[NTLUG:Discuss] Stealth drop box

Leroy Tennison leroy_tennison at prodigy.net
Thu Aug 2 00:22:09 CDT 2007


Michael Barnes wrote:
> I need to set up a drop box type operation.  I have a 
> server/firewall/router (CentOS5) that sits between two networks.  On the 
> admin network, the server is essentially invisible, no open ports, no 
> ping response, etc.  Nothing comes in, it only goes out.  However, I 
> need to have users input files to that machine.
> 
> I think what I want to do is have a public folder on a Linux server in 
> the admin net that users can drop files into, either through a file 
> manager (konqueror, Windows Exploder, etc.) or possibly dropping onto a 
> web page.  The stealth server would need to very frequently poll that 
> folder or otherwise find out there are files there, transfer them to 
> itself, then delete them from the public folder.  Security for the 
> internal stealth network is extremely tight.  I really don't want 
> something like a mounted folder.  Moving the files would likely be via 
> rsync or scp or similar.  But nothing can be pushed, it all has to be 
> pulled in.
> 
> One thing I don't know about for sure.  Is there a way to listen for some 
> type of broadcast packet, yet not be visible?  So if a file were dropped 
> into the public folder, that server could send out some type of UDP 
> packet or something that the stealth server could listen for, but no one 
> doing a port scan or anything would see the open port?
> 
> I am not looking for extensive programming or anything, and it doesn't 
> have to be like National Security Agency stuff.  But I do need it to be 
> protected.
> 
> Thanks for any ideas, suggestions, comments, alternate methods, etc.
> 
> Michael
> 
> 
I saw Greg's reply and, if the compliance/audit machine (I'm taking a 
wild guess here and also being somewhat cynical) can't be seen at all 
then Greg's approach handles it from the file sharing perspective.

However, the question which came to mind is "Define drop box".  Let's 
say that files get deposited on the known machine, is it OK for them to 
be seen there until they are picked up and deleted?  If not then file 
permissions can accomplish this.

Final question, how pervasively must this machine be hidden from the 
admin network?  It's presumably going to have an IP address on it. 
Sure, you can't ping it but if another device is added with that address 
(since no one knows it's there) then the trouble which is created may 
reveal its existence.

The well-known drop off point is going to have an ARP entry for the 
secret machine's NIC.  Netstat will show the secret machine's connection 
to the well-known machine.  If a program exists which can do an "arp 
scan" of the network then the secret machine's MAC address may well show up.

You also said that nothing comes into the secret machine, it only goes 
out (implied on to the admin network).  If the secret machine is sending 
packets onto the admin network then there will be evidence of its 
existence even if it's to nothing more than packet analyzers.  Depending 
on what it's sending where, there may be log file entries.

Although there are solutions to at least some of these issues the point 
I'm making is that truly hiding the existence of a machine is a 
multi-faceted problem.  If "network existence" is a concern then shared 
storage (NAS, SAN or similar) with multiple disk system connections such 
as SCSI (rather than network connections) may make more sense.
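
The ARP point in the reply above, shown as an added example that is not part of the original post: a check run on the drop-off server that compares its ARP cache against a host inventory, so a host that only ever connects outward still appears as an unlisted neighbour. The `/proc/net/arp` text, the addresses and the `KNOWN_HOSTS` inventory are constructed sample data and assumptions.

```python
# Added example. SAMPLE_PROC_NET_ARP and KNOWN_HOSTS are constructed sample data.
SAMPLE_PROC_NET_ARP = """\
IP address       HW type     Flags       HW address            Mask     Device
10.0.0.1         0x1         0x2         00:16:3e:00:00:01     *        eth0
10.0.0.20        0x1         0x2         00:16:3e:00:00:14     *        eth0
10.0.0.77        0x1         0x2         00:16:3e:00:00:4d     *        eth0
10.0.0.90        0x1         0x0         00:00:00:00:00:00     *        eth0
"""

# Hypothetical inventory of hosts the admins know about: IP -> MAC.
KNOWN_HOSTS = {"10.0.0.1": "00:16:3e:00:00:01", "10.0.0.20": "00:16:3e:00:00:14"}

ATF_COM = 0x02  # Linux ARP flag: entry is complete (a MAC was resolved)


def parse_arp(text):
    """Return (ip, mac, device) for every complete entry in /proc/net/arp text."""
    entries = []
    for line in text.splitlines()[1:]:      # first line is the column header
        fields = line.split()
        if len(fields) != 6:
            continue                        # skip blank or malformed lines
        ip, _hw_type, flags, mac, _mask, dev = fields
        if int(flags, 16) & ATF_COM:        # ignore incomplete (unanswered) entries
            entries.append((ip, mac.lower(), dev))
    return entries


def unknown_neighbours(text, known):
    """List ARP neighbours that are missing from, or disagree with, the inventory."""
    findings = []
    for ip, mac, dev in parse_arp(text):
        expected = known.get(ip)
        if expected is None:
            findings.append((ip, mac, dev, "not in inventory"))
        elif expected.lower() != mac:
            # Same IP answered by a different NIC, e.g. a duplicate address
            findings.append((ip, mac, dev, "MAC differs from inventory"))
    return findings


if __name__ == "__main__":
    for finding in unknown_neighbours(SAMPLE_PROC_NET_ARP, KNOWN_HOSTS):
        print(*finding)
```
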


