reality a file or partition on your
  633. harddisk. And can have your sensitive data in it.
  634. <br>
  635. <br>
  636. Again there is only one tool which helps you out here, "sswap" from THC's
  637. secure_delete package ;-)
  638. <br>
  639. Put this line after the "swapoff" line in /sbin/init.d/halt:
  640. <pre> sswap -l /dev/XXXX # the device for your swap, check /etc/fstab
  641. </pre>
  642. <br>
  643. <br>
  644. <br>
  645. <A NAME="64"></A>
  646. <bold>*** 4. How to handle RAM</bold>
  647. <br>
  648. <br>
  649. In section <a href="55">V.5</a> I wrote about sensitive information in your RAM, the fast
  650. memory of your computer system. It can hold very sensitive information
  651. like the email you wrote before pgp'ing it, passwords, anything.
  652. <br>
  653. To ensure, that the memory is cleaned, use the smem utility.
  654. <br>
  655. It should be called like this in the stop part of a late rc2.d script (as
  656. already mentioned above), after the wiping the file of /tmp etc. and
  657. then wiping the free memory:
  658. <pre> smem -ll
  659. </pre>
  660. <br>
  661. <br>
  662. <br>
  663. <A NAME="65"></A>
  664. <bold>*** 5. Temporary data - it is evil</bold>
  665. <br>
  666. <br>
  667. After you have secured/anonymized/privatized your system so far everything's
  668. ready - or did you forget something?
  669. <br>
  670. Remember what we told you in section <a href="61">VI.1</a>, that temporary data is written
  671. somewhere and sometimes you don't know. If you are unlucky, all we've done
  672. here was useless. We have to ensure that there's no temporary data
  673. left on the devices and that it can't be recovered either.
  674. <br>
  675. We already dealed with /var/log, /var/run and sent email (/var/spool/...),
  676. and we wipe all free diskspace from our temporary disk locations.
  677. Now we must wipe also the temporary data.
  678. <br>
  679. Put this line in the stop part of a late rc2.d script (before sfill
  680. from <a href="63">VI.3</a>):
  681. <pre> ( cd /tmp ; ls -A | xargs -n 250 srm -r ; )
  682. </pre>
  683. Also a $USER/tmp directory should be created for all users under the CFS
  684. /home protection and a TMPDIR variable set to this directory.
  685. <br>
  686. <br>
  687. See section IX. for all these scripts ...
  688. <br>
  689. <br>
  690. <br>
  691. <br>
  692. <A NAME="7"></A>
  693. <bold>* VII. NETWORK CONNECTIONS</bold>
  694. <br>
  695. <br>
  696. This is a very specialized area of this document. I write here a few ways
  697. how someone can protect some of their data being transfered on the internet.
  698. <br>
  699. <br>
  700. The basic prerequisites are as following:
  701. You've got an external POP3 and SMTP (mail relayer) where you get and send
  702. your email. When your go on irc, you also don't like your real hostname
  703. being printed on the channels.
  704. <br>
  705. <br>
  706. Your external mail server should be in another country, because if maybe
  707. some official agencies think you're doing something illegal (and I'm sure
  708. you won't) it's harder to get a search warrant. It's also harder because
  709. companies or individuals that try to get your data would need to invest more
  710. time, work and money to get it.
  711. <br>
  712. <br>
  713. You can tunnel your SMTP and POP3 via ssh to the external mail server.
  714. <br>
  715. For POP3 this is easy, but for SMTP this is a bit harder.
  716. <br>
  717. Just as an example, irc traffic can be tunneled through this as well,
  718. but dcc stuff won't work (one way doesn't work, the other would reveal
  719. your ip address to the sender and the data is not encrypted on any part
  720. of the internet)
  721. <br>
  722. Note that you can also use redirectors and proxies to accomplish further
  723. redirecting for other protocols (www, irc, ftp proxies etc.)
  724. <br>
  725. <br>
  726. Thats all. All mail traffic (and as you can see below, irc traffic too) is
  727. being crypted between you and your mail/proxy server.
