I wrote a dead simple file canary tool that will install an eBPF program that drops all outgoing packets if a canary is touched. I wrote this in response to the current trend of supply chain attacks that try to harvest credentials.

  • BetterDev@programming.dev · 1 upvote · 2 hours ago

    This is really cool. I appreciate you sharing it. I’m currently building out my homelab to try out various softwares and scenarios, and one of the things I’m worried about is malicious software sneaking in, and compromising my LAN.

    In the case that something does, this essentially provides a tripwire which leaves all the evidence intact while stopping the bleed (unless it has a VM escape, but that’s another story).

    In any case, this is very useful and I’m really glad you made it. Thanks!

    • MonkderVierte@lemmy.zip · 1 upvote · 39 minutes ago

      This should definitely not be run on a server unless you really know what you’re doing. You will lose all connectivity and you will never be able to get it back by normal means!

    • lemmyuser@programming.dev (OP) · 1 upvote · edited · 37 minutes ago

      Yes you can -send-sigstop to SIGSTOP the process and then do whatever you’d like on your -on-touched-exe such as attach via ptrace, dump all memory, etc. My current one will send a notification and dump the memory of the offending process.

      Definitely pay attention to the warning about running this on a server. With a KVM attached in a home lab you should be able to easily recover I guess. I think you could also set yourself up a little UDP service to SIGUSR1 the daemon since incoming packets are not dropped, but I haven’t tested that.
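The post above describes the handler side of the tool: with -send-sigstop the daemon freezes the offending process, then runs the -on-touched-exe, which in the OP's setup notifies and dumps the process's memory. The script below is an added example of such a handler, written for this thread; it is not the canary tool's own code. It assumes the daemon has already sent SIGSTOP, that it passes the offending PID as the first argument (an assumption; the post does not say how the PID is handed over), that it runs as root or with CAP_SYS_PTRACE on Linux, and the output directory under /var/tmp is a made-up choice. It leaves the process stopped so the operator decides whether to resume or kill it.

```python
from __future__ import annotations

import json
import os
import sys
import time
from dataclasses import dataclass


@dataclass
class Region:
    start: int
    end: int
    perms: str
    path: str


def parse_maps(text: str) -> list[Region]:
    """Parse the text of /proc/<pid>/maps into Region records."""
    regions = []
    for line in text.splitlines():
        parts = line.split(maxsplit=5)
        if len(parts) < 5:
            continue
        start_s, end_s = parts[0].split("-")
        path = parts[5].strip() if len(parts) == 6 else ""
        regions.append(Region(int(start_s, 16), int(end_s, 16), parts[1], path))
    return regions


def dumpable(region: Region) -> bool:
    """Only readable mappings are worth reading. [vvar] returns EIO through
    /proc/<pid>/mem and [vsyscall] sits above the signed off_t range, so
    seek() itself would fail; both are skipped explicitly."""
    if region.perms[0] != "r":
        return False
    return region.path not in ("[vvar]", "[vsyscall]")


def dump_process(pid: int, outdir: str, max_bytes: int = 512 * 1024 * 1024) -> dict:
    """Dump every readable mapping of a (stopped) process into outdir and
    write a manifest.json describing what was captured and what was skipped."""
    os.makedirs(outdir, exist_ok=True)
    manifest = {"pid": pid, "time": time.time(), "regions": [], "skipped": []}
    try:
        manifest["exe"] = os.readlink(f"/proc/{pid}/exe")
        with open(f"/proc/{pid}/cmdline", "rb") as f:
            manifest["cmdline"] = [a.decode(errors="replace") for a in f.read().split(b"\0") if a]
    except OSError as e:
        manifest["exe_error"] = str(e)
    with open(f"/proc/{pid}/maps") as f:
        regions = parse_maps(f.read())
    written = 0
    with open(f"/proc/{pid}/mem", "rb", buffering=0) as mem:
        for r in regions:
            size = r.end - r.start
            entry = {"start": f"{r.start:#x}", "end": f"{r.end:#x}", "perms": r.perms, "path": r.path}
            if not dumpable(r):
                manifest["skipped"].append({**entry, "reason": "not readable"})
                continue
            if written + size > max_bytes:
                manifest["skipped"].append({**entry, "reason": "size budget exceeded"})
                continue
            try:
                mem.seek(r.start)
                chunks, remaining = [], size
                while remaining:  # unbuffered reads may come back short
                    chunk = mem.read(remaining)
                    if not chunk:
                        break
                    chunks.append(chunk)
                    remaining -= len(chunk)
                data = b"".join(chunks)
            except OSError as e:
                manifest["skipped"].append({**entry, "reason": str(e)})
                continue
            name = f"{r.start:016x}-{r.end:016x}.bin"
            with open(os.path.join(outdir, name), "wb") as out:
                out.write(data)
            written += len(data)
            manifest["regions"].append({**entry, "file": name, "bytes": len(data)})
    with open(os.path.join(outdir, "manifest.json"), "w") as f:
        json.dump(manifest, f, indent=2)
    return manifest


# Constructed sample of /proc/<pid>/maps output, used only to exercise the parser.
SAMPLE_MAPS = """\
55d4c3a00000-55d4c3a01000 r--p 00000000 fd:01 1234 /usr/bin/cat
7ffd1c2e0000-7ffd1c301000 rw-p 00000000 00:00 0   [stack]
7ffd1c3a0000-7ffd1c3a4000 r--p 00000000 00:00 0   [vvar]
ffffffffff600000-ffffffffff601000 --xp 00000000 00:00 0   [vsyscall]
"""

if __name__ == "__main__":
    if len(sys.argv) != 2:
        print(f"usage: {sys.argv[0]} <pid>  (called by the canary daemon as -on-touched-exe)", file=sys.stderr)
        sys.exit(2)
    target = int(sys.argv[1])
    dest = f"/var/tmp/canary-dump-{target}-{int(time.time())}"  # hypothetical location
    result = dump_process(target, dest)
    print(f"dumped {len(result['regions'])} regions of pid {target} to {dest}", file=sys.stderr)
```

Because outgoing packets are already being dropped when this runs, the notification the OP mentions has to go somewhere local (a file, the journal, or a console you can reach over the KVM the post talks about); anything that needs the network will silently fail.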

    • lemmyuser@programming.dev (OP) · 5 upvotes · 5 hours ago

      There is a very high chance there are files you will never use that a credential harvester would be interested in. For example some look for certain wallets that I definitely don’t have, so I create a canary file for that. You can also add $HOME/.ssh/id_rsa and $HOME/.ssh/id_ed25519 and then use nonstandard key names for your typical key usage etc.

      I’ve been running this for a week now with no lost connections yet :)

      • CameronDev@programming.dev · 3 upvotes · 5 hours ago

        Okay, so not for protecting actual creds then. Makes sense, although would be nice to have a way to protect actual creds. No idea how that would be achievable though.

        • lemmyuser@programming.dev (OP) · 5 upvotes · 5 hours ago

          Right it’s just for things you don’t use but a credential harvester would find interesting.

          I’ve been working a lot on containing the blast radius with some careful LXC usage, but this was a quick way to get some real value without a ton of thought.