I wrote a dead simple file canary tool that will install an eBPF program that drops all outgoing packets if a canary is touched. I wrote this in response to the current trend of supply chain attacks that try to harvest credentials.

lemmyuser@programming.dev 14 points 4 days ago* (last edited 4 days ago)

There is a very high chance there are files you will never use that a credential harvester would be interested in. For example, some look for certain wallets that I definitely don't have, so I create a canary file for that. You can also add $HOME/.ssh/id_rsa and $HOME/.ssh/id_ed25519 and then use nonstandard key names for your typical key usage, etc.

I've been running this for a week now with no lost connections yet :)
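
A pre-flight check for the setup described in this comment, added here as an example and not part of the thread or the tool: OpenSSH falls back to its default key names when no IdentityFile applies to a host, so such a connection would open the canaries. The function names, the sample config and the simplified parser (Include is not followed, Match blocks are skipped) are assumptions.

```python
import fnmatch
import os
import re

# Canary paths named in the comment above.
CANARIES = ["~/.ssh/id_rsa", "~/.ssh/id_ed25519"]
# Names OpenSSH tries when no IdentityFile applies (ssh_config(5)).
DEFAULTS = ["~/.ssh/id_rsa", "~/.ssh/id_ecdsa", "~/.ssh/id_ecdsa_sk",
            "~/.ssh/id_ed25519", "~/.ssh/id_ed25519_sk"]

# Constructed sample config, not taken from the thread.
SAMPLE = """\
Host github.com
    IdentityFile ~/.ssh/gh_work_ed25519
Host legacy-*
    IdentityFile=~/.ssh/id_rsa
Host *.internal !bastion.internal
    User ops
"""

def parse_blocks(text):
    """Return [(host_patterns, identity_files)]; Include is not followed."""
    blocks = [(["*"], [])]  # options before the first Host apply to every host
    for raw in text.splitlines():
        m = re.match(r"\s*([^\s=#]+)(?:\s*=\s*|\s+)(.*)", raw)
        if not m:
            continue  # blank line or comment
        key, value = m.group(1).lower(), m.group(2).strip().strip('"')
        if key == "host":
            blocks.append((value.split(), []))
        elif key == "match":
            blocks.append(([], []))  # assumption: Match blocks are skipped
        elif key == "identityfile":
            blocks[-1][1].append(value)
    return blocks

def host_matches(patterns, host):
    """ssh-style Host matching: any '!pattern' hit vetoes the block."""
    if any(fnmatch.fnmatchcase(host, p[1:]) for p in patterns if p[0] == "!"):
        return False
    return any(fnmatch.fnmatchcase(host, p) for p in patterns if p[0] != "!")

def canary_risk(config_text, host, canaries=CANARIES):
    """Canary paths an ssh client would open when connecting to `host`."""
    expand = lambda paths: {os.path.expanduser(p) for p in paths}
    used = [f for pats, ids in parse_blocks(config_text)
            if host_matches(pats, host) for f in ids]
    return sorted(expand(canaries) & expand(used or DEFAULTS))
```

An empty result for every host you connect to means the client itself will not open the canaries; a top-level `IdentityFile` line pointing at a nonstandard key name covers hosts that have no block of their own.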

CameronDev@programming.dev 4 points 4 days ago

Okay, so not for protecting actual creds then. Makes sense, although would be nice to have a way to protect actual creds. No idea how that would be achievable though.

lemmyuser@programming.dev 11 points 4 days ago* (last edited 4 days ago)

Right, it's just for things you don't use but a credential harvester would find interesting.

I've been working a lot on containing the blast radius with some careful LXC usage, but this was a quick way to get some real value without a ton of thought.

this post was submitted on 25 Jun 2026
56 points (98.3% liked)

Linux