  728. <br>
  729. <br>
  730. sendmail.cf (important parts):
  731. <pre> DSsmtp:[127.0.0.1]
  732. DjTHE_DOMAIN_NAME_OF_YOUR_EMAIL
  733. DMTHE_DOMAIN_NAME_OF_YOUR_EMAIL
  734. - Msmtp, P=[IPC], F=mDFMuX, S=11/31, R=21, E=\r\n, L=990,
  735. + Msmtp, P=[IPC], F=mDFMuXk, S=11/31, R=21, E=\r\n, L=990,
  736. </pre>
  737. (add the "k" switch to the smtp option config line)
  738. <br>
  739. <br>
  740. ~user/.fetchmailrc:
  741. <pre> poll localhost protocol POP3:
  742. user USER_REMOTE with pass PASSWORD_REMOTE is USER_LOCAL here
  743. mda "/usr/sbin/sendmail -oem USER_LOCAL"
  744. </pre>
  745. (enter the corresponding USER_* and PASSWORD in here)
  746. <br>
  747. <br>
  748. The ssh commandline which tunnels the traffic for POP3, SMTP and irc:
  749. <pre> ssh -a -f -x -L 110:localhost:110 -L 6667:irc.server.com:6667 -L \
  750. 25:localhost:25 your_mail_server.com
  751. </pre>
  752. <br>
  753. <br>
  754. That's all. I won't tell you more. Use your brain ;-)
  755. <br>
  756. <br>
  757. <br>
  758. <br>
  759. <A NAME="8"></A>
  760. <bold>* VIII. HIDING PRIVACY SETTINGS</bold>
  761. <A NAME="81"></A>
  762. <bold>*** 1. Mount is your friend</bold>
  763. <br>
  764. <br>
  765. Take a look at the following commands:
  766. <pre># ls -l /home
  767. total 3
  768. drwxr-x--- 1 root root 1024 Mar 28 14:53 admin
  769. drwxr-x--- 1 vh thc 1024 Mar 28 16:22 vh
  770. drwxr-x--- 1 user users 1024 Mar 28 11:22 user
  771. # mount -t ext2 /dev/hda11 /home # or a ramdisk, doesn't matter
  772. # ls -l /home
  773. total 0
  774. # : whoops, where are the homedirs ?
  775. # umount /home
  776. # ls -al /home
  777. total 3
  778. drwxr-x--- 1 root root 1024 Mar 28 14:53 admin
  779. drwxr-x--- 1 vh thc 1024 Mar 28 16:22 vh
  780. drwxr-x--- 1 user users 1024 Mar 28 11:22 user
  781. # : ah, yeah there they are again ...
  782. </pre>
  783. This is a nice feature to hide your crypted data and binaries.
  784. Just put your files into e.g. /usr/local/bin and /usr/local/crypt
  785. and mount a decoy filesystem over /usr/local. If you then have got
  786. a process started in your boot scripts which opens a file on the decoy
  787. filesystem, the filesystem can't be unmounted until the process is killed.
  788. This way, it's much harder for someone to detect your data!
  789. <br>
  790. <br>
  791. <br>
  792. <A NAME="82"></A>
  793. <bold>*** 2. Removable Medias</bold>
  794. <br>
  795. <br>
  796. An even better possibility is: put all your sensitive data on a removable
  797. media. Put your media in, mount it, it run the startscript from it
  798. to activate all the privacy stuff. This way you made it one step harder
  799. for someone to get to know whats going on.
  800. <br>
  801. <br>
  802. <A NAME="83"></A>
  803. <bold>*** 3. ???</bold>
  804. <br>
  805. <br>
  806. Any other ideas? Think about it! (and maybe send me your ideas ;-)
  807. <br>
  808. <br>
  809. <br>
  810. <br>
  811. <A NAME="9"></A>
  812. <bold>* IX. EXAMPLE CONFIGURATION AND SCRIPTS</bold>
  813. <br>
  814. <br>
  815. <a href="anonymous-unix-0.9.tar.gz">Click here</a> to download the
  816. <bold>anonymous-unix-0.9.tar.gz</bold> tools!
