I think you're right.......up to now my mindset has been to use firewall 
rules to block all ports unless explicitly required.  Usually use rules 
that specifically state this specific host in the DMZ can speak to this 
specific internal host over this specific port, period. And of course 
turning off icmp response, etc.  The only experience I have with browsers is 
as a user! ;>
Guess I need to expand my scope a bit huh?
cleve


At 12:33 PM 10/25/2003 -0500, you wrote:
>Challison <[EMAIL PROTECTED]> writes:
>
> > Yep.....behind a firewall and it told me much as well.  I.E. must
> > advertise system info or something.
>
>all browsers do. All of this is part of standard HTTP.
>
> > On an interesting note......went to the site with my RH severn beta
> > machine and the site collected most of the same info for that box.
> > My take on this is that you need to tighten your security regardless
> > of the OS you are running.
> > Did I hear someone say  Bastille? Tripwire? etc?
>
>Those things are not going to help.  Your browser transmits this
>information upon request.  You could browse through a proxy or
>anonymizer.  A firewall doesn't help because, after all, you initiated
>the connection.
>
>Your concern with this is the browser itself.  Some possible attack
>vectors: 1) ActiveX 2) Java 3) Javascript (mostly denial of service
>due to popups). Buffer overflows introduced by the above three.
>Cookies etc.
>
>Bastille and Tripwire are both good hardening tools (although
>I think aide from http://aide.sf.net is probably an easier
>to use replacement for TW).  Bastille may help a little bit, but
>probably no more than turning off java and the like.  Building
>web browsers and other items with buffer overflow protection is
>another possibility (ProPolice).  TW and AIDE will let you know
>if you've been potentially exploited.
>
>It's actually a really GOOD idea to go to sites like this one
>and particularly to run the port scans available. They will give
>you a good idea of what your firewall looks like to intruders.
>You should be unsurprised by what you see. If you are, you have more
>work to do and more to learn :)
>
>--
>Scott Harney <[EMAIL PROTECTED]>
>"...and one script to rule them all."
>gpg key fingerprint=7125 0BD3 8EC4 08D7 321D CEE9 F024 7DA6 0BC7 94E5
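
The point made in the quoted reply, that the browser volunteers this information as part of standard HTTP on a connection you initiated, shown as an added example that is not part of the original thread. The request text is constructed (not captured traffic) and the helper names are hypothetical; run it against a request saved from your own browser to see what a site receives.

```python
import re

# Constructed sample of a request a browser on a Linux desktop might send.
SAMPLE_REQUEST = (
    "GET /probe HTTP/1.1\r\n"
    "Host: scanner.example\r\n"
    "User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.4) Gecko/20030922\r\n"
    "Accept-Language: en-us,en;q=0.5\r\n"
    "Referer: http://intranet.example/wiki/page\r\n"
    "Cookie: session=abc123\r\n"
    "\r\n"
)

# Request header -> what the remote site learns from it.
DISCLOSES = {
    "user-agent": "browser, OS and CPU architecture",
    "accept-language": "preferred locale",
    "referer": "URL of the page you came from",
    "cookie": "identifiers stored by earlier visits",
}

def parse_headers(raw):
    """Return the request headers as a dict with lower-cased names."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the request line
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers

def platform_from_user_agent(ua):
    """Split the first parenthesised User-Agent comment into its tokens."""
    m = re.search(r"\(([^)]*)\)", ua)
    return [tok.strip() for tok in m.group(1).split(";")] if m else []

def audit(raw):
    """List disclosing headers and the platform tokens in User-Agent."""
    headers = parse_headers(raw)
    findings = {n: (DISCLOSES[n], v) for n, v in headers.items() if n in DISCLOSES}
    return findings, platform_from_user_agent(headers.get("user-agent", ""))

if __name__ == "__main__":
    findings, platform = audit(SAMPLE_REQUEST)
    for name, (meaning, value) in findings.items():
        print(f"{name}: {value!r} -> reveals {meaning}")
    print("platform tokens:", platform)
```

None of these headers pass through a port the firewall rules described above would block; they travel inside the outbound request itself.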
