Ajay Pal Singh Atwal on Thursday 13 Oct 2005 14:48 wrote:

>> Given my servers, I won't prefer experimentation with it.
> Indeed, if it ain't broke don't fix it :-)
>
>> How many people can I trust and how many of them can I control ?
> We can't trust anyone.
>
>> A bunch of people in a group can be trusted because I might know them in
>> person but your idea of _distributed monitoring_ will also include
>> unwanted folks.
> Of course initially it has to start from within a closed group, ppl we
> trust, but in case there are unwanted folks, would that make any
> difference? I do believe there are more good ppl than bad ppl.

I'd never believe such beliefs.

>> And what are audit and reporting tools for ?
> They are always there, and we cannot live without them, but with ref to my
> previous mail, so many new users are shifting to GNU/Linux and if their
> initial experience with GNU is difficult, we may not be able to retain
> them for long. We can *always* tell them to RTFM, and do proper study, but
> hey, that is only possible in theory: "after reading a bunch of docs a
> GNU/Linux system can not be made rock solid".

This is my _personal_ opinion. There is no shortcut in life. All of us learned that way. I'd say, these days GNU/Linux is much simpler to learn because you at least have everything working when you install it. Spoon feeding doesn't work. Do you think the institutions in the market that claim to teach you GNU/Linux in a quarter really teach? Grasping *nix technologies takes its own time.

> Many ppl will need third party confirmations to know that their system is
> at least standable.

I still don't agree to this point. I'd never want to allow you or anyone else whom I don't know to get into my setup and scan and report me.

> My point is, it is possible to do remote scanning, the kind carried out
> by bad ppl, and we try to find vulnerabilities, and we report them back
> and not exploit them. And also to do maybe routine checks for any change
> in services. And also to point out possible configuration errors. A
> distributed system in which a newbie knows **how to participate**. The
> community can help there. If some ppl in the community are bad, the scale
> of the community will ensure that the problem gets reported back, and
> maybe fixed, something like how FLOSS works, how Free(dom) software works,
> share not sit on information and not something like blacklisting the
> exploited system (that is what XBL and RBL do). Blacklisting can be the
> last option.
>
> You can find so many ppl around who have no idea why their mail servers
> are not able to send mail to yahoo/rediff/hotmail etc etc.

Let them learn. When they find that their mails are not accepted, they'll be forced to find out why, which will make them learn. That's the way to learn. And tell me truly, how long does it take to figure out such a problem given we today have such a huge community? And even if that doesn't help or the person isn't community comfortable, you always have the option of GNU/Linux consultants. Don't kill their businesses :-)

>> On my servers logcheck informed me that they were being hit badly by some
>> script kiddies who were continuously polling on port 22.
>> Four iptables rules and it got done.
>
> How many IPs can we block, especially when the kiddo is maybe using a
> dynamic IP address? And can the newbie do that? On the other hand this
> distributed system can be used to feed or act as a black list, that can
> change dynamically, maybe against DDoS as well.

You know, iptables is a sexy tool.

    ## create denylog chain: log the packet, then drop it
    iptables -N denylog
    iptables -A denylog -j LOG
    iptables -A denylog -j DROP

    ## SSH Bruteforce
    ## whitelisted networks are removed from the "SSH" recent list and accepted
    iptables -N SSH_WHITELIST
    iptables -A SSH_WHITELIST -s 10.0.1.0/24 -m recent --remove --name SSH -j ACCEPT
    ## every new connection to port 22 stamps the source in the "SSH" list
    iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH
    iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j SSH_WHITELIST
    ## sources with 4 hits inside 60 seconds (same TTL as the first hit) go to denylog
    iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j denylog

Creates a whitelist of one or more networks. All others are subject to inspection. More than 4 hits within 60 seconds are denied. In case of 60 seconds without a hit, this rule is automatically cleared again. That's the magic of the "recent" module of iptables. It works for me - and it's very useful!

> Of course all of this is just an idea and needs work/improvements.
> And as you suggested still workable on a smaller scale.

IMO your idea would be practical if you remove the _trust_ part from it. Make a framework assuming you don't know the other person. Allow the scanners to scan your servers in a way which doesn't breach your security (maybe some polling on ports).

rrs
-- 
Ritesh Raj Sarraf
RESEARCHUT -- http://www.researchut.com
Gnupg Key ID: 04F130BC
"Stealing logic from one person is plagiarism, stealing from many is research."
"Necessity is the mother of invention."

_______________________________________________
linux-india-help mailing list
linux-india-help@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/linux-india-help
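A simplified model of what the three INPUT rules in the mail do to a stream of new connections on port 22, added here as an illustration and not part of the original mail or of iptables. It assumes the rule order as posted, models only --set, --remove and --update --seconds/--hitcount (not --rttl), and uses constructed source addresses and timestamps; note that --hitcount 4 already matches on the fourth hit inside the window, and that a blocked source is released once it stays quiet for the full 60 seconds.

```python
import ipaddress
from collections import defaultdict

# Parameters taken from the rules in the mail.
SECONDS, HITCOUNT = 60, 4                          # --seconds 60 --hitcount 4
WHITELIST = ipaddress.ip_network("10.0.1.0/24")    # -s 10.0.1.0/24 in SSH_WHITELIST


class RecentList:
    """Minimal model of one xt_recent list ('SSH'): hit timestamps per source. --rttl is not modelled."""

    def __init__(self):
        self.stamps = defaultdict(list)            # src -> [hit times in seconds]

    def set(self, src, now):                       # -m recent --set: stamp the source
        self.stamps[src].append(now)

    def remove(self, src):                         # -m recent --remove: forget the source
        self.stamps.pop(src, None)

    def update(self, src, now):
        """-m recent --update --seconds S --hitcount N: match when the source has at
        least N stamps inside the last S seconds (so the 4th hit already matches);
        a match refreshes the entry, so the block persists while the polling continues."""
        hits = [t for t in self.stamps.get(src, []) if now - t <= SECONDS]
        if len(hits) >= HITCOUNT:
            self.stamps[src].append(now)
            return True
        return False


def filter_ssh(attempts):
    """Walk NEW SYNs to port 22 through the INPUT rules in the order they were posted.
    attempts: iterable of (time_in_seconds, source_ip); returns (time, src, verdict) tuples."""
    ssh = RecentList()
    verdicts = []
    for now, src in sorted(attempts):
        ssh.set(src, now)                                   # rule 1: --set --name SSH
        if ipaddress.ip_address(src) in WHITELIST:          # rule 2: -j SSH_WHITELIST
            ssh.remove(src)
            verdicts.append((now, src, "ACCEPT"))
        elif ssh.update(src, now):                          # rule 3: --update ... -j denylog
            verdicts.append((now, src, "DROP"))             # denylog = LOG, then DROP
        else:
            verdicts.append((now, src, "ACCEPT"))           # assumed: later INPUT rules accept SSH
    return verdicts


# Constructed traffic (not real logs): a scanner polling every 10 s that goes quiet and
# returns 80 s later, an admin making two normal attempts, and one whitelisted host.
ATTEMPTS = [(10 * i, "203.0.113.7") for i in range(6)] + [(130, "203.0.113.7"),
            (5, "198.51.100.2"), (25, "198.51.100.2"), (30, "10.0.1.5")]

if __name__ == "__main__":
    for t, src, verdict in filter_ssh(ATTEMPTS):
        print(f"t={t:3d}s  {src:<13} {verdict}")
```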