Re: lighting---hacked!

From: Tim Haynes (usenet@stirfried.vegetable.org.uk)
Date: 05/14/02

alan.frame@acm.org (Alan W. Frame) writes:

> Iptables is for *every* box that's connected to *anything* else.

Well said.

> > and, as I have mentioned before, you should not run a web server on
> > your firewall.
>
> True, but you should also have a firewall on your webserver - iptables
> *only* allowing new port 80 connections in, related traffic out on the
> public interface; and *only* ssh in (from specified IP addresses) on the
> private interface (if you must do remote admin rather than on the
> console)

Yes yes yes yes YES.

> > In other words, don't rely on IPCHAINS to stop a web server from being
> > hacked.
>
> You rely on ipchains/iptables to stop inappropriate packets from
> reaching network sockets.
>
> You rely on an IDS to monitor and alert you to this.
>
> You rely on tcpwrappers to stop inappropriate packets reaching
> user-space applications.
>
> You rely on your logging to monitor and alert you to this.
>
> You rely on chroot to stop inappropriate applications reaching the
> filesystem.
>
> You rely on your logging to monitor and alert you to this.
>
> You rely on LIDS to stop inappropriate actions on your filesystem.
>
> You rely on your integrity checker to monitor and alert you to this.
>
> Tim/Ian/Luke/Eirik/anyone else: Am I paranoid enough? - Is this
> FAQ'able?

FAQ! FAQ! Such a well thought-out progression is self-explanatory. Want FAQ
entry *now* please! :8)

~Tim

-- 
Too fast to live,                           |piglet@stirfried.vegetable.org.uk
too young to die                            |http://spodzone.org.uk/
bye bye.                                    |
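The web-server ruleset Alan describes in the quoted text, written out as an added example (it is not code from either poster): on the public interface only NEW connections to port 80 are accepted, everything else in is limited to ESTABLISHED/RELATED traffic, and on the private interface ssh is accepted only from listed admin addresses. Interface names (eth0/eth1), the admin addresses (constructed from the 192.0.2.0/24 documentation range) and the DRY_RUN switch are assumptions for illustration; the `-m state` match is the one in use at the time of the post.

```shell
#!/bin/sh
# Added example, not from the original thread: iptables policy for a box that
# runs *only* a web server, per the quoted layering advice.
# Assumed placeholders: PUB_IF, PRIV_IF, ADMIN_HOSTS. Set DRY_RUN=1 to print the
# commands for review instead of applying them.

PUB_IF="${PUB_IF:-eth0}"                            # assumed public interface
PRIV_IF="${PRIV_IF:-eth1}"                          # assumed private/admin interface
ADMIN_HOSTS="${ADMIN_HOSTS:-192.0.2.10 192.0.2.11}" # constructed admin addresses

webserver_rules() {
    ipt="${IPT:-iptables}"
    if [ -n "$DRY_RUN" ]; then
        ipt="echo iptables"
    fi

    # Start from a clean slate with deny-by-default policies in every direction.
    $ipt -F INPUT
    $ipt -F OUTPUT
    $ipt -F FORWARD
    $ipt -P INPUT DROP
    $ipt -P OUTPUT DROP
    $ipt -P FORWARD DROP

    # Loopback is always allowed (local services talk to themselves over lo).
    $ipt -A INPUT -i lo -j ACCEPT
    $ipt -A OUTPUT -o lo -j ACCEPT

    # Stateful match: packets belonging to a connection the box already accepted,
    # plus RELATED traffic such as ICMP errors, are let through in both directions.
    $ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $ipt -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Public interface: the only NEW connections accepted are HTTP.
    $ipt -A INPUT -i "$PUB_IF" -p tcp --dport 80 -m state --state NEW -j ACCEPT

    # Private interface: NEW ssh connections only from the listed admin hosts.
    for h in $ADMIN_HOSTS; do
        $ipt -A INPUT -i "$PRIV_IF" -p tcp -s "$h" --dport 22 -m state --state NEW -j ACCEPT
    done

    # Anything else falls through to the DROP policy; log a rate-limited sample
    # first so the logging/IDS layer the post mentions actually sees the attempts.
    $ipt -A INPUT -m limit --limit 5/min -j LOG --log-prefix "INPUT-DROP: "
    $ipt -A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "OUTPUT-DROP: "
}

webserver_rules
```

Because OUTPUT is also deny-by-default, the server can only answer connections it accepted; anything it must initiate itself (DNS lookups, package updates, syslog to a remote host) needs an explicit OUTPUT rule, which is the point of the "*only*" in the quoted advice. Run with `DRY_RUN=1 sh script.sh` to review the generated commands before applying them on the console.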
