Secret Hiding Places for your server

From CatchChallenger wiki
Jump to: navigation, search

Physical access to server allow other form for hacking: USB/hardware hack by driver, desoldering RAM to extract the private key, network rerouting...

In all case you need:

  • Power access, to power the electronic device
  • Internet access
  • Way to fast clean and reset the private key: easy access with a big button to local or remote access.

It's better to use rpi or similar to have less space and power problem.

Without update

Between two brink place, simple electric (just stole the electricity from this power wire by soldering a power connector) and RJ45 connected, before usage of Cement, paint to integrate the hidden place into a wall

It's better with vm (to always have remote host access to fix the guest in case of update failure) and never update the host because you will need break you hidden place in case of problem. Then Grsec + PaX is a good option (See Security).

Into your house

Integrate into the wall a small place with power plug, network RJ45 access. You will need a switch, then you can integrate it with the switch, maybe a bad idea because after you can upgrade the switch.

You can too use network over powerline, but the hardware is more hard too find, don't suggest the user to use it.

  • The home will be always powered.
  • The network wire is so easy and clean to use that's all user will use it, connect the router and then provide internet to you device (include if is you)
  • Try don't need wireless connexion as wifi, then can't be tracked by the wireless communication. As possible don't use wifi, use RJ45 shielded ethernet (Cat6 STP). Shield the device too (https://en.wikipedia.org/wiki/Electromagnetic_shielding https://en.wikipedia.org/wiki/Faraday_cage) if you don't user wireless communication.

With update

You can update the kernel, then virtualisation like LXC is more optional, if you break you device by a bad update you have physical access to fix it.

Solar and 3G

Solar rpi server, backed by traditional phone power supply

You can place it where do you want, into indoor (if the solar panel is out, well should work in common indoor room for the light). Take care to humidity and water.

For the communication, you can be located by your power emission. Install your device top a of building is a very good idea to have good communication quality. Use dual link: 3G and wifi and vpn/i2p, like this you will always have access, when a wifi is down you can connect to another wifi into your zone, ...

Adafruit provide rpi, 3G module, ...

Device

Opened router where you can put OpenWRT or another OS with your vm
Opened TV where you can put OpenElec and your vm with large amount of memory, cpu for your virtual machine

You can root a device to integrate your service into it (by pass the hypervisor?). Can be router, TV, smartphone, ...

All this device is very prone to have always internet. Don't be renewed everyday. But it's not a dedicated device. Then you need take care to cpu/memory/disk space usage.

You can integrate too it into the user space, like https://en.wikipedia.org/wiki/DLL_injection it's more visible but the most user don't care to it if the ressources usage is discret.

You can use GPU (google: driver linux binary radeon), to run program into the GPU. Mostly of OS/user/tools don't monitor the GPU. Or Hardware hypervisor, o light container like LXC (include with constructor ARM kernel, LXC should be compatible).

Firmware is a bad place because lack of network stack access (the main question is how redirect a network steam to the controlled device), and due to limited ressources. You can control device like hdd/ssd (the modern have real CPU, MB of memory), raid controller (Some are dual core cpu), some network controller (interresting for network access), and maybe more.

Reset

Local

Fitlet-x.png

On x86, ACPI allow an action when you press some button (sleep or power button). The power button of fitlet X is discret and effective, o sleep button of you case if is easy to access.

On ARM you can do it via GPIO.

A use full command: /sbin/cryptsetup luksClose encVol

Remote

See the local part to known how have a trigger. After you need chose your method to send the event to the remote server, ssh with authorised key is a good option because it don't keep the connexion open.