Why ha.ckers. org doesn’t get hacked. Who we are. James Flom (id) COO SecTheory Ltd

Presentation transcript:

1 Why ha.ckers. org doesn’t get hacked

2 Who we are. James Flom (id) COO SecTheory Ltd

3 Just a little faith…
Date: May 31, :34AM
I know we will get hacked one day - it's a certainty. It's something I've come to terms with well before I even had a blog. You can't go through life fearing the inevitable. At the same time I do all I can to protect the site, given what it needs to do. There are a few holes in the site that I know of that would limit my own ability to function. I've been hardening those more as time goes on, but ultimately, it will take time (that I don't have) to make it ironclad.
- RSnake

4 In the beginning… RSnake: “Hey id, you’ve got a server, want to host this ha.ckers.org site for me?” Uh, sure…

5 Stories!
Imagecrash (343k)
Drive from SB to SF
First Slashdot
First Reddit
ISP shutdown (2x)

6 /.

7 ha.ckers gets a new home in Pleasanton, CA
Hanging on a shelf in a 90° garage…

8 ha.ckers gets a new home in TX
The ClickForensics telco closet of doom
No pics, sorry

9 ha.ckers gets a 2nd new home in TX
Heat issues part 1
Stupid string/handle
Power bill not paid
Leaf Blower of Doom
A little bit of B&E

10 ha.ckers gets a 3rd new home in TX
Heat issues part 2…
Free AV!
Slowloris/DoS
Tile saw of doom

11 ha.ckers gets a 4th new home in TX Don’t bump picture

12 Idiots Abound…
I AM FURIOUS!!!!!!!!! One of your associates, ha.ckers.org, has given me a virus. Whenever I click on a link a box pops up saying a bunch of jibber jab but it does say: Host: Ha.ckers.org. Unless you and ha.ckers.org do not want to be sued you better figure out a way to get the virus you guys created off my computer pronto!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
- Melissa Shaw

13 The Network

14 Network Features
Firewall: PF (OpenBSD)
– Redirects traffic similar to a Cisco “static” translation
– No egress traffic allowed from the DMZ
– Out-interface ACL philosophy
– DoS protection: floods, Slowloris-style attacks
– Network separation: admin traffic never traverses the DMZ network
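The policies on this slide, sketched as an OpenBSD pf.conf. This is an added example and not the ruleset the presentation describes; interface names, addresses, the admin source table and the rate limits are assumed values, and the syntax is the OpenBSD 4.7+ form (rdr-to inside filter rules).

```pf
# Added example, not the ha.ckers.org ruleset. All names and numbers are assumed.
ext_if  = "em0"            # public side
dmz_if  = "em1"            # DMZ holding the web jail
adm_if  = "em2"            # admin network, separate from the DMZ
web_dmz = "10.0.1.10"      # assumed DMZ address of the web jail
table <admins> { 198.51.100.7 }   # assumed permitted admin source IPs
table <abusers> persist           # filled by the overload rule below

set block-policy drop
set skip on lo
# if-bound states: a state created on $ext_if does not silently pass the
# packet out $dmz_if, so every egress interface needs its own pass rule.
# This is the "out-interface ACL" idea made explicit.
set state-policy if-bound

# Default deny, logged. Everything below is an explicit exception.
block log all

# Sources already flagged as abusive are dropped before anything else.
block in quick on $ext_if from <abusers>

# "Static" translation: the public address on $ext_if maps to the web jail.
# synproxy completes the TCP handshake on the firewall first (SYN floods),
# and the per-source connection count/rate limits catch Slowloris-style
# clients that hold many slow connections open; offenders go to <abusers>.
pass in on $ext_if proto tcp to ($ext_if) port { 80 443 } rdr-to $web_dmz \
    flags S/SA synproxy state \
    (max-src-conn 40, max-src-conn-rate 30/10, overload <abusers> flush global)

# Egress rule on the DMZ interface: only the redirected web traffic may leave
# the firewall toward the jail.
pass out on $dmz_if proto tcp to $web_dmz port { 80 443 }

# No egress from the DMZ: nothing the DMZ originates may reach the world.
block in quick on $dmz_if from $dmz_if:network to ! $dmz_if:network
block out quick on $ext_if from $dmz_if:network

# Admin path: only listed source IPs may SSH to the firewall itself, and
# jail administration goes out the admin interface, never across the DMZ.
pass in on $ext_if proto tcp from <admins> to ($ext_if) port 22
pass out on $adm_if proto tcp from ($adm_if) to $adm_if:network port 22
```

Load with `pfctl -nf /etc/pf.conf` first to syntax-check, then `pfctl -f /etc/pf.conf`; `pfctl -t abusers -T show` lists sources the overload rule has cut off.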

15 Who are you?
Do you have a permitted source IP to connect to the firewall?
Do you have the correct cert?
Do you have a user/pass (SSH)?
Do you have a permitted source IP to connect to the administrative proxy?
Do you have the right URL path?
Do you have a user/pass for .htaccess?
Do you have authentication to the application?
Will the browser allow the connection (Robert’s Preso)?

16 I don’t trust you

17 Going to jail

18 OS Security
Can only access the administrative interfaces via the secure admin network/bastion host
Jails are mounted read only – even if compromised they cannot be rootkitted
Only have to upgrade the Base Jail
No real users live in the jails – files are owned by no user known to the jailed OS
Only binaries the jails actually need are present in the Base Jail

19 Logging
Everything that can log does log
All logs are aggregated to a log host that is not reachable by any DMZ host
OSSEC used to aggregate and monitor logs with custom rules
Logs are off the host and onto the log host as they are generated
Forensics are done every day

20 New Generation Network
Switched to relayd
– OpenBSD implementation
– SSL acceleration so packets can be read on the egress
Each virtual interface gets its own network stack and firewall ruleset

21 Next Generation OS
Completely read-only jails
Unique Base Jails for each type of server
Logging via UNIX socket to the parent OS – nothing touches the disk
Further improvements in removing unneeded software
Each jail has its own network stack and on-host firewall

22 ha.ckers gets a 5th new home in TX

23 Questions?
