Hmmm ok. First off let me mention the machine with snort+Guardian is at a
different ISP so you would have to know where I'm connecting from to get
my mail. I'd be fascinated if that sort of thing is possible without
cracking the box the shell account is from. I'll just assume that the
shell machine keeps some sort of record of where I come from.

And actually, over an evening's sleep I've decided to not bother with snort
since I expect the firewalling software+ruleset is pretty darn good. There
is a portsentry daemon taking requests on ftp,telnet,portmap, and
netbios-*. It just watches for connect()s and creates routing rules to
dump those folks off into lo1.

I guess I just figure that snort+something will just take up cpu time that
is better spent webserving. (mind you, I expose
ssh,sftp,http,https,smtp&submission). I guess I figure that there are
probably plenty of other hosts which are plenty more appealing. My one
real vulnerability would probably be from a cgi program but I'm pretty darn
sure there's no simple way to crack that (it's a voter
registration+political campaign info db) since I wrote it myself and made
sure to protect it.

Am I just being overly naive or is this reasonable? I'm very new to
internet security so what I know is gleaned from going through the
recommended reading lists.

Josh


On Thu, 7 Jun 2001, Austad, Jay wrote:

> >For a teeny site I don't think I would have to worry about
> >getting reverse DDoSed, or do I?
>
> You do now that the whole list knows you run Guardian.  :)  Just kidding.
> Actually, if you do use guardian, set it up so it will only block shady
> things done through TCP.  That way, you can be fairly sure that the attacker
> IP is not spoofed.  TCP connect() scans are a good one to block on, and most
> format string vulnerabilities (just make sure it's not one that has a good
> chance of being a false positive).
>
> I don't use anything like Guardian, I just make sure that all of my stuff is
> patched for the vulnerabilities that snort looks for.  As far as I'm
> concerned, I just get to collect more data for evidence by not blocking
> anything.  :)  And trust me, evidence comes in very handy, especially to Mr.
> FBI.
>
>
> _______________________________________________
> tclug-list mailing list
> tclug-list at mn-linux.org
> https://mailman.mn-linux.org/mailman/listinfo/tclug-list
>
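Jay's advice in the quoted reply (auto-block only on TCP-triggered alerts and skip rules that are prone to false positives) and the portsentry-style connect()-then-blackhole setup Josh describes, written out as a small triage policy. This is an added example, not code from anyone in this thread; it assumes snort "fast"-format alert lines, and the SIDs, addresses, and the noisy/protected sets are constructed placeholders.

```python
import re
from dataclasses import dataclass

# Constructed snort "fast"-style alert lines; SIDs and addresses are placeholders.
SAMPLE_ALERTS = """\
06/07-10:15:22.1  [**] [1:9000001:1] EXAMPLE TCP connect scan [**] [Priority: 2] {TCP} 192.0.2.10:4321 -> 198.51.100.5:23
06/07-10:15:23.1  [**] [1:9000002:1] EXAMPLE format string attempt [**] [Priority: 1] {TCP} 192.0.2.11:5555 -> 198.51.100.5:80
06/07-10:15:24.1  [**] [1:9000003:1] EXAMPLE UDP portmap probe [**] [Priority: 3] {UDP} 203.0.113.7:1024 -> 198.51.100.5:111
06/07-10:15:25.1  [**] [1:9000004:1] EXAMPLE ICMP flood [**] [Priority: 2] {ICMP} 203.0.113.8 -> 198.51.100.5
06/07-10:15:26.1  [**] [1:9000005:1] EXAMPLE noisy web signature [**] [Priority: 2] {TCP} 192.0.2.12:6000 -> 198.51.100.5:80
"""

ALERT_RE = re.compile(
    r"\[\d+:(?P<sid>\d+):\d+\]\s+(?P<msg>.*?)\s+\[\*\*\].*?"
    r"\{(?P<proto>[A-Z]+)\}\s+(?P<src>[\d.]+)(?::\d+)?\s+->"
)

NOISY_SIDS = {"9000005"}        # assumed false-positive-prone rules: log, never auto-block
NEVER_BLOCK = {"198.51.100.1"}  # assumed gateway/DNS: blocking these would self-DoS

@dataclass
class Decision:
    src: str
    sid: str
    proto: str
    block: bool
    reason: str

def decide(line):
    """Return a Decision for one alert line, or None if it does not parse."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    src, sid, proto = m["src"], m["sid"], m["proto"]
    if src in NEVER_BLOCK:
        return Decision(src, sid, proto, False, "protected host, log only")
    if proto != "TCP":
        # UDP/ICMP sources are trivially spoofable: auto-blocking them lets a
        # third party make this box cut itself off from whoever they impersonate.
        return Decision(src, sid, proto, False, "non-TCP source may be spoofed, log only")
    if sid in NOISY_SIDS:
        return Decision(src, sid, proto, False, "false-positive-prone rule, log only")
    return Decision(src, sid, proto, True, "TCP alert, source not spoofed, block")

def triage(text):
    """Parse every alert line and return the block/log decisions in order."""
    return [d for d in (decide(l) for l in text.splitlines()) if d]

def blackhole_route(src):
    # Illustrative net-tools rule in the portsentry spirit; the real KILL_ROUTE depends on the OS.
    return f"route add -host {src} reject"
```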