Why ha.ckers.org doesn’t get hacked

Upload: kelly-anthony

Post on 16-Dec-2015

TRANSCRIPT

Page 1: Why ha.ckers.org doesn’t get hacked. Who we are. James Flom (id) COO SecTheory Ltd

Why ha.ckers.org doesn’t get hacked

Page 2:

Who we are.

• James Flom (id)
• COO SecTheory Ltd
• http://ha.ckers.org/
• http://sla.ckers.org/
• http://www.sectheory.com/

Page 3:

Just a little faith…

• Date: May 31, 2007 09:34AM

I know we will get hacked one day - it's a certainty. It's something I've come to terms with well before I even had a blog. You can't go through life fearing the inevitable. At the same time I do all I can to protect the site, given what it needs to do. There are a few holes in the site that I know of that would limit my own ability to function. I've been hardening those more as time goes on, but ultimately, it will take time (that I don't have) to make it iron clad.

- RSnake

Page 4:

In the beginning…

RSnake: “Hey id, you’ve got a server, want to host this ha.ckers.org site for me?”

Uh, sure…

Page 5:

Stories!

• Imagecrash (343k)
• Drive from SB to SF
• First Slashdot
• First Reddit
• ISP shutdown (2x)

Page 6:

/.

Page 7:

ha.ckers gets a new home in Pleasanton, CA

Hanging on a shelf in a 90° garage…

Page 8:

ha.ckers gets a new home in TX

The ClickForensics telco closet of doom

No pics, sorry

Page 9:

ha.ckers gets a 2nd new home in TX

• Heat issues part 1
• Stupid string/handle
• Power bill not paid
• Leaf Blower of Doom
• A little bit of B&E

Page 10:

ha.ckers gets a 3rd new home in TX

• Heat issues part 2…
• Free AV!
• Slowloris/DoS
• Tile saw of doom

Page 11:

ha.ckers gets a 4th new home in TX

Don’t bump picture

Page 12:

Idiots Abound…

I AM FURIOUS!!!!!!!!! One of your associates, ha.ckers.org has given me a virus. Whenever I click on a link a box pops up saying a bunch of jibber jab but it does say: Host: Ha.ckers.org. Unless you and ha.ckers.org do not want to be sued you better figure out a way to get the virus you guys created off my computer pronto!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

- Melissa Shaw

Page 13:

The Network

Page 14:

Network Features

• Firewall PF (OpenBSD)
  – Redirects traffic similar to a Cisco “static” translation
  – No egress traffic allowed from DMZ
  – Out interface ACL philosophy
  – DoS protection
    • Floods
    • Slowloris style attacks
  – Network separation
    • Admin traffic never traverses the DMZ network.

Page 15:

Who are you?

• Do you have a permitted source IP to connect to the firewall?
• Do you have the correct cert?
• Do you have a user/pass (SSH)?
• Do you have a permitted source IP to connect to the administrative proxy?
• Do you have the right URL path?
• Do you have a user/pass for .htaccess?
• Do you have authentication to the application?
• Will the browser allow the connection (Robert’s Preso)?
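Below is an added pf.conf sketch of the design these two slides describe (the PF features on page 14 and the permitted-source-IP gate on the firewall from page 15). It is example configuration written for this transcript, not the ha.ckers.org ruleset: interface names, addresses, the table name and the limits are assumptions, and the syntax is OpenBSD's post-4.7 match/rdr-to form rather than the older rdr on syntax of the deck's era.

```conf
# /etc/pf.conf (OpenBSD) -- added example for this transcript, not the
# ha.ckers.org ruleset.  Interfaces, addresses and limits are assumptions.

ext_if   = "em0"            # Internet
dmz_if   = "em1"            # DMZ: the public-facing jails
adm_if   = "em2"            # admin network: bastion, log host, the jails' admin legs
ext_addr = "203.0.113.10"
dmz_net  = "10.0.1.0/24"
www_pub  = "10.0.1.10"      # web jail, DMZ leg
bastion  = "10.0.2.5"
loghost  = "10.0.2.6"

table <flooders> persist    # sources that tripped the connection limits

set skip on lo
set block-policy drop
set loginterface $ext_if
# A state only passes packets on the interface it was created on, so a packet
# must be allowed by a rule on every interface it crosses, including the one
# it LEAVES through.  Without this the "pass in" on $ext_if would carry the
# packet out of $dmz_if without any rule there being consulted.
set state-policy if-bound
set limit { states 200000, src-nodes 50000 }
set timeout { tcp.first 30, tcp.opening 10 }   # half-open and idle-new states die fast

match in all scrub (no-df random-id max-mss 1440)

# "Static translation": the public address is pinned to the web jail.  Only
# rdr-to is needed; the DMZ never initiates anything, so there is no nat-to.
match in on $ext_if proto tcp to $ext_addr port { 80 443 } rdr-to $www_pub

# Default deny, everywhere, logged.
block log all

# --- Internet side ----------------------------------------------------------
# synproxy finishes the client's handshake on the firewall before the jail
# ever sees a SYN (SYN floods).  max-src-conn caps open connections per client
# and max-src-conn-rate caps new connections (15 in 5 s); offenders land in
# <flooders> and all their states are killed.  This blunts a single-source
# slowloris, not a distributed one.
block in quick on $ext_if from <flooders>
pass in on $ext_if proto tcp from any to $www_pub port { 80 443 } \
    flags S/SA synproxy state \
    (max-src-conn 100, max-src-conn-rate 15/5, overload <flooders> flush global)

# --- DMZ side: the out-interface ACL ----------------------------------------
# The only traffic allowed to leave the firewall into the DMZ is web traffic
# to the web jail.  Replies ride this state back in.
pass out on $dmz_if proto tcp to $www_pub port { 80 443 } flags S/SA keep state

# No egress from the DMZ.  "block all" already covers it; this dedicated logged
# rule is the detector: states are matched before rules, so replies never hit
# it, and nothing legitimate ever starts a connection from the DMZ.  A single
# hit in pflog means a jail is trying to phone home.
block in log quick on $dmz_if from $dmz_net to any

# --- Admin side -------------------------------------------------------------
# Managing the firewall: SSH, only from the bastion, only on the admin
# interface.  Bastion-to-jail admin traffic stays on the admin segment and
# never crosses the firewall or the DMZ, so it needs no rule here.
pass in on $adm_if proto tcp from $bastion to ($adm_if) port 22 flags S/SA keep state
# The firewall ships its own logs to the log host.
pass out on $adm_if proto udp from ($adm_if) to $loghost port 514
```

Two things are worth noticing. `set state-policy if-bound` is what makes the out-interface ACL real: with the default floating states the pass rule on the Internet side would silently carry packets out of the DMZ interface without any rule there being consulted. And the logged block on the DMZ interface is the cheapest detector on the box, because no legitimate packet ever starts a connection from the DMZ, so one hit in pflog is a compromised jail. Per-source max-src-conn limits slow a single slowloris client down but do nothing against a distributed one; that is the job of the layer-7 relay on the next-generation network. `pfctl -nf /etc/pf.conf` parses the file without loading it.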

Page 16:

I don’t trust you

Page 17:

Going to jail

Page 18:

OS Security

• Can only access the administrative interfaces via secure admin network/bastion host
• Jails are mounted read only – even if compromised they cannot be rootkitted (nothing on disk can be changed; an in-memory implant does not survive a restart)
• Only have to upgrade the Base Jail
• No real users live in the jails – files are owned by no user known to the jailed OS
• No binaries not needed by the jails are in the Base Jail

Page 19:

Logging

• Everything that can log does log
• All logs are aggregated to a log host that is not reachable by any DMZ host
• OSSEC used to aggregate and monitor logs with custom rules
• Logs are off the host and onto the log host as they are generated
• Forensics are done every day

Page 20:

New Generation Network

• Switched to relayd – OpenBSD implementation
  – SSL acceleration: TLS is terminated on the relay, so what leaves it toward the DMZ is plaintext and the packets can be read on the egress
• Each virtual interface gets its own network stack and firewall ruleset
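An added relayd.conf for the TLS termination layer this slide calls SSL acceleration; it is example configuration for this transcript, not the ha.ckers.org file. Addresses and the host list are assumptions, the keyword is `tls` in current relayd (it was `ssl` when this deck was given), and relayd derives the key pair file names from the listen address unless told otherwise.

```conf
# /etc/relayd.conf (OpenBSD) -- added example for this transcript, not the
# ha.ckers.org file.  Addresses are assumptions.  relayd terminates TLS on
# the firewall host and forwards plain HTTP to the web jail, so the traffic
# crossing the DMZ interface is readable by pf's logging and whatever watches
# it.  Key pair: /etc/ssl/203.0.113.10.crt and /etc/ssl/private/203.0.113.10.key
# (relayd derives the names from the listen address).

ext_addr = "203.0.113.10"
www_pub  = "10.0.1.10"

table <www> { $www_pub }

http protocol "www_tls" {
        # The backend only ever sees relayd's address; hand it the real client
        # so the jail's access log and any per-client limiting still work.
        match request header set "X-Forwarded-For" value "$REMOTE_ADDR"
        match request header set "X-Forwarded-By" value "$SERVER_ADDR:$SERVER_PORT"

        # Answer protocol errors from relayd itself rather than forwarding junk.
        return error

        # relayd owns the client socket: a client trickling headers ties up a
        # relayd session, not an httpd child in the jail.
        tcp { nodelay, sack, socket buffer 65536, backlog 128 }
        tls { ciphers "HIGH:!aNULL:!MD5" }
}

relay "www_tls" {
        listen on $ext_addr port 443 tls
        protocol "www_tls"
        # Backend health is checked from the relay side; a jail that stops
        # answering is pulled from <www> and the relay answers the error itself.
        forward to <www> port 80 check http "/" code 200
}
```

On the pf side the rdr-to for port 443 goes away, because the relay listens on the public address itself: the Internet-side rule becomes `pass in on $ext_if proto tcp to $ext_addr port 443` with the same state limits, and the DMZ out rule gets `from ($dmz_if)`, since relayd now originates the backend connection from the firewall. `relayd -n` checks the file; `relayctl show hosts` shows whether the backend check is passing.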

Page 21:

Next Generation OS

• Completely read only jails
• Unique Base Jails for each type of server
• Logging via UNIX socket to parent OS – nothing touches the disk
• Further improvements in removing unneeded software
• Each jail has its own network stack and on-host firewall
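An added jail.conf with its fstab and the host's syslogd settings, tying together the read-only jails of page 18, the off-host logging of page 19 and the next-generation jail of this slide; it is example configuration for this transcript, not the ha.ckers.org setup. FreeBSD jail.conf(5) syntax; paths, jail names, addresses, the uid and the epair and bridge names are assumptions, as is the nullfs pass-through of the log socket noted in the comments.

```conf
# /etc/jail.conf (FreeBSD) -- added example for this transcript, not the
# ha.ckers.org setup.  Paths, names, addresses and the uid are assumptions.
#
#   /jails/base-www      one read-only base shared by every web-type jail;
#                        upgrade it once and all web jails pick the fix up
#   /jails/rw/www1/var   the one writable tree of this jail (nosuid, noexec)
#   /jails/www1          the mount point the jail runs in
#
# Prepare the base once on the host.  uid 60000 is assumed to exist on the
# host only, so no account inside the jail maps to a file owner:
#   chown -R 60000:60000 /jails/base-www

# Defaults for every jail
path           = "/jails/$name";
host.hostname  = "$name.example.invalid";
mount.fstab    = "/etc/fstab.$name";
mount.devfs;
devfs_ruleset  = 4;        # stock jail ruleset: no disks, no /dev/mem, no /dev/pf
exec.start     = "/bin/sh /etc/rc";
exec.stop      = "/bin/sh /etc/rc.shutdown";
exec.clean;
securelevel    = 3;        # no kld, no raw disk access, no clearing of file flags
enforce_statfs = 2;        # the jail sees only its own mount points
allow.raw_sockets = 0;
allow.sysvipc  = 0;
allow.mount    = 0;

www1 {
        # Next generation: a private network stack.  Because /etc lives in the
        # read-only base shared with the other web jails, the address comes
        # from here, not from an rc.conf.  The host side of the pair (epair0a)
        # is where the host's pf applies this jail's own ruleset.
        vnet;
        vnet.interface = "epair0b";
        exec.prestart  = "ifconfig epair0 create up";
        exec.prestart += "ifconfig bridge0 addm epair0a";
        exec.start     = "ifconfig epair0b inet 10.0.1.10/24 up && /bin/sh /etc/rc";
        exec.poststop  = "ifconfig epair0a destroy";
}

# /etc/fstab.www1 -- mounted by jail(8) before the jail is created.
# Device            Mountpoint          FStype  Options                    Dump Pass
/jails/base-www     /jails/www1         nullfs  ro                         0    0
/jails/rw/www1/var  /jails/www1/var     nullfs  rw,nosuid,noexec           0    0
tmpfs               /jails/www1/tmp     tmpfs   rw,nosuid,noexec,size=64m  0    0

# /etc/rc.conf (host) -- the jail runs no syslogd.  The host's syslogd opens an
# extra socket in the jail's writable tree, by its HOST path so it exists before
# the jail's mounts do; inside the jail the same socket is /var/run/log, where
# libc's syslog(3) writes.  Messages go straight to the host's syslogd and from
# there off the box: nothing is written inside the jail.  (Assumes nullfs passes
# the socket through; if it does not, restart syslogd from exec.poststart so it
# binds the in-jail path after the mounts exist.)
syslogd_flags="-s -l /jails/rw/www1/var/run/log"    # -s: accept nothing from the net

# /etc/syslog.conf (host) -- with no other lines in the file, everything goes
# straight to the log host on the admin network and the host keeps no local
# copy to tamper with.  The DMZ cannot route there, so a compromised jail never
# reaches its own evidence.
*.*     @10.0.2.6
```

The read-only base does two jobs at once: it is the thing you upgrade (once, for every jail of that type), and it is why a compromise cannot persist, since root inside the jail has nowhere writable but a noexec /var and a tmpfs that vanishes on restart. The per-jail network stack is what lets the host filter one jail's traffic on its own epair without that traffic ever sharing a stack with the other jails. `jail -c www1` starts it and `jls -v` shows its state; a backup of /jails/rw/www1 plus the base is the whole jail.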

Page 22:

ha.ckers gets a 5th new home in TX

Page 23:

Questions?

[email protected]@ckers.org