On Fri, 21 Apr 2006 08:09:36 -0700, "Mark Lanctot" <[EMAIL PROTECTED]> said:
>
> Yes, if the attacker were to spoof the IP address, they could just walk
> right in to SlimServer. And once they were in, there's an extensive set
> of documentation both for the web interface and the CLI / TCP/IP
> interface explaining just what they can do and how to do it.

The IP spoofing is definitely easier said than done. Spoofing a (packet oriented) UDP connection is quite possible (often used in DNS attacks) but AFAIK spoofing TCP connections (that require two way negotiations just to set up the link) is impossible if the attacker can't position himself somewhere in the local network, and if they've gotten as far as that you've got bigger problems.

Also the slimserver CLI doesn't offer that much in the way of hacking. You can't just execute arbitrary OS commands. It's quite possible though that someone left a door open somewhere (I'd advise against leaving it open without filtering). The usual attacks are done with buffer overflows which are unlikely since the server is written in Perl, which has dynamic string allocation. Perl itself is very well tested (probably even better than sshd).

> It's fortunate that SlimServer isn't widely known outside of the people
> here, but security by obscurity is not much better than no security at
> all. :-) I like the fact that security is built into SS but I doubt
> if it has been subject to intense, repeated attack to see what breaks,
> unlike certain other programs!
>
> I don't require any external access, have set IP address blocking, CSRF
> protection to High and no port forwarding. External port scans indicate
> these ports do not respond, just like all my other ports. If it was me,
> I'd go for SSH. I'm not sure if VPN surpasses SSH protection or if it
> can be used to supplement it.

SSH is not bad for SoftSqueeze, but very cumbersome if used for connecting real SB hardware to servers on another location. Same with VPN. They're both unnecessary unless you're the Bank Of America, but you probably shouldn't be running slimserver in that case anyway.

My preference would be to:
- Use filtering on the router (port forwarding with ip filter)
- Use filtering in the software firewall on the server machine
- Use filtering in the application

But definitely don't leave the server open on a publicly accessible (standard) port. If a bug becomes known and the script kiddies get wind of it, they'll start scanning and the dominoes will start falling. As will the SB's image ;)

Test your setup from a remote machine.

Regards,
Peter
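
The remote test recommended at the end of the message above, as an added example that is not part of the original post: a check, run against your own server from outside, that reports whether each port is open, closed or filtered. The port numbers are assumed SlimServer defaults (the thread names none), and `probe`, `audit` and `exposed` are hypothetical names.

```python
import socket
import sys

# Assumption: SlimServer's default TCP ports; the thread itself names none.
DEFAULT_PORTS = {9000: "web interface", 9090: "CLI", 3483: "SlimProto"}


def probe(host, port, timeout=3.0):
    """Classify one TCP port as seen from the machine running this script.

    open     - handshake completed; router and host firewall both let us in,
               so only the application's own filter is left
    closed   - connection refused; the host or a rejecting firewall answered
    filtered - timeout or unreachable; a router or firewall drops the packets
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.connect((host, port))
        except ConnectionRefusedError:
            return "closed"
        except socket.gaierror:
            raise  # unresolvable host name is a usage error, not a verdict
        except OSError:  # covers timeouts and ICMP unreachable errors
            return "filtered"
        return "open"


def audit(host, ports=DEFAULT_PORTS, timeout=3.0):
    """Probe every port and return {port: state}."""
    return {port: probe(host, port, timeout) for port in ports}


def exposed(results):
    """Ports that accepted a connection from this vantage point."""
    return sorted(p for p, state in results.items() if state == "open")


if __name__ == "__main__":
    target = sys.argv[1]  # public address of your own server
    results = audit(target)
    for port, state in results.items():
        print(f"{port:5d}  {DEFAULT_PORTS[port]:14s}  {state}")
    sys.exit(1 if exposed(results) else 0)  # non-zero exit: something is open
```

Run it once from an address on the allow list and once from one that is not; only the first run should report any port as open.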
