Patching for Custom Config File Locations
While discussing the FIA via SSH article, one of my comments got some feedback; the comment was sudos config potentially giving the game away. A number of people suggested the same solution, patch where the source looks for the config file and compile it yourself. The idea is that you put a fake config file in the usual place, patch the source to use a different location and then compile the application. When it runs it leaves the fake config alone, uses the custom location you added and the attacker is none the wiser.
This isn’t difficult to do. For example a number of honeypot articles recommend patching syslog so the attacker doesn’t see a “log to remote host” config setting. Technically this works just fine. But that’s not where you pay the price…
Doing something like this is a small security win but a huge usability loss. Firstly, every time you want to upgrade the binaries you need to patch, compile and occasionally even package them. After you’ve done this step you need to find a way of incorporating their distribution with the rest of your software. Lastly you have the enjoyment of having a sysadmin spend half an hour changing settings, restarting the command/daemon and NOTHING HAPPENS! Why? Because they changed the default config file. Which is a fake… You’ll do this once and then swear off the technique for anything except a one man research box that you don’t want to keep current.