Re: Spykids
From: Thomas J. Boschloo (nospam_at_hccnet.nl)
Date: 07/28/05
- Next message: anonymous_at_remailer.hastio.org: "Re: Barcode Email"
- Previous message: Anonymous via Panta Rhei: "Re: Barcode Email"
- In reply to: The Doctor: "Re: Spykids"
- Next in thread: The Doctor: "Re: Spykids"
- Reply: The Doctor: "Re: Spykids"
Date: Thu, 28 Jul 2005 11:58:49 +0200
-----BEGIN PGP SIGNED MESSAGE-----
The Doctor wrote:
> In article <MPG.1d52008b4f03a9a6989a7a@news-server.columbus.rr.com>,
> Leythos <void@nowhere.lan> wrote:
>
>>In article <dc8ti0$nld$2@gallifrey.nk.ca>, doctor@doctor.nl2k.ab.ca
>>says...
>>
>>>Spykids is a known defacer of Web sites. How does one prevent them
>>>from ever having access to Server or even a LAN?
>>>
>>>Customer complained:
>>>
>>>Spykids should not be able to get into our websites
>>>regardless of whether they are
>>>piggy-backing on a member or not. This has happened 2x so far.
>>
>>You need to learn how they are getting in, what measures you can do to
>>block it and such.
>>
>>First, put the web server behind a dedicated firewall, not a NAT box, a
>>firewall - only allow real HTTP or HTTPS sessions to it.
>>
>>Require users to have strong passwords, look it up if you don't know
>>what that means.
>>
>>Block IP networks that don't need access to your web sites - as an
>>example I block about 50 subnets in countries outside of our own and it
>>cuts down on a lot of attempts.
>>
>
>
> I am using pf via OpenBSD. What do I need to add?

Only install services that Apache needs and keep both your OpenBSD and
Apache fully patched at all times. If you do that, you won't even need a
firewall. But if the firewall is based on another computer, it doesn't
hurt much (iow, even a firewall can have its buffer overflows and other
stuff).

Then there are 0-day exploits. Not much you can do about them, I am afraid.

Also, change your passwords after a fresh install. And make them
unguessable (like not using the pw 'God' for your 'root' account).

Thomas
- --
Life is like a videogame with no chance to win - ATR
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (MingW32)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org
iQB5AwUBQuisWQEP2l8iXKAJAQEEmwMfXcrsBo5rSbU0sY0+oSbRbU/taK2xqlTg
AZoaBEDsAy8/8xvb1Do+jTQbRkg5SGi9daIbAV3aJgGyIt+gyW2kJ+FR3WZ6lt35
i3uHQ3c+Nw2JnA4e6QUQDiiULij7djQ7CBWh3Q==
=dMvm
-----END PGP SIGNATURE-----
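
The firewall advice quoted in this thread (allow only HTTP/HTTPS to the web server, block networks that have no need to reach it) could look like this in pf.conf. This is an added example, not part of any poster's message; the interface name em0 and the table contents (documentation address ranges) are assumptions to be replaced with real values, and the syntax is that of current OpenBSD pf.

```conf
# /etc/pf.conf - added example, not from the original thread

# Assumption: em0 is the Internet-facing interface of the web server
ext_if = "em0"
web_ports = "{ 80 443 }"

# Networks that have no need to reach the sites.
# Constructed sample entries (RFC 5737 documentation ranges).
table <blocked_nets> persist { 192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24 }

# Do not filter loopback traffic
set skip on lo

# Default deny: anything not explicitly passed below is dropped and logged
block log all

# Drop the unwanted networks first; "quick" stops rule evaluation here
block in quick on $ext_if from <blocked_nets>

# Let the server itself reach out (patch downloads, DNS); stateful by default
pass out on $ext_if

# The only inbound traffic allowed: HTTP and HTTPS to this host
pass in on $ext_if proto tcp from any to ($ext_if) port $web_ports

# Check syntax without loading:   pfctl -nf /etc/pf.conf
# Load the ruleset:               pfctl -f /etc/pf.conf
# Add a network at runtime:       pfctl -t blocked_nets -T add 203.0.113.0/24
# Show current table contents:    pfctl -t blocked_nets -T show
```

Because the default is `block log all`, any other service listening on the host stays unreachable from outside until a `pass` rule is added for it.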