Yes! If you run it as root, the buffer overflow can give people root.
But not if it isn't running as some silly user with no priv.
Filip Hanik wrote:
>
> >ftp shouldn't be a problem if you run it as a daemon
>
> FTP (wu-ftpd) on RedHat 6.2 is one of the big security flaws on RedHat
> Linux.
> just a warning,
>
> Filip
>
> ~
> Namaste - I bow to the divine in you.
> ~
> Filip Hanik
> Technical Architect
> [EMAIL PROTECTED]
>
> ----- Original Message -----
> From: "dferugson" <[EMAIL PROTECTED]>
> To: "jBoss Developer" <[EMAIL PROTECTED]>
> Sent: Monday, January 22, 2001 3:06 PM
> Subject: Re: [jBoss-Dev] securing your servers
>
> ftp shouldn't be a problem if you run it as a daemon with a user that has
> limited privileges.
> I run proftpd with a user ftp who only has access to his home dir.
>
> I also turn telnet off completely and I use ssh.
> You can also put ssh on port 9999 which doesn't show up on some port
> scanners.
>
> I just use nmap to make sure I don't have any ports open except what I
> need.
>
> ssh, httpd, ftp
> marc fleury wrote:
> >
> > |Another nice idea is to substitute telnet and ftp with some service that
> > |sends an alarm message to you. Perhaps you could also just make them
> > |look the same as telnet and ftp but let them collect every single
> > |keystroke (some sort of "honeypot") :-).
> >
> > fancy... but I can't write C for shit... :)
> >
> > do these exist out of the box???
> >
> > marc
> >
> > |
> > |Links:
> > |http://www.openwall.com/scanlogd/
> > |http://packetstorm.securify.com/linux/security/
> > |http://www.psionic.com/abacus/portsentry/
> > |http://sdetect.sourceforge.net/
> > |
> > |Tobias
> > |
> > |
> > |marc fleury wrote:
> > |>
> > |> yes, my home machine was hacked as well and then my provider machine
> > |> from there hence jboss down.
> > |>
> > |> It also proves "dreamhost" detected the intrusion (as I did) but
> > |> wasn't able to do anything to prevent it or repair it. :(
> > |>
> > |> I had to reinstall linux as well. It seems the first script kiddies
> > |> were good and just "parasited" the machine but didn't damage it (and
> > |> I don't mind some parasites, all trees have them). But then a "sloppy"
> > |> script kiddy came along and boom.
> > |>
> > |> So being badly raped when I was a "security newbie" I decided to
> > |> look at it in detail.
> > |>
> > |> Fascinating, had a great time, didn't sleep much last week :)
> > |>
> > |> essentially I disable EVERYTHING (telnet, ftp), I use xinetd which is
> > |> more secure than inetd and then I turn off all the services in xinetd
> > |> but pop3s, a secure pop version on ssl. ssh is the only way to get in
> > |> (telneat really good on windows). Of course I do all the installation
> > |> off line. And then I put "tripwire" to monitor the main directories,
> > |> turn it on, once it is on I put the machine online.
> > |>
> > |> then I downloaded a rootkit and diagnosed my own machine for attacks :)
> > |> fascinating.
> > |>
> > |> so much fun. Anyone knows of a good "scan detector"?
> > |>
> > |> marc
> > |>
> > |> |-----Original Message-----
> > |> |From: [EMAIL PROTECTED]
> > |> |[mailto:[EMAIL PROTECTED]]On Behalf Of Filip Hanik
> > |> |Sent: Monday, January 22, 2001 10:22 AM
> > |> |To: jBoss Developer
> > |> |Subject: [jBoss-Dev] securing your servers
> > |> |
> > |> |
> > |> |Just wanted to let everybody that runs RedHat at home (maybe even the
> > |> |JBoss servers?) know:
> > |> |I got hit by the Ramen Noodle worm on my server at home (I forgot to
> > |> |turn off some inetd services - in this case the print service) and my
> > |> |machine got rooted.
> > |> |This means I have to reinstall my machine from scratch, so be careful
> > |> |all of you who run Linux (especially redhat).
> > |> |If you run FreeBSD you're safe!! :)
> > |> |
> > |> |take a look at the article
> > |> |http://news.cnet.com/news/0-1003-200-4508359.html?tag=st.ne.1430735..ni
> > |> |
> > |> |Filip
> > |> |
> > |> |~
> > |> |Namaste - I bow to the divine in you.
> > |> |~
> > |> |Filip Hanik
> > |> |Technical Architect
> > |> |[EMAIL PROTECTED]
> > |> |
> > |> |----- Original Message -----
> > |> |From: "marc fleury" <[EMAIL PROTECTED]>
> > |> |To: "jBoss Developer" <[EMAIL PROTECTED]>
> > |> |Sent: Monday, January 22, 2001 9:55 AM
> > |> |Subject: RE: [jBoss-Dev] jndi/UserTransaction
> > |> |
> > |> |
> > |> |Hello,
> > |> |
> > |> |sorry for the delay I am finally out of the water re website (well
> > |> |almost).
> > |> |
> > |> |I am very interested in an integration of
> > |> |a/ new TM or extended TM
> > |> |b/ Jeremie from France Telecom... it is the new JOnAS TM and I believe
> > |> |we can buy ourselves distributed TM with it.
> > |> |
> > |> |let me know if you have time/energy/will to take that on. To be quite
> > |> |frank I am thinking b/ first then talk to ole on possibilities for a/,
> > |> |
> > |> |marc
> > |> |
> > |> |
> > |> ||-----Original Message-----
> > |> ||From: [EMAIL PROTECTED]
> > |> ||[mailto:[EMAIL PROTECTED]]On Behalf Of Sethi , Manish
> > |> ||Sent: Sunday, January 14, 2001 7:51 AM
> > |> ||To: 'jBoss Developer '
> > |> ||Subject: RE: [jBoss-Dev] jndi/UserTransaction
> > |> ||
> > |> ||
> > |> ||Hi Everybody,
> > |> ||
> > |> ||Writing very first mail to the group.
> > |> ||
> > |> ||I have gone through the present implementation of JTA. I want to
> > |> ||help in its development. Now what I want to know is what should we
> > |> ||choose out of the following for this job.
> > |> ||
> > |> ||1. Should we implement JTS/OTS specs at the back. (Probably we would
> > |> ||have to start from scratch...)
> > |> ||
> > |> ||OR
> > |> ||
> > |> ||2. Should we think of some mechanism of just making TXContext movable
> > |> ||around the multiple JVMs...
> > |> ||
> > |> ||
> > |> ||-Manish
> > |> ||
> > |> ||
> > |> ||-----Original Message-----
> > |> ||From: marc fleury
> > |> ||To: jBoss Developer
> > |> ||Sent: 1/12/01 10:34 AM
> > |> ||Subject: RE: [jBoss-Dev] jndi/UserTransaction
> > |> ||
> > |> |||Is there a known historical fix for this, such as substituting a
> > |> |||different JTA implementation or JNDI implementation? That is, has
> > |> |||someone already
> > |> ||
> > |> ||hi,
> > |> ||
> > |> ||the jndi implementation is an orthogonal issue. We need to plug in a
> > |> ||distributed monitor (JTS/JTA) and hook it up to jndi. The plumbing
> > |> ||(propagation, thread association) is already there as it is an
> > |> ||adaptation of the old jboss1.0 code.
> > |> ||
> > |> ||For the record, jboss1.0 used JOnAS distributed TM to provide
> > |> ||distributed transactions. We deliberately removed it from 2.0 to
> > |> ||provide fast in-VM tm.
> > |> ||
> > |> ||Plugging a new TM is what is needed.
> > |> ||
> > |> ||marc
> > |> ||
> > |> ||
> > |> |||provided this functionality in the past and able to offer
> > |> |||suggestions? Distributed JTA and UserTransaction access by remote
> > |> |||clients through JNDI is spec-required.
> > |> |||
> > |> |||Sean
> > |> |||
> > |> |||on 1/11/01 11:17 PM, marc fleury at [EMAIL PROTECTED] wrote:
> > |> |||
> > |> |||> userTransaction is for beans right now. I.e. visible in JNDI of
> > |> |||> beans, but NOT the global JNDI.
> > |> |||>
> > |> |||> marc
> > |> |||>
> > |> |||>
> > |> |||> |-----Original Message-----
> > |> |||> |From: [EMAIL PROTECTED]
> > |> |||> |[mailto:[EMAIL PROTECTED]]On Behalf Of Scott M Stark
> > |> |||> |Sent: Wednesday, January 10, 2001 8:08 PM
> > |> |||> |To: jBoss Developer
> > |> |||> |Subject: Re: [jBoss-Dev] jndi/UserTransaction
> > |> |||> |
> > |> |||> |
> > |> |||> |Can't you just access it via the context.getUserTransaction()
> > |> |||> |method?
> > |> |||> |It is bound under java:comp/UserTransaction, but this is only
> > |> |||> |available from within the EJB while the container is executing a
> > |> |||> |method. It's not visible via jndiView.
> > |> |||> |
> > |> |||> |
> > |> |||> |----- Original Message -----
> > |> |||> |From: "Peter Braswell" <[EMAIL PROTECTED]>
> > |> |||> |To: "jBoss Developer" <[EMAIL PROTECTED]>
> > |> |||> |Sent: Wednesday, January 10, 2001 7:20 PM
> > |> |||> |Subject: [jBoss-Dev] jndi/UserTransaction
> > |> |||> |
> > |> |||> |
> > |> |||> |> All,
> > |> |||> |>
> > |> |||> |> I don't see (jndiView) where the UserTransaction is
> > |> |||> |> bound. I didn't find in the mail archives or docs
> > |> |||> |> anything indicating how this gets bound...
> > |> |||> |>
> > |> |||> |> Any hints?
> > |> |||> |>
> > |> |||> |> peter
> > |> |||> |>
> > |
>
> --
> Doug Ferguson
> Software Developer
> www.coremetrics.com
> 512-342-2623x212
> 512-619-9972(cell)
--
Doug Ferguson
Software Developer
www.coremetrics.com
512-342-2623x212
512-619-9972(cell)
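The two points made in this thread, that a daemon compromise only yields root when the daemon itself runs as root, and Doug's habit of checking that nothing listens beyond ssh, httpd and ftp, as an added example that is not from the thread or from any of the posters: a small Python audit that joins a listening-socket table to the process table and flags every listener that is on a port outside an allowlist or is owned by root (sshd excepted, since it needs root to accept logins). The sample lines are constructed, loosely modelled on the shape of `ss -tlnp` and `ps -eo pid,user,comm` output; the `EXPECTED_PORTS` allowlist and the `ROOT_ALLOWED` set are assumptions chosen for the demonstration.

```python
"""Audit listening services for least privilege and unexpected ports.

Added example, not from the mailing-list thread. The inputs below are
constructed samples; on a real host you would feed in the actual output
of the socket and process listing commands instead.
"""
import re

# Constructed sample of listening sockets: state, queues, local address,
# and the owning process (name and pid), in the style of `ss -tlnp`.
SAMPLE_SOCKETS = """\
LISTEN 0 128 0.0.0.0:21   users:(("proftpd",pid=1203,fd=3))
LISTEN 0 128 0.0.0.0:22   users:(("sshd",pid=812,fd=3))
LISTEN 0 128 0.0.0.0:80   users:(("httpd",pid=950,fd=4))
LISTEN 0 128 0.0.0.0:515  users:(("lpd",pid=1301,fd=3))
LISTEN 0 128 127.0.0.1:25 users:(("sendmail",pid=700,fd=5))
"""

# Constructed sample of the process table: pid, owning user, command.
SAMPLE_PROCESSES = """\
  PID USER     COMMAND
  700 root     sendmail
  812 root     sshd
  950 apache   httpd
 1203 ftp      proftpd
 1301 root     lpd
"""

# Assumption for the demo: the only services this host is meant to expose
# (ssh, httpd, ftp), and the one daemon that legitimately runs as root.
EXPECTED_PORTS = {21, 22, 80}
ROOT_ALLOWED = {"sshd"}

SOCKET_RE = re.compile(
    r'^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s+users:\(\("([^"]+)",pid=(\d+)'
)


def parse_sockets(text):
    """Return one dict (addr, port, name, pid) per LISTEN line."""
    out = []
    for line in text.splitlines():
        m = SOCKET_RE.match(line.strip())
        if m:
            addr, port, name, pid = m.groups()
            out.append({"addr": addr, "port": int(port),
                        "name": name, "pid": int(pid)})
    return out


def parse_processes(text):
    """Map pid -> owning user; the header line is skipped because its
    first field is not numeric."""
    users = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0].isdigit():
            users[int(parts[0])] = parts[1]
    return users


def audit(sockets_text, processes_text, expected_ports, root_allowed):
    """Join sockets to processes and return findings sorted by port.

    A finding is raised when the port is not in the allowlist or when the
    owning user is root and the daemon is not on the root_allowed list.
    Loopback-only listeners are still reported but tagged, since they are
    not reachable from the network and rank lower when prioritising fixes.
    """
    users = parse_processes(processes_text)
    findings = []
    for sock in parse_sockets(sockets_text):
        user = users.get(sock["pid"], "?")
        issues = []
        if sock["port"] not in expected_ports:
            issues.append("unexpected port")
        if user == "root" and sock["name"] not in root_allowed:
            issues.append("runs as root")
        if issues and sock["addr"].startswith("127."):
            issues.append("loopback only")
        if issues:
            findings.append({"port": sock["port"], "name": sock["name"],
                             "user": user, "issues": issues})
    return sorted(findings, key=lambda f: f["port"])


def report(findings):
    """Render findings as one line each for a human reader."""
    return ["port %d %s (user %s): %s" % (f["port"], f["name"], f["user"],
                                          ", ".join(f["issues"]))
            for f in findings]


if __name__ == "__main__":
    for line in report(audit(SAMPLE_SOCKETS, SAMPLE_PROCESSES,
                             EXPECTED_PORTS, ROOT_ALLOWED)):
        print(line)
```

On the constructed data the audit reports the print service (lpd on 515, the kind of forgotten inetd service Filip mentions) as both unexpected and root-owned, and sendmail on 25 as the same but loopback only; proftpd passes because it runs as the unprivileged ftp user on an expected port.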