Your Linux server is accessible from the Web and someone has hacked into it. Luckily, you have a HoneyPot set up to trap the illegal entrant and put him into a make-believe world, while you do a trace back and cancel the connection. Good. But what if the hacker is on your console? In this article, we set up a HoneyPot-style environment for consoles.
We assume that you've installed PCQLinux 2004 (or FC2). We recommend performing the following procedure on a separate partition or a different hard disk, but you can also continue by creating a folder for it. Whether you are using a new partition or hard disk or just a folder, let's call it '/pcq-jail'.
We will create an imitation of the real directory structure, because a hacker with shell access can see a lot more, and do a lot more damage, than someone coming in from the Web. When the hacker logs on, he cannot leave the imitation directory you have created, even though it is just a sub-directory. What actually happens is that we create a wrapper that fools the user's shell into thinking it is seeing the full file system. Make sure that any configuration files and settings we put there (including copies of the 'passwd' file) contain only dummy information.
Appoint the Jail warden
Login as root and copy the provided 'jail_1.9a.tar.gz' from this month's CD to '/root' and issue:
# tar -zxvf /root/jail_1.9a.tar.gz
# cd /root/jail
# make
# make install
By default, the Jail binaries are installed in /usr/local/bin. With the Jail program installed, we're ready to finish the remaining configuration: creating the virtualized environment and adding some applications and users to it.
Build the Jail
While logged on as root, follow the steps below.
# /usr/local/bin/mkjailenv /pcq-jail
# /usr/local/bin/addjailsw /pcq-jail
The 'mkjailenv' command creates the file system structure by recreating the 'bin', 'etc', 'usr' and 'var' directories and some special 'dev' entries. The 'addjailsw' command adds some typical software and commands to this file system, copying the files they depend on as well. Though this can be done manually, resolving file/library dependencies can be very tricky and time-consuming. Note that the original copies of these files and software continue to exist as they were.
Add inmates to the Jail
We have to add each user twice. First add them to the real system using the regular 'adduser' command. Then use the 'addjailuser' command (part of our package) to add them to the jail. If the user already exists in the real system, you only need to run the 'addjailuser' step. For example, to add an existing user called 'johndoe', just run:
# /usr/local/bin/addjailuser /pcq-jail /home/johndoe /bin/bash johndoe
In the above command, '/pcq-jail' is the full path to our jail file system. Read '/home/johndoe' as /pcq-jail/home/johndoe. '/bin/bash' is the shell for the user, while 'johndoe' is the name of the user to Jail. Now when 'johndoe' logs in to this system, he will be automatically Jailed. This applies only to local and Telnet logins, and not to logins to websites via Apache or SFTP and so on.
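To make the dependency-resolution step and the dummy 'passwd' step concrete, here is an added shell script that is not part of the article or of the Jail package. It does by hand the general version of what 'addjailsw' and the dummy-configuration advice above describe: copy a program into the jail root together with every shared library that 'ldd' reports for it, and write an '/etc/passwd' inside the jail that names only root and the jailed user with placeholder fields. It assumes a POSIX shell, a working 'ldd', and that the programs you point it at are trusted system binaries ('ldd' can execute parts of a binary, so it is not something to run on an unknown file); the jail path and the user name 'johndoe' are taken from the article, everything else is constructed for the example.

```shell
#!/bin/sh
# Added example (not from the article or the Jail package): a minimal
# hand-rolled equivalent of 'addjailsw' plus a dummy /etc/passwd writer.
# Assumes POSIX sh and a working 'ldd'; only run it on trusted binaries.

# Copy one file into the jail, recreating its directory under the jail root.
copy_into_jail() {
    jail=$1; src=$2
    mkdir -p "$jail$(dirname "$src")"
    cp "$src" "$jail$src"          # cp keeps the executable bit (minus umask)
}

# Print the absolute paths of the shared libraries a binary depends on.
# Handles both "libc.so.6 => /lib/libc.so.6 (0x..)" and bare "/lib64/ld-linux..."
# lines; a static binary ("not a dynamic executable") simply prints nothing.
list_libs() {
    ldd "$1" 2>/dev/null | awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^\//) print $i }'
}

# populate_jail JAIL PROGRAM... : copy each program and its libraries into JAIL.
populate_jail() {
    jail=$1; shift
    for prog in "$@"; do
        copy_into_jail "$jail" "$prog"
        for lib in $(list_libs "$prog"); do
            # Skip libraries already brought in by an earlier program.
            [ -e "$jail$lib" ] || copy_into_jail "$jail" "$lib"
        done
    done
}

# write_dummy_passwd JAIL USER : an /etc/passwd for the jail that carries only
# placeholder information (no real accounts, no hashes; 'x' points at a shadow
# file that does not exist inside the jail).
write_dummy_passwd() {
    jail=$1; user=$2
    mkdir -p "$jail/etc"
    printf 'root:x:0:0:root:/root:/sbin/nologin\n' > "$jail/etc/passwd"
    printf '%s:x:1000:1000:%s:/home/%s:/bin/bash\n' "$user" "$user" "$user" >> "$jail/etc/passwd"
    chmod 644 "$jail/etc/passwd"
}

# Demo runs only when JAIL_DIR is set, e.g.:  JAIL_DIR=/pcq-jail sh populate-jail.sh
if [ -n "${JAIL_DIR:-}" ]; then
    populate_jail "$JAIL_DIR" /bin/sh /bin/ls
    write_dummy_passwd "$JAIL_DIR" johndoe
    echo "jail populated under $JAIL_DIR"
fi
```

After running it against a scratch directory, compare 'ls -R' of the jail with the output of 'ldd' for each program you copied: every path 'ldd' prints should now exist under the jail root, and the jail's '/etc/passwd' should contain nothing that also appears in the real one.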
Sujay V. Sarma