| home | updates | download | manual | documents | feedback | search | ITS more |
|
DEFENSE AGAINST ATTACKERS
-
Immediately after an occurrence of fatal signal, like SIGSEGV or SIGBUS,
DeleGate stops serving to the client host which caused the fatal error,
since the error could be a sign of a failed trial of intrusion.
At the same time, to notify the incident, DeleGate will send a
report mail to the administrator named in the ADMIN parameter.
- TIMEOUT=shutout:N [30m] ... shortest attack retrial interval
- MAXIMA=randstack:N [32] ... randomize stack address
- MAXIMA=randenv:N [1024] ... randomize environment variable
- MAXIMA=randfd:N [32] ... randomize client's socket descriptor
- CHROOT=dirPath ... restrict accessible file space
- OWNER=user [nobody] ... restrict the ability of the DeleGate process
- ADMIN=E-mail-address ... must be correct and SMTP-deliverable
- DGSIGN=mask [V.R.P/Y.M.D] ... hide DeleGate version to client and server
- -Phost:port [0.0.0.0:] ... restrict the interface of an entrance port
- -Tx [off] ... disable execve() system call
- -Fimp [none] ... restrict users and capability of DeleGate executable
- MAXIMA=randstack:N [32] ... randomize stack address
Since the most typical method of attackers is buffer overflow on stack, expecting a target buffer resides at a certain address, randomizing stack address will be effective to decrease the probability of successful attack. And a failure of attack will cause a fatal error to be caught by DeleGate.
A suspicious client host will be shut out until a relevant file (under ADMDIR/shutout/) is removed, or the file is expired by TIMEOUT=shutout (30 minutes by default). For safety, TIMEOUT="shutout:0" (never timeout) is desirable not to give a second chance to the attacker. But as fatal errors are highly provably caused by usual bugs in DeleGate itself, it may be troublesome to be the default value...
Anyway you should be aware of following options if you are aware of preventing this kind of attacks, as well as access control configurations.
At the start up time, the original environment variables and command line arguments on stack area are moved to heap area and cleared not to be utilized for intrusion code by attackers. At the same time, a dummy environment variable named RANDENV with a value of random length (with maximum MAXIMA=randenv) is inserted to randomize addresses of environment variables to be inherited to child processes like filter programs and CGI programs.