[ale] read only filesystems (was: RE: [ale] firewalls on cd)

James P. Kinney III jkinney at localnetsolutions.com
Tue Dec 18 21:25:02 EST 2001


The system has to write _somewhere_ once it is started. Several live CDs
use an initrd and then symlink off the CD to the root tree. So the short
answer is maybe. Make / a ramdisk with nothing but /sbin, then link in
all else. The stuff in /sbin can be marked immutable, or for that matter
everything in /bin, /sbin, and /etc. /root needs to be writable.

On Tue, 2001-12-18 at 20:39, John Wells wrote:
> Coyote Linux doesn't support pcmcia cards.
> 
> Are there any out there that do?  
> 
> Also, if you can run a complete distribution off of a
> cd, is it possible to make your own hd's filesystem
> read only?  I know the root filesystem is initially
> read only at boot...is it possible to cause it to
> remain that way and still function?
> 
> Thanks,
> John
> 
> 
> --- Charles Marcus <CharlesM at Media-Brokers.com> wrote:
> > Forgot about the physical - yes, if someone had
> > access to the floppy, they
> > could certainly make it writeable... good point, and
> > one reason to use a CD,
> > if the machine is not in a secure location.
> > 
> > Charles
> > 
> > > -----Original Message-----
> > > From: esoteric at denali.atlnet.com [mailto:esoteric at denali.atlnet.com] On
> > > Behalf Of Geoffrey
> > > Sent: Tuesday, December 18, 2001 4:46 PM
> > > To: Ale (E-mail)
> > > Subject: Re: [ale] firewalls on cd
> > >
> > >
> > > Charles Marcus wrote:
> > > >
> > > > Coyote Linux is pretty kewl.  It is designed to run from a floppy, but you
> > > > could probably hack it to run from a CD, but don't see why you'd want to do
> > > > that... just keep backups of your boot disk and firewall scripts, and you'll
> > > > be fine.
> > >
> > > As long as you have controlled access to the floppy drive, you can make
> > > it as unwritable as the cdrom.
> > >
> > > >
> > > > Charles
> > > >
> > > > > -----Original Message-----
> > > > > From: John Wells [mailto:jbwellsiv at yahoo.com]
> > > > > Sent: Tuesday, December 18, 2001 4:19 PM
> > > > > To: Ale at ale.org
> > > > > Subject: [ale] firewalls on cd (was [ale] unidentified processes)
> > > > >
> > > > >
> > > > > Dow,
> > > > >
> > > > > Thanks for your reply, and for everyone who has helped
> > > > > on my first iptables outing.
> > > > >
> > > > > Running a bootable CD sounds like a great idea...and
> > > > > there seem to be quite a few options out there.  Does
> > > > > anyone have recommendations on which to use?  I've run
> > > > > across Sentry Firewall CD...what others are available?
> > > > >
> > > > > Thanks,
> > > > > John
> > > > >
> > > > >
> > > > > --- Dow Hurst <dhurst at kennesaw.edu> wrote:
> > > > > > John,
> > > > > > Even though James' email is funny, he is absolutely correct in the
> > > > > > approach.  The portmapper and rpc.statd are RPC based processes along
> > > > > > with NFS and NIS (RPC uses UDP traditionally instead of TCP
> > > > > > connections).  The portmapper advertises what RPC services are available
> > > > > > on particular ports to remote requests.  rpc.statd lets remote
> > > > > > applications and remote machines "know" what the status of the local
> > > > > > machine or application that is RPC enabled is.  Both services are
> > > > > > easily spoofed, cracked, and known cracks are available for both.  Since
> > > > > > you have had those running, as well as ftpd, you should reload from
> > > > > > scratch and choose to format your partitions too.  This is faster and
> > > > > > less prone to mistakes than working thru proving the machine is clean.
> > > > > > (Even though that would be very educational!)  No service should be run
> > > > > > directly on a firewall machine that doesn't have to be.  That is why it
> > > > > > is recommended that you have a server inside your network for services
> > > > > > like Samba, NFS, and appletalk and not combine your firewall server with
> > > > > > that machine.  Running your firewall from a CD filesystem is a beautiful
> > > > > > suggestion.  Your cracker is limited even more by not being able to
> > > > > > change the read only system.  I need to look into that!
> > > > > >
> > > > > > One major difficulty in setting up a firewall for people not intimate
> > > > > > with Linux, or any OS that is used, is that default choices during
> > > > > > install can leave you quite vulnerable and you're not even aware of it til
> > > > > > you learn more.  Use "netstat -an" to prove that you have *only* sshd
> > > > > > advertising a service on port 22 before you hook back up to the
> > > > > > Internet.  You don't even have to have that, except it is convenient and
> > > > > > secure for remote admin.
> > > > > >
> > > > > > Here is an excerpt from an email Bob sent me just the other day:
> > > > > > "Btw, we just put up the first of 4 firewalls at this client (in
> > > > > > Europe).  It took only one hour and 34 minutes for someone to
> > > > > > discover it and start breaking into it.  Within 20 minutes after
> > > > > > that, a second cracker joined in."
> > > > > >
> > > > > > So you see it doesn't take long for a scan to find you and start to
> > > > > > reveal possible entry points.  I would just reload to be on the safe
> > > > > > side.  With more experience and a good "dd" backup, you can quickly
> > > > > > identify differences in a file system to see if you're hacked.  At my
> > > > > > workplace, we have been recovering from several crackers for the past
> > > > > > year.  Nov. 2000 we had the telnetd hole exploited on most of our SGIs.
> > > > > > We don't have much manpower to rebuild systems and keep our work moving
> > > > > > along, so it has taken all year to work on rebuilding machines.  Hope
> > > > > > this helps,
> > > > > > Dow
> > > > > >
> > > > > >
> > > > > > John Wells wrote:
> > > > > > >
> > > > > > > In addition to ftp and ssh, I have two processes
> > > > > > > running on ports 111 and 1024.  They both seem to work
> > > > > > > with rpc, and are the portmapper and rpc.statd
> > > > > > > respectively.
> > > > > > >
> > > > > > > Can I disable these processes without any effect to my
> > > > > > > system?  If so, I assume I just remove the links
> > 
> === message truncated ===
> 
> 
> 
> ---
> This message has been sent through the ALE general discussion list.
> See http://www.ale.org/mailing-lists.shtml for more info. Problems should be 
> sent to listmaster at ale dot org.
> 
-- 
James P. Kinney III   \Changing the mobile computing world/
President and COO      \          one Linux user         /
Local Net Solutions,LLC \           at a time.          /
770-493-8244             \.___________________________./

GPG ID: 829C6CA7 James P. Kinney III (M.S. Physics)
<jkinney at localnetsolutions.com>
Fingerprint = 3C9E 6366 54FC A3FE BA4D 0659 6190 ADC3 829C 6CA7 
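One way to do the "netstat -an" check Dow describes further up the thread (only sshd on TCP port 22 listening before the firewall goes back on the Internet), as an added example that is not part of the thread: a POSIX sh script that runs the netstat output through awk and flags every listening socket other than TCP/22. The function names and the sample netstat output (showing the portmapper on 111, rpc.statd on 1024 and ftpd on 21 from John's box) are constructed for this example.

```shell
#!/bin/sh
# Added example: audit "netstat -an" output and flag any listener other
# than sshd on TCP/22. Pipe real "netstat -an" output into audit_listeners.

# Constructed sample of "netstat -an" on a 2001-era Linux box (not a capture).
SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:1024            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 192.168.1.5:22          192.168.1.9:34567       ESTABLISHED
udp        0      0 0.0.0.0:111             0.0.0.0:*
udp        0      0 0.0.0.0:1024            0.0.0.0:*'

# Read netstat -an text on stdin; print "proto port" for each listening
# socket that is not TCP/22. UDP lines carry no State column, so every udp
# line counts as a listener. The port is the last colon-separated field of
# the local address, which also works for IPv6 entries such as ":::22".
unexpected_listeners() {
    awk '
        $1 == "tcp" && $NF == "LISTEN" {
            n = split($4, a, ":"); if (a[n] != "22") print $1, a[n]
        }
        $1 == "udp" { n = split($4, a, ":"); print $1, a[n] }
    '
}

# Return 0 when only TCP/22 is listening, 1 otherwise (offenders on stderr).
audit_listeners() {
    offenders=$(unexpected_listeners)
    if [ -n "$offenders" ]; then
        printf 'Unexpected listening sockets:\n%s\n' "$offenders" >&2
        return 1
    fi
    return 0
}

# Demo against the constructed sample; on a real host use: netstat -an | audit_listeners
if printf '%s\n' "$SAMPLE_NETSTAT" | audit_listeners; then
    echo "only sshd on TCP/22 is listening"
else
    echo "disable or remove the extra services before reconnecting"
fi
```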