  817. <br>
  818. <br>
  819. <br>
  820. <br>
  821. <A NAME="10"></A>
  822. <bold>* X. FINAL COMMENTS</bold>
  823. <br>
  824. <A NAME="101"></A>
  825. <bold>*** 1. Where to get the tools mentioned in this text</bold>
  826. <br>
  827. <br>
  828. - Crypto Filesystems
  829. <ul>
  830. CFS (Cryptographic File System) <a href="http://www.replay.com">http://www.replay.com</a><br>
  831. TCFS (Transparent CFS) <a href="ftp://mikonos.dia.unisa.it/pub/tcfs">ftp://mikonos.dia.unisa.it/pub/tcfs/</a><br>
  832. SFS (Stegano File System) <a href="http://www.linux-security.org/sfs">http://www.linux-security.org/sfs</a><br>
  833. Crypto Loopback Filesystem <a href="ftp://ftp.csua.berkeley.edu/pub/cypherpunks/filesystems/linux/">ftp://ftp.csua.berkeley.edu/pub/cypherpunks/filesystems/linux/</a><br>
  834. </ul>
  835. - Tools
  836. <ul>
  837. THC's secure_delete package <a href="http://www.thc.org">http://www.thc.org</a><br>
  838. secure-linux kernel patch <a href="http://www.false.com/security">http://www.false.com/security</a><br>
  839. syslog-ng <a href="http://www.balabit.hu/products/syslog-ng.htm">http://www.balabit.hu/products/syslog-ng.htm</a><br>
  840. ssylog <a href="http://www.core-sdi.com/ssyslog">http://www.core-sdi.com/ssyslog</a><br>
  841. </ul>
  842. - The example Linux Distribution
  843. <ul>
  844. SuSE Linux Distribution <a href="http://www.suse.com">http://www.suse.com</a><br>
  845. </ul>
  846. <br>
  847. <A NAME="102"></A>
  848. <bold>*** 2. Additional thoughts</bold>
  849. <br>
  850. <br>
  851. The following problems are still present:
  852. <ul>
  853. - If an attacker can gain access to the system without rebooting
  854. and in time before data is wiped, unmounted, etc. these countermeasures
  855. are worthless.</ul>
  856. <ul>
  857. - If a really well funded organisation is trying to decrypt your
  858. data via brute force/dictionary or good electronic microscopes
  859. and technical staff with excellent knowhow, your wiping won't
  860. help you very much.</ul>
  861. <ul>
  862. - The solution for /var/spool/mail and /var/spool/mqueue etc. is far
  863. away from being perfect. Remember this. Ideas welcome.</ul>
  864. <ul>
  865. - The configuration of your system daemons can only be secured if
  866. you are present at the console after a reboot. That's the price.</ul>
  867. <ul>
  868. - It is not very hard to detect the privacy stuff done. This might
  869. bring you in trouble in countries like China or Iran. Removable
  870. medias might help, or try a crypto filesystem with stegano support.</ul>
  871. <br>
  872. Secure your system against unauthorized (from your point of view) access
  873. and use strong passwords.
