Who we are
James Flom (id), COO, SecTheory Ltd
http://ha.ckers.org/
http://sla.ckers.org/
http://www.sectheory.com/
Just a little faith…
Date: May 31, 2007 09:34AM
I know we will get hacked one day - it's a certainty. It's something I've come to terms with well before I even had a blog. You can't go through life fearing the inevitable. At the same time I do all I can to protect the site, given what it needs to do. There are a few holes in the site that I know of that would limit my own ability to function. I've been hardening those more as time goes on, but ultimately, it will take time (that I don't have) to make it ironclad.
- RSnake
In the beginning…
RSnake: “Hey id, you’ve got a server, want to host this ha.ckers.org site for me?”
Uh, sure…
Stories!
Imagecrash (343k)
Drive from SB to SF
First Slashdot
First Reddit
ISP shutdown (2x)

ha.ckers gets a new home in Pleasanton, CA
Hanging on a shelf in a 90° garage…

ha.ckers gets a new home in TX
The ClickForensics telco closet of doom
No pics, sorry

ha.ckers gets a 2nd new home in TX
Heat issues, part 1
Stupid string/handle
Power bill not paid
Leaf Blower of Doom
A little bit of B&E

ha.ckers gets a 3rd new home in TX
Heat issues, part 2…
Free AV!
Slowloris/DoS
Tile saw of doom

ha.ckers gets a 4th new home in TX
“Don’t bump” picture
Idiots Abound…
I AM FURIOUS!!!!!!!!! One of your associates, ha.ckers.org has given me a virus. Whenever I click on a link a box pops up saying a bunch of jibber jab but it does say: Host: Ha.ckers.org. Unless you and ha.ckers.org do not want to be sued you better figure out a way to get the virus you guys created off my computer pronto!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
- Melissa Shaw
Network Features
Firewall: PF (OpenBSD)
– Redirects traffic, similar to a Cisco “static” translation
– No egress traffic allowed from the DMZ
– Out-interface ACL philosophy (the deciding rules sit on the interface the traffic leaves through)
– DoS protection: floods and Slowloris-style attacks
– Network separation: admin traffic never traverses the DMZ network
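The slide above as an added pf.conf sketch (not the deck's or the site's real ruleset): interface names, the documentation-range addresses, the networks and the connection limits are all assumptions, and the syntax is OpenBSD 4.7+ (rdr-to rather than the older rdr directive).

```pf
# Added example, not the real ha.ckers.org config. All names/addresses assumed.
ext_if = "em0"          # Internet-facing interface
dmz_if = "em1"          # DMZ segment holding the web jail host
adm_if = "em2"          # admin/bastion segment, never bridged to the DMZ

ext_web = "198.51.100.10"   # public address (RFC 5737 documentation range)
dmz_web = "10.0.1.10"       # DMZ address the public one is translated to
adm_net = "10.0.2.0/24"
bastion = "10.0.2.5"

# Sources that trip the flood/Slowloris limits are collected here and dropped.
table <abusers> persist

set skip on lo
block log all               # default deny, every interface, both directions

# DMZ may not originate anything: no egress to the Internet, nothing toward
# the admin segment. 'quick' makes this win over any later pass rule; replies
# to connections passed in below still flow, because state is matched first.
block in log quick on $dmz_if from $dmz_if:network

# Cisco-"static"-style 1:1 translation of the public web address.
# synproxy completes the handshake on the firewall, so SYN floods never
# reach the jail; max-src-conn caps simultaneous connections per source,
# which is what a Slowloris-style client relies on; max-src-conn-rate caps
# new connections per source over 10 s. Offenders go to <abusers> and all
# their existing states are flushed.
pass in on $ext_if proto tcp from !<abusers> to $ext_web port { 80 443 } \
    rdr-to $dmz_web synproxy state \
    (max-src-conn 50, max-src-conn-rate 25/10, overload <abusers> flush global)

# Out-interface ACL: what may actually enter the DMZ is decided on $dmz_if.
pass out on $dmz_if proto tcp to $dmz_web port { 80 443 } keep state

# Admin path: only the bastion, only SSH, only from the admin segment.
pass in  on $adm_if proto tcp from $bastion to $dmz_web port 22 keep state
pass out on $dmz_if proto tcp from $bastion to $dmz_web port 22 keep state
```

Entries added to <abusers> by the overload rule are visible with `pfctl -t abusers -T show`, which is the hook for the log host to pick up who was rate-limited and when.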
Who are you?
Do you have a permitted source IP to connect to the firewall?
Do you have the correct cert?
Do you have a user/pass (SSH)?
Do you have a permitted source IP to connect to the administrative proxy?
Do you have the right URL path?
Do you have a user/pass for .htaccess?
Do you have authentication to the application?
Will the browser allow the connection (Robert’s preso)?
OS Security
The administrative interfaces can only be reached via the secure admin network/bastion host
Jails are mounted read-only – even if compromised they cannot be rootkitted
Only the Base Jail has to be upgraded
No real users live in the jails – files are owned by users the jailed OS does not know
No binaries the jails do not need are in the Base Jail
Logging
Everything that can log does log
All logs are aggregated to a log host that is not reachable by any DMZ host
OSSEC is used to aggregate and monitor the logs with custom rules
Logs are off the host and onto the log host as they are generated
Forensics are done every day
New Generation Network
Switched to relayd
– OpenBSD implementation
– SSL acceleration, so packets can be read on egress
Each virtual interface gets its own network stack and firewall ruleset
Next Generation OS
Completely read-only jails
Unique Base Jails for each type of server
Logging via UNIX socket to the parent OS – nothing touches the disk
Further improvements in removing unneeded software
Each jail has its own network stack and on-host firewall