I'm back again after several installs and much security reading. Please excuse me for being in paranoid mode; in addition to being attacked for a month, I had an experience this morning I would like to tell you about.
Pre-history:
Installed yesterday Ubuntu desktop 8.4.1 from the alternate disk with LUKS on a Lenovo T41, without internet connected.
Applied the hardening instructions from this:
www.cromwell-intl.com/security/linux-hardening.html
except not changing /temp to a RAM fs.
Edited /etc/apt/sources.list for removing comments added by the installer.
Connected internet.
apt-get update
apt-get upgrade
apt-get dist-upgrade
installed libc6 (needed by OSSEC)
installed NoScript 0.7.5.5 and Adblock Plus 1.8.1
Disconnected internet.
installed OSSEC 1.6
Installed Thunderbird 2.0.0.16
copied my Thunderbird profile from another computer.
Read my mail for the first time in a week.
During the work above, the internet was only plugged in while communicating.
Rebooted with 7.10 Ubuntu Live CD
unmounted the hard disk root.
Inserted an identical hard disk via USB to make a verbatim copy of the hard disk.
$ dd if=/dev/sda of=/dev/sdb bs=32768
After the copy finished I booted the 7.10 Ubuntu Live CD on a system without a hard disk.
I plugged in the hard disk copy via USB.
$ grub
> find /grub/stage1
> root (hd0,0)
> setup (hd0)
> quit
The original hard disk was now swapped with my copy and booted. Stored the original hard disk.
I booted, connected to the internet and fetched mail once more, disconnected the internet and read the mail.
Turned off the computer.
The T41 has not been on the net since this point.
This morning I then booted the computer, and it ran an fsck and informed me that an error on the boot sector had been corrected. When the boot was done the computer was frozen.
I turned it off and then rebooted. This time the behaviour seemed normal. OSSEC has nothing to report.
After maybe 10 minutes it froze again. I then turned it off and removed the extra 1 GByte of RAM, as I have never seen this Lenovo T41 freeze with the original RAM only. As I write this, the T41 has been alive for more than 2 hours without a freeze.
My questions are:
1. Have I installed in an unsafe way?
2. Can a LUKS partition be hacked by an attacker by replacing fsck and setting the counter, so fsck is run at next boot?
3. Can the replaced fsck replace the initial code run for LUKS password entry, store the password on the boot partition or some other free area of the disk for later retrieval, and do a complete cleanup?
4. If point 3 is possible, can it be prevented, and how?
Finally, I will mention this special live CD edition of Kubuntu a friend directed me to; it has been a great help for me.
www.polippix.org
It is presently the only system I can use to log in at www.ebay.de; other systems (OpenBSD and Ubuntu) repeatedly give a fresh login screen after user and password entry.
This post is sent from Polippix.
[Edit] Corrected a wrong grub command in the post; it was done correctly during the work.
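One defensive control that bears on question 4, added here as an example and not part of the original post: with LUKS on the root filesystem, the files in /boot (kernel, initramfs, GRUB stages and config) stay unencrypted and run before the passphrase prompt, so they are the part of the disk worth checking for replacement. The script below records SHA-256 hashes of every file under a directory into a manifest, to be taken from a known-good state such as the live CD session used for the disk copy and kept off the machine, and later reports files that were added, removed or modified. The /boot file names in the demo are constructed placeholders, and the `record`/`verify` command-line handling is this example's own design.

```python
"""Added example: integrity manifest for an unencrypted /boot partition.

Record: python boot_manifest.py record /boot > boot-manifest.json
Verify: python boot_manifest.py verify /boot boot-manifest.json
With no arguments it runs a constructed demo in a temporary directory.
"""
import hashlib
import json
import os
import sys
import tempfile


def hash_file(path):
    """Return the SHA-256 hex digest of a file, read in 64 KiB chunks."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root):
    """Map every regular file below root (as a relative path) to its hash."""
    manifest = {}
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):  # symlink targets are hashed on their own
                continue
            manifest[os.path.relpath(full, root)] = hash_file(full)
    return manifest


def compare(baseline, current):
    """Diff two manifests; any non-empty list means /boot is not as recorded."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(
            p for p in baseline if p in current and baseline[p] != current[p]
        ),
    }


def _write(root, rel, data):
    """Helper for the demo: create a file with constructed content."""
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as fh:
        fh.write(data)


def demo():
    """Constructed scenario: take a baseline, then swap the initrd and add a file."""
    with tempfile.TemporaryDirectory() as boot:
        _write(boot, "grub/menu.lst", b"default 0\ntimeout 3\n")  # placeholder
        _write(boot, "vmlinuz", b"constructed kernel image bytes")
        _write(boot, "initrd.img", b"constructed initramfs bytes")
        baseline = build_manifest(boot)
        # What a replaced pre-passphrase stage looks like to the check.
        _write(boot, "initrd.img", b"constructed initramfs bytes, altered")
        _write(boot, "grub/extra.bin", b"constructed unexpected file")
        return compare(baseline, build_manifest(boot))


if __name__ == "__main__":
    if len(sys.argv) == 3 and sys.argv[1] == "record":
        print(json.dumps(build_manifest(sys.argv[2]), indent=1, sort_keys=True))
    elif len(sys.argv) == 4 and sys.argv[1] == "verify":
        with open(sys.argv[3]) as fh:
            baseline = json.load(fh)
        print(json.dumps(compare(baseline, build_manifest(sys.argv[2])), indent=1))
    else:
        print(json.dumps(demo(), indent=1))
```

The check only sees files inside the /boot filesystem; the MBR and the GRUB stage written by `setup (hd0)` live outside it and would need a separate `dd` of the first sectors compared the same way. Running the verification from the live CD rather than from the installed system is what gives the comparison its value, since a compromised running system can answer the check however it likes.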