Re: lighting---hacked!

From: Erik (erik@geenspam.vanwesten.net)
Date: 05/14/02


From: Erik <erik@geenspam.vanwesten.net>
Date: 14 May 2002 21:31:10 GMT

Alan W. Frame <alan.frame@acm.org> wrote:
> Simon Matthews <nobody@devnull.none> wrote:

> []
>> Your focus on IPCHAINS is mis-directed. The box is intended as a web and
>> mail server, correct? IPCHAINS and IPTABLES are really intended for
>> building firewalls

> Bzzzzt! Wrong!

> Iptables is for *every* box that's connected to *anything* else.

>> and, as I have mentioned before, you should not run a
>> web server on your firewall.

> True, but you should also have a firewall on your webserver - iptables
> *only* allowing new port 80 connections in, related traffic out on the
> public interface; and *only* ssh in (from specified IP addresses) on the
> private interface (if you must do remote admin rather than on the
> console)

>> In other words, don't rely on IPCHAINS to
>> stop a web server from being hacked.

> You rely on ipchains/iptables to stop inappropriate packets from
> reaching network sockets.

> You rely on an IDS to monitor and alert you to this.

> You rely on tcpwrappers to stop inappropriate packets reaching
> user-space applications.

> You rely on your logging to monitor and alert you to this.

> You rely on chroot to stop inappropriate applications reaching the
> filesystem.

> You rely on your logging to monitor and alert you to this.

> You rely on LIDS to stop inappropriate actions on your filesystem.

> You rely on your integrity checker to monitor and alert you to this.

> Tim/Ian/Luke/Eirik/anyone else: Am I paranoid enough? - Is this
> FAQ'able?

Add to the FAQ: explain about net-based firewalls and host-based
firewalls, and why it's good to use both.

Add immutable iptables files, immutable static webpages etc. Something
closer to securelevel 2 in OpenBSD would be nice.

Add secure (remote) loghost.

Add protective router in front of firewall.

Add hogwash to alter/reject false packets entering your network.

You could have been a lot more paranoid as you can see and I'm sure I
forgot a lot more. ;-)

EJ

-- 
For OpenBSD pf and nat rule examples: http://www.vanwesten.net

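The host firewall policy Alan quotes above (only new port 80 connections in and related traffic out on the public interface, ssh in only from named addresses on the private interface) written out as an iptables rule set. This is an added example and not code from the thread or from either poster; the interface names and admin addresses are assumptions passed as arguments. The function prints the commands rather than running them, so the policy can be reviewed and then piped to a root shell.

```shell
#!/bin/sh
# Added example, not from the original thread: emit an iptables rule set for a
# public web server following the policy quoted in the post:
#   - public interface: accept only NEW TCP/80 in; reply/related traffic out
#   - private interface: accept ssh (TCP/22) only from listed admin addresses
#   - everything else is dropped and (rate-limited) logged, so the log
#     monitoring the thread talks about has something to read.
# Interface names and admin IPs are assumptions supplied as arguments.
# Caveat: with OUTPUT defaulting to DROP and only ESTABLISHED,RELATED allowed
# out, the box cannot start its own connections (DNS, outbound mail); add
# explicit OUTPUT rules for those if the server needs them.

webserver_rules() {
    pub="$1"    # public-facing interface, e.g. eth0
    priv="$2"   # private/admin interface, e.g. eth1
    shift 2     # remaining arguments: admin source addresses allowed to ssh in

    echo "iptables -F"
    echo "iptables -P INPUT DROP"
    echo "iptables -P FORWARD DROP"
    echo "iptables -P OUTPUT DROP"

    # loopback traffic is always allowed
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A OUTPUT -o lo -j ACCEPT"

    # packets belonging to connections already accepted, both directions
    echo "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"

    # public side: only new HTTP connections may come in
    echo "iptables -A INPUT -i $pub -p tcp --dport 80 -m state --state NEW -j ACCEPT"

    # private side: ssh only from each named admin host
    for ip in "$@"; do
        echo "iptables -A INPUT -i $priv -s $ip -p tcp --dport 22 -m state --state NEW -j ACCEPT"
    done

    # log what the INPUT policy is about to drop, rate-limited to avoid log floods
    echo "iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix \"fw-drop: \""
}

# Usage: review first, then apply as root.
#   webserver_rules eth0 eth1 192.0.2.10 192.0.2.11
#   webserver_rules eth0 eth1 192.0.2.10 192.0.2.11 | sudo sh
```

The `-m state` match is the classic form from the era of this thread; on current kernels `-m conntrack --ctstate` is the equivalent. Printing the rules first also makes it easy to save the reviewed set to a file and mark it immutable, as Erik suggests for the iptables files themselves.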

