On Tuesday 19 September 2006 07:30, Michael Christie wrote:

> I'm in the throes of applying for level 2 Broadband for Health payment.
> I'm supposed to check my firewall regularly.

The mere questions they ask reveal that the B4H guys have no clue. A few things I do:

0.) "root" and other "well known" users are excluded from remote connections (e.g. via ssh) - attempts to connect under such a user ID lead to the IP number being banned from retrying - see below

1.) "fail2ban" - a small script that checks logs in fixed intervals (2 minutes here) for failed login attempts - any IP address that tried to log into any of the services (open ports) more than 3 times unsuccessfully gets banned for 10 minutes via automatic modification of the firewall rules. Those who retry after ten minutes, I notify their ISP; still have to automate that part. It is usually people who are "owned", that is their computers are used as slaves for such attacks, and they are usually grateful for the hint.

2.) "chkrootkit" - another script that checks the system in fixed intervals for known rootkits and the network interfaces for unexpected activity / promiscuity. It sends me a report by email every 6 hours.

3.) "logcheck" - another script that examines the system log and all application logs for abnormalities, and emails me the summary (if any) every hour.

4.) netstat -lt & netstat -t output redirected into a file periodically, and a script mails me any active ports (both connection established or just listening) that are not in an "allowed" list.

5.) temp directory is mounted as "non-executable" now = if anybody manages to exploit a web server hole and gains access to /tmp, he can do bugger all (other than filling /tmp with trash, but he cannot upload any executables and execute them).

All these scripts and features are either part of Debian Linux or can be installed via a simple "apt-get install fail2ban chkrootkit logcheck" if you are connected to the internet, and they get updated automatically via security.debian.org. So all I have to do is read my email if I want to know if anything got past the firewall.

All such email goes to a dedicated email account which always gets attended either by myself or my son (we both get copies via forwarders) - so we would know within an hour or less if there was any intrusion or persistent intrusion attempt (I am only interested in persistent attempts; general attempts happen literally every second of the day).

Despite all this we had a recent intrusion via a security hole in TikiWiki on one server that was not quite up to scratch yet.

Horst

_______________________________________________
Gpcg_talk mailing list
[email protected]
http://ozdocit.org/cgi-bin/mailman/listinfo/gpcg_talk
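The ban rule Horst describes in items 0 and 1 (protected accounts banned on the first attempt; any other IP banned for 10 minutes after more than 3 failures in a short window; repeat visitors after the ban lapses flagged for an ISP notice) can be worked through on a few auth.log lines. The code below is an added illustration, not Horst's script and not fail2ban's own implementation; the log lines, addresses (RFC 5737 documentation ranges), the protected-user list and the 2-minute counting window are constructed assumptions. It only returns the firewall command it would emit rather than running it.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in Debian's auth.log format (the syslog stamp carries no year);
# the addresses come from the RFC 5737 documentation ranges, not real hosts.
SAMPLE_AUTH_LOG = """\
Sep 19 07:30:01 gw sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 40122 ssh2
Sep 19 07:30:03 gw sshd[1202]: Failed password for invalid user oracle from 203.0.113.5 port 40130 ssh2
Sep 19 07:30:05 gw sshd[1203]: Failed password for invalid user test from 203.0.113.5 port 40141 ssh2
Sep 19 07:30:07 gw sshd[1204]: Failed password for invalid user guest from 203.0.113.5 port 40150 ssh2
Sep 19 07:30:09 gw sshd[1205]: Accepted publickey for horst from 192.0.2.10 port 51000 ssh2
Sep 19 07:31:00 gw sshd[1206]: Failed password for horst from 198.51.100.7 port 33001 ssh2
Sep 19 07:31:30 gw sshd[1207]: Failed password for horst from 198.51.100.7 port 33002 ssh2
Sep 19 07:32:00 gw sshd[1208]: Failed password for root from 203.0.113.77 port 2200 ssh2
Sep 19 07:45:00 gw sshd[1209]: Failed password for invalid user admin from 203.0.113.5 port 40200 ssh2
"""

# Accounts that must never log in remotely (item 0 in the post); an assumed list.
PROTECTED_USERS = {"root", "postgres", "www-data"}

# Matches sshd's "Failed password" line; "invalid user" appears when the account does not exist.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) "
)


def parse_failures(log_text, year=2006):
    """Yield (timestamp, source ip, attempted user) for each failed login line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["ip"], m["user"]


def scan(log_text, max_retries=3, findtime=timedelta(minutes=2),
         bantime=timedelta(minutes=10), protected=PROTECTED_USERS, year=2006):
    """Replay the log and decide which IPs get banned and which came back afterwards.

    Returns (bans, repeat_offenders): bans is a list of
    (ip, ban_start, ban_end, firewall_command); repeat_offenders lists IPs that
    failed again after a ban lapsed (the ones the post says get an ISP notice).
    """
    recent = defaultdict(deque)  # ip -> failure times still inside findtime
    ban_until = {}               # ip -> when its current ban lapses
    bans = []
    repeat_offenders = []
    for ts, ip, user in parse_failures(log_text, year):
        if ip in ban_until:
            if ts < ban_until[ip]:
                continue  # the firewall is dropping this source; do not count it twice
            del ban_until[ip]
            if ip not in repeat_offenders:
                repeat_offenders.append(ip)
        window = recent[ip]
        window.append(ts)
        while ts - window[0] > findtime:  # drop failures older than the window
            window.popleft()
        if user in protected or len(window) > max_retries:
            end = ts + bantime
            ban_until[ip] = end
            window.clear()
            # Command only; a real cron job would run it and schedule the matching -D.
            bans.append((ip, ts, end, f"iptables -I INPUT -s {ip} -j DROP"))
    return bans, repeat_offenders


if __name__ == "__main__":
    bans, repeat = scan(SAMPLE_AUTH_LOG)
    for ip, start, end, cmd in bans:
        print(f"{start:%H:%M:%S} ban {ip} until {end:%H:%M:%S}: {cmd}")
    print("returned after ban lapsed:", repeat)
```

On the sample, 203.0.113.5 is banned at its fourth failure (more than 3 inside two minutes), 203.0.113.77 is banned immediately for trying root, the two failures from 198.51.100.7 stay below the threshold, and 203.0.113.5 is listed as a repeat offender when it reappears at 07:45 after the ten-minute ban has lapsed.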

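Item 4 in the post (periodic netstat output checked against an "allowed" list) is the other check worth seeing in code. The block below is an added example, not Horst's script: it parses the netstat -t / netstat -lt table format, keeps LISTEN and ESTABLISHED rows, and reports any local socket whose port is not on the allow-list. The netstat text, the allow-list and the host address 192.0.2.20 are constructed for the example.

```python
# Constructed sample of `netstat -t -l` style output (not captured from a real host).
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:6667            0.0.0.0:*               LISTEN
tcp        0      0 192.0.2.20:22           198.51.100.7:51000      ESTABLISHED
tcp        0      0 192.0.2.20:80           203.0.113.9:40000       TIME_WAIT
tcp        0      0 192.0.2.20:31337        203.0.113.9:4444        ESTABLISHED
"""

# Allow-list of (local address, local port); "*" matches any local address.
# Assumed for this host: ssh and http on all interfaces, the MTA on loopback only.
ALLOWED = {("*", 22), ("*", 80), ("127.0.0.1", 25)}


def parse_netstat(text):
    """Yield (local_addr, local_port, foreign, state) for each tcp/tcp6 row."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6 or not parts[0].startswith("tcp"):
            continue  # banner and column-header lines
        local, foreign, state = parts[3], parts[4], parts[5]
        addr, _, port = local.rpartition(":")  # rpartition copes with IPv6 "::1:25"
        yield addr, int(port), foreign, state


def unexpected_sockets(text, allowed=ALLOWED, states=("LISTEN", "ESTABLISHED")):
    """Return the listening or established sockets that are not on the allow-list."""
    findings = []
    for addr, port, foreign, state in parse_netstat(text):
        if state not in states:
            continue
        if (addr, port) in allowed or ("*", port) in allowed:
            continue
        findings.append({"addr": addr, "port": port, "foreign": foreign, "state": state})
    return findings


def format_report(findings):
    """Render the findings as the body of the mail the cron job would send."""
    if not findings:
        return "no unexpected sockets"
    lines = [f"{f['state']:<11} {f['addr']}:{f['port']} <- {f['foreign']}" for f in findings]
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(unexpected_sockets(SAMPLE_NETSTAT)))
```

On the sample the report names two sockets: something listening on 6667 that was never approved, and an established connection on local port 31337; the TIME_WAIT row on port 80 is ignored because only live sockets are of interest. Outbound connections from a compromised process show up the same way, because their ephemeral local port is not on the list either.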