Don't forget to install the Suhosin patch for your PHP. A lot of attackers
are using ISC.Dfind (w00tw00t) scanning to recon existing web apps. Suhosin
at least adds another layer of defense.

On Tue, Jun 16, 2009 at 5:43 AM, dr. Hannibal Lecter <[email protected]> wrote:

>
> Thanks for your input. I don't think I want to go as far as snort (I'm
> still inexperienced, and it seems like my broken FC5 doesn't have most
> of the dependencies), I only want to limit HTTP/FTP/SSH access. What I
> didn't mention earlier (now I think I should have), is that the break-
> in happened via an unprotected (and old version of) phpMyAdmin.
> Apparently, there was a very nasty exploit which allowed for file
> upload and with that, many other nasty things.
>
> I'm really looking for a short-term solution, because I plan on
> reformatting and installing Ubuntu when I get the time to do so.
>
> On Jun 15, 12:10 am, hard wyrd <[email protected]> wrote:
> > I agree. In our case, we use Snort and guardian to fend off "possible"
> > attackers. Though we added our own IP block into guardian's ignore list.
> >
> > On Sat, Jun 13, 2009 at 1:11 AM, Jeremiah Bess <[email protected]> wrote:
> >
> > > While it is possible, not every ISP in France and Croatia will have a .fr
> > > or .hr reverse DNS entry. And as a security professional, I would recommend
> > > keeping the log line, since you can't assume everyone in France and Croatia
> > > are legitimate users, and logs are your friends.
> >
> > > Another note is that setting up security on a box is not a set it and
> > > forget it tactic. It's constantly changing, and needs human intervention.
> > > Turn on extra logging, and review the logs on a regular basis.
> >
> > > Your best bet would be to install an IPS. This would look for brute force
> > > attacks and other attack vectors and block the offending IP. Snort can be
> > > used as an IPS, but it has a learning curve. BFD can be used, but only detects
> > > brute force attacks, not SQL injections or other malicious attempts.
> >
> > > Jeremiah E. Bess
> > > Network Ninja, Penguin Geek, Father of four
> >
> > > On Fri, Jun 12, 2009 at 09:08, dr. Hannibal Lecter <[email protected]> wrote:
> >
> > >> Hi all,
> >
> > >> As some of you might know, I'm still a noob, so bear with me :)
> >
> > >> I've recently experienced a terrible security breach on my test
> > >> platform at work, which is an old Fedora 5 setup.
> >
> > >> Due to the fact that this platform needs to be accessible from Croatia
> > >> and France, my idea was to block all countries using iptables using
> > >> this technique:
> >
> > >>http://www.cyberciti.biz/faq/block-entier-country-using-iptables/
> >
> > >> I'm still learning about iptables, but since the above method would
> > >> introduce thousands of addresses in iptables in my case, I assume it
> > >> would slow everything down.
> >
> > >> So my question is: is there a way to explicitly allow hr and fr zones
> > >> as described in the article above, but drop everything else?
> >
> > >> Would it be enough to change the ISO codes in the script above to "hr
> > >> fr" and change this line
> >
> > >> $IPT -A $SPAMLIST -s $ipblock -j DROP
> >
> > >> to
> >
> > >> $IPT -A $SPAMLIST -s $ipblock -j ACCEPT
> >
> > >> And then add this at the bottom:
> >
> > >> $IPT -A INPUT -j DROP
> >
> > >> ...or are there more changes needed in the script? (I assume I won't
> > >> be needing the LOG line any longer)
> >
> > >> Thanks in advance!
> >
> > --
> > Part-time SysAd, full-time Dad, part-time netNinja
> > CNS, ACFE, FOSS Advocate and Consultant
> > Registered Linux User #400165
> > http://www.rm2media.net
> > http://baudizm.blogsome.com
> > http://linuxblazon.wordpress.com
> > http://3x-comic.blogspot.com (NEW!)
> >
>


-- 
Part-time SysAd, full-time Dad, part-time netNinja
CNS, ACFE, FOSS Advocate and Consultant
Registered Linux User #400165
http://www.rm2media.net
http://baudizm.blogsome.com
http://linuxblazon.wordpress.com
http://3x-comic.blogspot.com  (NEW!)
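The allow-list rewrite the original poster asks about, as an added shell example that is not part of this thread or of the cyberciti script: it keeps the LOG line Jeremiah recommends and, instead of a blanket "$IPT -A INPUT -j DROP", only gates NEW connections to the FTP/SSH/HTTP ports, so an open SSH session and replies to existing connections are not cut off when the rules load. The iptables path, the GEOALLOW chain name and the CIDR blocks are assumptions or constructed sample data, and the script prints the commands rather than applying them so they can be reviewed first.

```bash
#!/usr/bin/env bash
# Added example, not from the thread: the cyberciti block-list idea turned
# into an allow-list for the ports the OP wants reachable (FTP/SSH/HTTP).
# Listed CIDR blocks are ACCEPTed; anything else is LOGged (rate-limited)
# and DROPped, so the LOG line stays, as Jeremiah advises. The script only
# PRINTS the iptables commands so the rule set can be reviewed first:
#   ./geo_allow.sh < hr_fr.zone | sudo sh
set -eu

IPT=${IPT:-/sbin/iptables}   # binary path is an assumption; adjust per distro
CHAIN=${CHAIN:-GEOALLOW}     # chain name is our own choice, not from the thread
PORTS=${PORTS:-21,22,80}     # FTP, SSH, HTTP
ADMIN_IP=${ADMIN_IP:-}       # optional: an address that must never be locked out

# Constructed sample standing in for the hr/fr zone files (one CIDR per line;
# the real files run to thousands of lines).
SAMPLE_BLOCKS='192.0.2.0/24
# comments and blank lines are ignored
198.51.100.0/24

203.0.113.0/24'

# gen_allowlist_rules: read CIDR blocks on stdin, print iptables commands.
gen_allowlist_rules() {
    local ipblock hook
    # Create the chain, or flush it if it already exists (safe to re-run).
    printf '%s -N %s 2>/dev/null || %s -F %s\n' "$IPT" "$CHAIN" "$IPT" "$CHAIN"
    if [ -n "$ADMIN_IP" ]; then
        printf '%s -A %s -s %s -j ACCEPT\n' "$IPT" "$CHAIN" "$ADMIN_IP"
    fi
    while IFS= read -r ipblock; do
        case "$ipblock" in ''|\#*) continue ;; esac
        printf '%s -A %s -s %s -j ACCEPT\n' "$IPT" "$CHAIN" "$ipblock"
    done
    # Nothing matched: log (throttled so the log cannot be flooded), then drop.
    printf '%s -A %s -m limit --limit 5/min -j LOG --log-prefix "geo-drop: "\n' "$IPT" "$CHAIN"
    printf '%s -A %s -j DROP\n' "$IPT" "$CHAIN"
    # Hook into INPUT: replies to existing connections pass first, then only
    # NEW connections to the service ports (not on loopback) enter the chain.
    # Deleting before appending keeps each hook single when re-run.
    hook="-m state --state ESTABLISHED,RELATED -j ACCEPT"
    printf '%s -D INPUT %s 2>/dev/null; %s -A INPUT %s\n' "$IPT" "$hook" "$IPT" "$hook"
    hook="! -i lo -p tcp -m multiport --dports $PORTS -m state --state NEW -j $CHAIN"
    printf '%s -D INPUT %s 2>/dev/null; %s -A INPUT %s\n' "$IPT" "$hook" "$IPT" "$hook"
}

# Demo run on the constructed sample; for real use pipe a zone file in.
printf '%s\n' "$SAMPLE_BLOCKS" | gen_allowlist_rules
```

Other ports stay governed by whatever INPUT policy the box already has, so this is a narrower change than appending a final DROP to INPUT.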

--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Linux Users Group.
To post a message, send email to [email protected]
To unsubscribe, send email to [email protected]
For more options, visit our group at 
http://groups.google.com/group/linuxusersgroup
-~----------~----~----~----~------~----~------~--~---