  874. <br>
  875. <br>
  876. <br>
  877. <A NAME="103"></A>
  878. <bold>*** 3. Greetings (what would the world be without greets?)</bold>
  879. <br>
  880. <br>
  881. What would the world be without love and greetings? ;-)
  882. <br>
  883. <br>
  884. Greets to individuals (in alphabetic order):
  885. <ul>
  886. Doc Holiday, Froody, Fyodor, plasmoid, pragmatic, rookie,
  887. Solar Designer, Tick, Wilkins.</ul>
  888. <br>
  889. Greets to groups:
  890. <ul> ADM, THC (of course ;-) and arF</ul>
  891. <br>
  892. Greets to channel members:
  893. <ul> #bluebox, #hack, #hax, #!adm and #ccc</ul>
  894. <br>
  895. <br>
  896. <A NAME="104"></A>
  897. <bold>*** 4. How to contact me for updates or comments</bold>
  898. <br>
  899. <br>
  900. Please send me any further ideas you've got to make this documentation
  901. better! Did I wrote bad bad english in some part? Could I rephrase parts
  902. to make it easier to understand? What is wrong? What's missing? <a
  903. href="mailto:vh@reptile.rug.ac.be>Email me!</a>
  904. <br>
  905. Tell me (best with a corrected diff) and I'll update this text.
  906. <br>
  907. <br>
  908. <br>
  909. Please use my public pgp key below.
  910. <br>
  911. <br>
  912. <br>
  913. Ciao...
  914. <br><ul>
  915. <a href="mailto:vh@reptile.rug.ac.be">van Hauser / THC - [The Hacker's Choice]</a>
  916. </ul><br>
  917. <br>
  918. THC's Webpage -&gt; <a href="http://www.thc.org">http://www.thc.org</a>
  919. <br>
  920. (or <a href="http://thc.pimmel.com">http://thc.pimmel.com</a> or <a href="http://www.thc.org">http://www.thc.org</a>)
  921. <br>
  922. <PRE>
  923. Type Bits/KeyID Date User ID
  924. pub 2048/CDD6A571 1998/04/27 van Hauser / THC &lt;vh@reptile.rug.ac.be&gt;
  925. -----BEGIN PGP PUBLIC KEY BLOCK-----
  926. Version: 2.6.3i
  927. mQENAzVE0A4AAAEIAOzKPhKBDFDyeTvMKQ1xx6781tEdIYgrkrsUEL6VoJ8H8CIU
  928. SeXDuCVu3JlMKITD6nPMFJ/DT0iKHgnHUZGdCQEk/b1YHUYOcig1DPGsg3WeTX7L
  929. XL1M4DwqDvPz5QUQ+U+VHuNOUzgxfcjhHsjJj2qorVZ/T5x4k3U960CMJ11eOVNC
  930. meD/+c6a2FfLZJG0sJ/kIZ9HUkY/dvXDInOJaalQc1mYjkvfcPsSzas4ddiXiDyc
  931. QcKX+HAXIdmT7bjq5+JS6yspnBvIZC55tB7ci2axTjwpkdzJBZIkCoBlWsDXNwyq
  932. s70Lo3H9dcaNt4ubz5OMVIvJHFMCEtIGS83WpXEABRG0J3ZhbiBIYXVzZXIgLyBU
  933. SEMgPHZoQHJlcHRpbGUucnVnLmFjLmJlPokAlQMFEDVE0D7Kb9wCOxiMfQEBvpAD
  934. /3UCDgJs1CNg/zpLhRuUBlYsZ1kimb9cbB/ufL1I4lYM5WMyw+YfGN0p02oY4pVn
  935. CQN6ca5OsqeXHWfn7LxBT3lXEPCckd+vb9LPPCzuDPS/zYnOkUXgUQdPo69B04dl
  936. C9C1YXcZjplYso2q3NYnuc0lu7WVD0qT52snNUDkd19ciQEVAwUQNUTQDhLSBkvN
  937. 1qVxAQGRTwgA05OmurXHVByFcvDaBRMhX6pKbTiVKh8HdJa8IdvuqHOcYFZ2L+xZ
  938. PAQy2WCqeakvss9Xn9I28/PQZ+6TmqWUmG0qgxe5MwkaXWxszKwRsQ8hH+bcppsZ
  939. 2/Q3BxSfPege4PPwFWsajnymsnmhdVvvrt69grzJDm+iMK0WR33+RvtgjUj+i22X
  940. lpt5hLHufDatQzukMu4R84M1tbGnUCNF0wICrU4U503yCA4DT/1eMoDXI0BQXmM/
  941. Ygk9bO2Icy+lw1WPodrWmg4TJhdIgxuYlNLIu6TyqDYxjA/c525cBbdqwoE+YvUI
  942. o7CN/bJN0bKg1Y/BMTHEK3mpRLLWxVMRYw==
  943. =MdzX
  944. -----END PGP PUBLIC KEY BLOCK-----
  945. </PRE>
  946. </BODY>
  947. </HTML>