User: Password:
Subscribe / Log in / New account

Known-exploit detection for the kernel

Known-exploit detection for the kernel

Posted Dec 19, 2013 2:23 UTC (Thu) by PaulWay (subscriber, #45600)
Parent article: Known-exploit detection for the kernel

As I see it, this makes sense for sysadmins who:

* use kernels with the CONFIG_EXPLOIT_DETECTION turned on (either rolling their own or using a distro's enabled kernel)
* have systems that are likely to be probed by script-kiddies
* want to know if they're being probed
* watch their logs

Now, that isn't everyone - but it's a lot of people, including me. Even if I discover the probing after the fact, there's a good chance that the script-kiddie won't clean the logs, so I can then shut the system down and restore from a good backup.

So I for one think this a good idea.

Have fun,


(Log in to post comments)

Known-exploit detection for the kernel

Posted Dec 19, 2013 6:14 UTC (Thu) by wahern (subscriber, #37304) [Link]

Script kiddies, by definition, don't need to worry about cleaning the logs. That's what their scripts are for. If the scripts don't do it now, they will. Script kiddies do the minimum possible. If you raise the bar, there's no reason to believe that it slows them down one iota.

Adding any security which can be easily circumvented is no security at all. All it takes is one person to write the circumvention code and to share it.

There are people doing the thankless job of actually preemptively scanning the code for vulnerabilities and fixing them. Those guys are priceless. Why they keep doing it when all the fame and adulation goes to this kind of stuff, port knocking, and other crazy schemes.... well, I wish their commitment could spread the same way interest in these schemes do.

These schemes only work as long as they're not widely adopted. Once they're widely adopted, they get added into the kiddie scripts. Then you're left with a bunch of useless code which only adds to your attack surface.

Known-exploit detection for the kernel

Posted Dec 19, 2013 7:11 UTC (Thu) by noxxi (subscriber, #4994) [Link]

From my understanding the code is not to fight new exploits, but to detect if a known and fixed exploit was tried. And because the exploit was fixed the script kiddie will have no way to clean the logs (unless it has another and better exploit).
Thus the log entry can be used as a canary by the admin to detect if an account might be compromised and lock it down before worse exploits will be tried.

Known-exploit detection for the kernel

Posted Dec 19, 2013 7:50 UTC (Thu) by dlang (subscriber, #313) [Link]

the better shops also ship their logs off of the local systems so that attempts to scrub the logs will fail.

Known-exploit detection for the kernel

Posted Dec 19, 2013 9:36 UTC (Thu) by zlynx (subscriber, #2285) [Link]

A really well informed attacker can try to jam the log server with nonsense UDP or TCP resets. He'd need access to the log server network of course.

If he can DOS the log server, it won't record anything except a pile of junk. Once he gets root he can kill -9 the log service, clean the logs and restart it.

Just another thing to watch out for.

Known-exploit detection for the kernel

Posted Dec 19, 2013 16:30 UTC (Thu) by Funcan (guest, #44209) [Link]

A sufficiently advanced attacked can also break in and steal the log server. I doubt most people are facing that level of APT most of the time though...

Copyright © 2018, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds