Re: [SLUG] advice on security compliance
Rob,

2009/11/2 Robert Collins
> On Mon, 2009-11-02 at 16:28 +1100, Daniel Bush wrote:
> > I was following Rick's recent post about penetration testing with some
> > interest. I'm looking at complying with anz e-gate for e-commerce
> > transactions. ANZ has this declaration form for internet sites that you
> > have to sign. One of the tick boxes says "Do you operate a firewall that is
> > regularly updated?"
> >
> > I have an iptables firewall which basically blocks all ip6 and all ip4
> > except for a couple of ports I expose to the internet. I don't see why I
> > need to update it "regularly".
>
> Two primary reasons:
> - iptables is not bug free. Few and far between, but not empty-of-bugs.

I mean updating the rules you use to filter packets, not maintaining the software that does the filtering. Is that what you mean here? Maybe that's what this tick box means. I didn't think of that. I just assumed they were talking about the filtering rules...

> - ip4 and ip6 are not 'finished'. Every now and then a new RFC or even
> std is released, and you need to update your firewall and routing rules
> accordingly. (e.g. the nonroutable address space changes over time, so
> you need to update your rules accordingly).

Must still be missing something here Rob. I just block everything except for the services I run on the public interface (and stuff on the internal loopback interface / localhost). Why do I need to worry about non-routables?

> Even if those two points didn't matter, if you admin the firewall using
> ssh, and sshd has a bug permitting remote compromise, you'd be remiss
> not to update that.

I think this is a software update issue. As before I'm wondering if that is what the tick box meant. What confuses me is that I would have that as a separate tick box in itself, something like "do you regularly patch/maintain security updates for your software, especially firewall and related security systems?" That is not the issue I thought the tick box was addressing. I may be reading you all wrong here though :(

> So, it's an important checkbox, and if you're not maintaining your
> firewall, don't tick it! (Worse still, if you think deny-all + a couple
> of permits == correctly setup firewall - you need about 15 rules I
> think, for a _minimally_ conformant firewall [that is, not in violation
> of parts of the IP stack]).

Ok, now you're worrying me. For a simple setup where you have an isolated box running a webserver and ssh: I have a default drop policy on all tables; a catch-all drop rule that logs certain things; I have some stateful rules so that I can talk to the outside world, and several open ports on a specified interface for the tcp protocol where I am exposing services to the outside world. If the default is to drop everything except a specific set of ports on a specific interface using a specific transport, why do I have to twiddle with these rules? Surely the only area of concern is the established/related stateful rules. Is that what you mean? Are you reviewing the stateful part of your packet filtering firewall every week because you're worried it could get spoofed or something? If so, what is your strategy here and does it result in some sort of regular update? Or do you have a default policy of accept, which means you have to worry about closing stuff down all the time? I've always assumed drop so I don't even want to begin to think about the alternative.

> Keeping on top of the whole mess is what is
> implied by 'regularly updated', not turning on some vendor software-sync
> button and forgetting about it.

hm; as per my above comments. I'm pretty paranoid about my firewall.

-- 
Daniel Bush

-- 
SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/
Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
[SLUG] Help -- I cannot boot into Ubuntu..
Hi Fellow Slugger,

Sorry for kinda disappearing this year, just had some stuff on, and I am currently in the US. I really need some expert help.

I have a new setup on a laptop. It's a very nice Dell Precision M4400. I have been running Ubuntu 9.04 for 3 weeks now with no problems. This morning I went to boot up my machine and got a weird gdm message "Could not start the X server due to some internal error".

The only way I can boot into X is to do the following...

sudo mount -o remount,rw /

then I can run

sudo /etc/init.d/gdm restart

I get a message that there is already a session of X running blah blah, I say yes to start a new one and then I am in. I have to kill whiptail once I start as the CPU is going nuts...

I am in the US working, I have a big next 4 days of training and would like to have my machine working. I am currently doing a backup of my home directory and seriously thinking about doing an online upgrade to 9.10.

Your help is really appreciated.

Scott
Re: [SLUG] advice on security compliance
On Mon, 2009-11-02 at 16:28 +1100, Daniel Bush wrote:
> I was following Rick's recent post about penetration testing with some
> interest. I'm looking at complying with anz e-gate for e-commerce
> transactions. ANZ has this declaration form for internet sites that you
> have to sign. One of the tick boxes says "Do you operate a firewall that is
> regularly updated?"
>
> I have an iptables firewall which basically blocks all ip6 and all ip4
> except for a couple of ports I expose to the internet. I don't see why I
> need to update it "regularly".

Two primary reasons:

- iptables is not bug free. Few and far between, but not empty-of-bugs.
- ip4 and ip6 are not 'finished'. Every now and then a new RFC or even std is released, and you need to update your firewall and routing rules accordingly. (e.g. the nonroutable address space changes over time, so you need to update your rules accordingly).

Even if those two points didn't matter, if you admin the firewall using ssh, and sshd has a bug permitting remote compromise, you'd be remiss not to update that.

So, it's an important checkbox, and if you're not maintaining your firewall, don't tick it! (Worse still, if you think deny-all + a couple of permits == correctly setup firewall - you need about 15 rules I think, for a _minimally_ conformant firewall [that is, not in violation of parts of the IP stack]). Keeping on top of the whole mess is what is implied by 'regularly updated', not turning on some vendor software-sync button and forgetting about it.

-Rob
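Rob's point that deny-all plus a couple of permits is not a conformant firewall is easiest to see in a concrete ruleset. The block below is an added example written for this page, not Rob's or Daniel's configuration: an iptables-restore ruleset for the scenario in the thread (a single host exposing only ssh and http) that also carries the rules a bare deny-all usually omits: unconditional loopback, conntrack state handling, and the ICMP/ICMPv6 types the IP stack needs for path MTU discovery, unreachables and (on IPv6) neighbour discovery. The interface name eth0 and the ssh port are assumptions for the example; adjust them before loading.

```shell
#!/bin/sh
# Added example: generate iptables-restore(8) rulesets for a host that exposes
# only ssh and http. The interface name and ssh port below are assumptions for
# the example, not values from the thread.

WAN_IF="${WAN_IF:-eth0}"     # assumed public interface
SSH_PORT="${SSH_PORT:-22}"   # assumed ssh port

# gen_ipv4_rules: print an IPv4 ruleset. Lines beginning with '#' are ignored
# by iptables-restore, so the comments can stay in the loaded file.
gen_ipv4_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback must be unconditional, or local services break; and nothing from
# 127/8 may arrive on a real interface
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -s 127.0.0.0/8 -j DROP
# replies to connections this host opened, plus ICMP errors related to them
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# packets conntrack cannot classify (bad TCP flag combinations, stray ACKs)
-A INPUT -m conntrack --ctstate INVALID -j DROP
# ICMP the stack needs: PMTU discovery, unreachables, TTL expiry, rate-limited ping
-A INPUT -p icmp --icmp-type fragmentation-needed -j ACCEPT
-A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
-A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s --limit-burst 10 -j ACCEPT
# exposed services: only on the public interface, only TCP, only new connections
-A INPUT -i $WAN_IF -p tcp --syn --dport $SSH_PORT -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -i $WAN_IF -p tcp --syn --dport 80 -m conntrack --ctstate NEW -j ACCEPT
# rate-limited log of what the chain policy is about to drop
-A INPUT -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "fw-drop: " --log-level 4
COMMIT
EOF
}

# gen_ipv6_rules: the IPv6 counterpart for ip6tables-restore(8). IPv6 has no
# ARP; without neighbour discovery and packet-too-big the host simply stops
# talking, which is the "violation of parts of the IP stack" case.
gen_ipv6_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# neighbour/router discovery is link-local and must arrive with hop limit 255
-A INPUT -p ipv6-icmp --icmpv6-type neighbour-solicitation -m hl --hl-eq 255 -j ACCEPT
-A INPUT -p ipv6-icmp --icmpv6-type neighbour-advertisement -m hl --hl-eq 255 -j ACCEPT
-A INPUT -p ipv6-icmp --icmpv6-type router-advertisement -m hl --hl-eq 255 -j ACCEPT
# PMTU discovery and error reporting
-A INPUT -p ipv6-icmp --icmpv6-type packet-too-big -j ACCEPT
-A INPUT -p ipv6-icmp --icmpv6-type destination-unreachable -j ACCEPT
-A INPUT -p ipv6-icmp --icmpv6-type time-exceeded -j ACCEPT
-A INPUT -p ipv6-icmp --icmpv6-type parameter-problem -j ACCEPT
-A INPUT -p ipv6-icmp --icmpv6-type echo-request -m limit --limit 5/s --limit-burst 10 -j ACCEPT
-A INPUT -i $WAN_IF -p tcp --syn --dport $SSH_PORT -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -i $WAN_IF -p tcp --syn --dport 80 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "fw6-drop: " --log-level 4
COMMIT
EOF
}

# Parse-only dry run against the kernel (needs root), then load for real:
#   gen_ipv4_rules | sudo iptables-restore --test   && gen_ipv4_rules | sudo iptables-restore
#   gen_ipv6_rules | sudo ip6tables-restore --test  && gen_ipv6_rules | sudo ip6tables-restore
```

Keeping the generator under version control and re-running the `--test` step on every change is one concrete reading of "regularly updated" for the rules themselves, separate from patching the kernel and sshd.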
Re: [SLUG] Pulse Audio
2009/11/2 Daniel Pittman
> Heracles writes:
>
> G'day Heracles.
>
> > Sorry Daniel if I offended your favourite program.
>
> If I was particularly fond of PulseAudio I wouldn't have described it in the
> terms I chose at the end. Just sayin'
>
> > It is just that I have had to re-setup my sound several times now with each
> > ubuntu upgrade and it has almost always been a problem that could be laid at
> > the feet of PulseAudio.
>
> You would hardly be the first person. I think the PulseAudio developers have
> a similar view of Ubuntu, who they feel did about as bad a job as possible in
> integrating PA into the distribution. ;)

I went back to debian after having a very hard time with an ubu upgrade not that long ago. It was both audio and graphics. Seems like debian doesn't use pulse by default and it's been great. If anything I feel like my system handles simultaneous playing of sounds from different apps more reliably.

-- 
Daniel Bush
[SLUG] advice on security compliance
I was following Rick's recent post about penetration testing with some interest. I'm looking at complying with anz e-gate for e-commerce transactions. ANZ has this declaration form for internet sites that you have to sign. One of the tick boxes says "Do you operate a firewall that is regularly updated?"

I have an iptables firewall which basically blocks all ip6 and all ip4 except for a couple of ports I expose to the internet. I don't see why I need to update it "regularly".

Do people use any additional application-level filtering on top of iptables packet filtering for ssh or http (aside from any security configurations that these services already provide)? (The services I'm exposing through iptables are ssh and http.)

If not, how do you deal with a compliance item that makes dubious sense and, if you answered it honestly, makes you look bad when you're not?

The other thought I had was that it could be they are conflating my understanding of what a "firewall" is with antivirus software. If people (staff even) are uploading stuff via http then maybe I need to scan such content to prevent my system acting as an agent for spreading viral content. But that's heading out of firewall territory.

Regards,

-- 
Daniel Bush
Re: LTS worth anything? (was: Re: [SLUG] Announcement roundup from October meeting)
2009/11/2 Del
> One of the things that the stable distros tend to miss out on is having the
> latest updated device drivers. What it sounds like you're doing is trying to
> get stuff working that while not bleeding-edge, probably does require updated
> kernels and recent device drivers. So it sounds like LTS isn't for you.

The bug I was referring to was to do with multi-lingual keyboards in X11, nothing to do with devices or hardware, which was supported well enough for me. Nothing to do with flashy new hardware but a simple oversight of a corner case by the implementers of the X login process.

--Amos
Re: [SLUG] Pulse Audio
Heracles writes:

G'day Heracles.

> Sorry Daniel if I offended your favourite program.

If I was particularly fond of PulseAudio I wouldn't have described it in the terms I chose at the end. Just sayin'

> It is just that I have had to re-setup my sound several times now with each
> ubuntu upgrade and it has almost always been a problem that could be laid at
> the feet of PulseAudio.

You would hardly be the first person. I think the PulseAudio developers have a similar view of Ubuntu, who they feel did about as bad a job as possible in integrating PA into the distribution. ;)

> I have been able to solve the problem this time with Robert's advice and
> editing of some files but in the past it has had to be removed to repair the
> system and it took ubuntu desktop with it - not a characteristic of a well
> behaved program. It has given me grief in the past so I have always
> considered it malware but I take your point and will not do so in future.

Well, it is your choice as to how you describe it; just expect that you might occasionally be asked to explain why it qualifies. :)

Daniel

-- 
✣ Daniel Pittman ✉ dan...@rimspace.net ☎ +61 401 155 707
♽ made with 100 percent post-consumer electrons
Looking for work? Love Perl? In Melbourne, Australia? We are hiring.
Re: [SLUG] Pulse Audio
Sorry Daniel if I offended your favourite program.

It is just that I have had to re-setup my sound several times now with each ubuntu upgrade and it has almost always been a problem that could be laid at the feet of PulseAudio.

I have been able to solve the problem this time with Robert's advice and editing of some files but in the past it has had to be removed to repair the system and it took ubuntu desktop with it - not a characteristic of a well behaved program. It has given me grief in the past so I have always considered it malware but I take your point and will not do so in future.

Heracles

Daniel Pittman wrote:
> Heracles writes:
>
>> After upgrading to Ubuntu 9.10 I no longer have sound. lspci recognises my
>> Creative Labs Live card but I get nothing out of it.
>>
>> Last time this happened I fixed it by the complete removal of Pulse Audio.
>
> What was PulseAudio doing that caused you to have problems with sound output?
>
> Have you checked if that is happening again?
>
> If not, what exactly isn't working: is it just that GNOME applications through
> libcanberra are not outputting audio, or other things?
>
> Does audio work if you tell an alsa application to talk direct to the
> hardware?
>
> Have you checked the volume levels and mutes on the sound card?
>
> Is it actually supported? IIRC, at least some of the Creative cards required
> firmware to offer various basic facilities — like sound — and didn't offer
> other basic facilities — like mute — with anything that could be
> redistributed.
>
>> Is there a simple fix or do I just have to remove this malware.
>
> While PulseAudio may not work for you, throwing around the "malware" label is
> the same as the people who unsubscribe from mailing lists by hitting the
> "report as SPAM" button in their mail client:
>
> It is unhelpful, technically incorrect, and it makes you look kind of silly.
>
> A better approach is to say something like "...remove this awful, broken pile
> of steaming refuse that I would be ashamed to allow to touch my systems." :)
>
> Daniel
[SLUG] vmware server / debian kernel (testing)
Anyone successfully compiled or seen any docs on compiling vmware server 2.0.1 or 2.0.2 kernel modules for a stock standard debian kernel 2.6.30-2-686?

Regards,

-- 
Daniel Bush
Re: [SLUG] Pulse Audio
Thanks Robert,

It was a little more complicated than that but you gave me the clues. I have several different distros on my system and the grub I needed was in a different filesystem. All fixed now I think. Haven't tried sound in utube as yet but everything else seems to work.

Heracles

Robert Collins wrote:
> On Mon, 2009-11-02 at 12:36 +1100, Heracles wrote:
>> After upgrading to Ubuntu 9.10 I no longer have sound. lspci recognises
>> my Creative Labs Live card but I get nothing out of it. Last time this
>> happened I fixed it by the complete removal of Pulse Audio.
>> Is there a simple fix or do I just have to remove this malware.
>
> check your kernel - uname -a - if the date is not from October, then run
> 'sudo update-grub' and reboot. If that still has no sound (and not just
> muted), do 'sudo update-initramfs' and reboot again.
>
> -Rob
Re: [SLUG] Pulse Audio
Heracles writes:

> After upgrading to Ubuntu 9.10 I no longer have sound. lspci recognises my
> Creative Labs Live card but I get nothing out of it.
>
> Last time this happened I fixed it by the complete removal of Pulse Audio.

What was PulseAudio doing that caused you to have problems with sound output?

Have you checked if that is happening again?

If not, what exactly isn't working: is it just that GNOME applications through libcanberra are not outputting audio, or other things?

Does audio work if you tell an alsa application to talk direct to the hardware?

Have you checked the volume levels and mutes on the sound card?

Is it actually supported? IIRC, at least some of the Creative cards required firmware to offer various basic facilities — like sound — and didn't offer other basic facilities — like mute — with anything that could be redistributed.

> Is there a simple fix or do I just have to remove this malware.

While PulseAudio may not work for you, throwing around the "malware" label is the same as the people who unsubscribe from mailing lists by hitting the "report as SPAM" button in their mail client:

It is unhelpful, technically incorrect, and it makes you look kind of silly.

A better approach is to say something like "...remove this awful, broken pile of steaming refuse that I would be ashamed to allow to touch my systems." :)

Daniel

-- 
✣ Daniel Pittman ✉ dan...@rimspace.net ☎ +61 401 155 707
♽ made with 100 percent post-consumer electrons
Looking for work? Love Perl? In Melbourne, Australia? We are hiring.
Re: [SLUG] Pulse Audio
On Mon, 2009-11-02 at 12:36 +1100, Heracles wrote:
> After upgrading to Ubuntu 9.10 I no longer have sound. lspci recognises
> my Creative Labs Live card but I get nothing out of it. Last time this
> happened I fixed it by the complete removal of Pulse Audio.
> Is there a simple fix or do I just have to remove this malware.

check your kernel - uname -a - if the date is not from October, then run 'sudo update-grub' and reboot. If that still has no sound (and not just muted), do 'sudo update-initramfs' and reboot again.

-Rob
[SLUG] Pulse Audio
After upgrading to Ubuntu 9.10 I no longer have sound. lspci recognises my Creative Labs Live card but I get nothing out of it. Last time this happened I fixed it by the complete removal of Pulse Audio.

Is there a simple fix or do I just have to remove this malware.

Heracles
Re: LTS worth anything? (was: Re: [SLUG] Announcement roundup from October meeting)
On Mon, Nov 02, 2009, Robert Collins wrote:
> Ubuntu LTS gets 6 monthly driver-only updates :).

Which can be a good and bad thing.

Adrian, who has been bitten once or twice in the past from the driver updates to LTS. Stupid SCSI firmware.
Re: LTS worth anything? (was: Re: [SLUG] Announcement roundup from October meeting)
On Mon, 2009-11-02 at 11:14 +1100, Del wrote:
> One of the things that the stable distros tend to miss out on is having
> the latest updated device drivers. What it sounds like you're doing is
> trying to get stuff working that while not bleeding-edge, probably does
> require updated kernels and recent device drivers. So it sounds like
> LTS isn't for you.

Ubuntu LTS gets 6 monthly driver-only updates :).

-Rob
Re: [SLUG] Announcement roundup from October meeting
James Polley wrote:
> - Or, you could buy it on a USB stick from the everythinglinux store which
> has just reopened. Online at http://www.elx.com.au/, or visit the store at
> 102/38 Oxley Street St Leonards.

Just to correct that, the shop is at shop 3, 41 Oxley St Crows Nest. The above address is our office (although they're across the road from each other, and the staff at one will no doubt direct you to the other if needs be).

http://www.elx.com.au/contact.php

... and we're closed on Mondays, so don't come by today, but we have Ubuntu 9.10 available on CD and USB stick any time from tomorrow.

-- 
Del
Babel Com Australia
http://www.babel.com.au/
ph: 02 9966 9476
fax: 02 9906 2864
Re: LTS worth anything? (was: Re: [SLUG] Announcement roundup from October meeting)
Amos Shapira wrote:
> The goal of trying to stick with LTS was to get a stable system - one where
> Skype will work with my webcam, mic and speaker, Firefox won't blow up on me
> and play Flash. I'm now with 9.04 which took a while to get Speaker working
> and mic doesn't work, I don't know whether it's a Skype problem or hardware
> except that the mic used to work with ALSA until PulseAudio was thrust on me.
>
> I'm not a gamer and don't have time to play with the latest and greatest, I
> just need to Get Things Done(tm) - monitor my work network (which is based
> on CentOS 5, great support and stability, BTW), browsing, e-mail (gmail,
> hosted exchange server (another sore point), skype (which doesn't do voice
> for months now), printing (which loses the printer every time it changes IP
> address).

The reason that "stable" distros such as RHEL and CentOS and LTS exist is so that IT managers don't go into system shock when they are told they need to upgrade their stable servers every 6 months. So things like RHEL and LTS are based on known-working-in-a-datacentre packages where urgent bug fixes and security issues are fixed only, without any new functionality being added (e.g. to get newfangled devices working), and support is typically provided for 5-7 years. I and I'm sure many others have had much success getting RHEL, CentOS or LTS going on large numbers of servers in big data centres where long term stability is important.

One of the things that the stable distros tend to miss out on is having the latest updated device drivers. What it sounds like you're doing is trying to get stuff working that while not bleeding-edge, probably does require updated kernels and recent device drivers. So it sounds like LTS isn't for you.

Most of the recent (e.g. Ubuntu 9.10, Fedora 11, openSUSE 11, etc) distros we've played with have pretty good flash support, work well with webcams, mics, speakers, and have reasonably recent Firefoxes that tend not to explode. On the other hand CentOS 5.3 (which I use on my older desktop) has a Firefox that's a few revisions old.

One of the tricks to getting Firefox, flash, skype etc, working well is to use a 32 bit distro rather than a 64 bit one.

-- 
Del
Babel Com Australia
http://www.babel.com.au/
ph: 02 9966 9476
fax: 02 9906 2864
Re: [SLUG] Penetration Test
Rick Phillips writes:

>> First, let me say that I am sorry you didn't appreciate the response, and
>> the implied criticism of your plan. It was absolutely not my intention to
>> offend, but rather to continue to question my own assumptions in the face
>> of someone who disagreed with me.
>>
>> I regret that my statements came across poorly, and left you feeling unhappy.
>
> Nothing I have seen on the list that you said has made me the slightest bit
> unhappy. Your comments are worthwhile and I appreciate them.

Well, good, I guess. Not that there was something, but that it wasn't me. ;)

[...]

> I have on several occasions advised the department of our configuration and
> security configuration but unfortunately, teachers get promoted into
> technical positions and they freely admit they haven't a clue about what I
> am saying. That adds to my difficulties as you can imagine and one has to
> wonder what sort of technology decisions they are making.

Pretty miserable ones, motivated by internal political pressure from various sources, at a guess. Oh, plus bribery. Never forget the benefits of vendor bribery in this sort of decision making process.[1]

That is why I figure this is a mostly social problem, not a technical one.

[...]

> Thanks again for your very valuable input and my apologies if I insinuated
> that you had upset me. It was a reference to another's comments (see
> above).

You didn't suggest it was me; I just looked at the comments and figured the odds were reasonable because no one else really said anything that could have triggered that. (...and I missed the "off-list" bit ;)

Anyway, the one last thing I would suggest: you /may/ find it worthwhile to end up putting the Moodle system on a distinct machine that *doesn't* have any connection between the two networks. We both know that it is unlikely to be the problem, but sometimes you have to do silly things to work around political, or social, restrictions on how you can get the best job done.

Oh, and I /think/ Moodle runs on Windows; if I, personally, had to go down that path I would look at running the native Win32 Apache and PHP code. (Plus, contact the vendor, who probably has good support for that combination, or possibly a better recommendation.)

I say this because you really care about Moodle, not the Linux part, right? In that case you may find that, for example, the department are only happy about Windows as the OS[2], and care a *lot* less about the Moodle part...

Daniel

Footnotes:
[1] Typically this is done with the best of intentions, with a lot of effort to try and get it right, but winds up there. We all would do the same if we ended up in a similar position, because we would have the same issues with not knowing what to do when hiring, say, teachers. ;)
[2] In some cases they may even be right to say that Windows is more secure *in their organization* than Linux. After all, a badly maintained Linux machine can easily be less secure than a well maintained Windows server.

-- 
✣ Daniel Pittman ✉ dan...@rimspace.net ☎ +61 401 155 707
♽ made with 100 percent post-consumer electrons
Looking for work? Love Perl? In Melbourne, Australia? We are hiring.
Re: [SLUG] Penetration Test
Tony Sceats writes:

> IMHO something like this is best done by hiring professionals, as some
> random person may or may not have the experience and skills they may or may
> not suggest, giving you a false sense of security in their findings.

Rick enquired about professionals. Just sayin'

[...]

> PPTP is generally not considered secure anymore anyway, although I don't
> have any details at hand, and again, my info is all very old.

Are you sure you should be giving advice about it, then, rather than confirming your suspicions before you say something worrying?

In this case your memory is correct, however: MPPE encryption is fatally flawed, and no other common encryption method exists. This means that, in theory, a motivated attacker with full access to the link between the client and the server can decrypt the session as it passes.

> I should say this again - if you are not using these extra services turn
> them off! It will not look good if some pen tester breaks in here and is
> then able to say the setup is insecure, despite this having no relation to
> Moodle itself.

*nod* This is good advice, IMO.

Daniel

-- 
✣ Daniel Pittman ✉ dan...@rimspace.net ☎ +61 401 155 707
♽ made with 100 percent post-consumer electrons
Looking for work? Love Perl? In Melbourne, Australia? We are hiring.
Re: [SLUG] Penetration Test
IMHO something like this is best done by hiring professionals, as some random person may or may not have the experience and skills they may or may not suggest, giving you a false sense of security in their findings. Anyway, having said that, having a poke around yourself is always fun and interesting and can also mean you can evaluate the results from an external audit yourself. It looks like you've run an nmap over your external IP address, which is a good enough start, however you might also be interested in running a nessus scan. http://www.nessus.org/download/ You should be careful though as some attacks this generates can crash your services, so don't run it at popular user times. Generally though, these should be referred to as 'Active scan' whilst a 'Passive scan' won't try to inject code etc, but enumerates services versions etc and can point you to information on known vulnerabilities. It's been a very long time since I've played with this, but it used to be very much user contributed scan codes so you couldn't trust a passive scan was not going to do something nasty, this may have changed. Anyway this is really recommended to try, although it looks commercialized since I used it, but it looks like you can still download and try it. Also, if you are not using PPTP and port 20,000 turn them off. PPTP may have a weakness that will put an attacker on your network, by passing some firewall rules. PPTP is generally not considered secure anymore anyway, although I don't have any details at hand, and again, my info is all very old. A quick google for port 20,000 show up a possibility that this is Usermin, some derivative of Webmin, and if so you should really block access to this. I should say this again - if you are not using these extra services turn them off! It will not look good if some pen tester breaks in here and is then able to say the setup is insecure, despite this having no relation to Moodle itself. 
The department wont want to understand this difference and any attempts to justify that this is not necessarily insecure but is related to your network security, not your application security will fall on deaf ears since they have a report with a lot of jargon and the words insecure on it, especially if the whole thing is politically charged as you say it is. Anyway, that's my 2c, good luck! On Sun, Nov 1, 2009 at 8:58 AM, Rick Phillips wrote: > > Just of out of interest, what kind of server are you talking about ? > > > > It's a CentOS 5.4 box. Briefly, we have been running this server for 5 > years principally to serve learning materials to students. Initially, > the server was sanctioned by the Education Department and it has grown > in usefulness and reliability and contrary to the official LMS run by > the department, is very easy to use. We run Moodle which is free, they > run Blackboard, which is not. The success of our Moodle is proving to > be of some embarrassment to them now as other schools are pushing for a > similar situation as our own and now they want our service closed down. > They claim that our server is a security risk because it connects to the > inside network as well as the outside network. Each connected network > uses a different range of addresses which are unbridged. A firewall > allowing only one way traffic protects the inside network to the server. > ie. the Moodle server cannot initiate any call on the inside network - > it is blocked. Only calls coming the other way can be serviced. Only > the following ports are open to the world plus one secret non standard > one for administration via ssh: > > 80/tcp open http > 443/tcp open https > 1723/tcp open pptp > 2000/tcp open callbook > > Ports 1723 and 2000 are not specifically opened by myself but seem to be > factory set open in the firewall device and out of my control. Only 80 > and 443 point to the server which sends but does not receive mail. 
> Using hosts allow and deny, connection is restricted to my private IP > address for external admin purposes via ssh. Both passwords are complex > and root logon is not allowed. > > I believe that we are well locked down but that does not mean that some > form of code injection might not be possible. The system is religiously > patched as soon as patches are available and I read the detailed logs > daily. I run a rootkit detection program from time to time. > > The department is employing a "white hat" to do a penetration test at > the end of this month and we thought it would be better to be > forearmed. This LMS is very important to us and has significantly helped > our student base lift their average results to be near the top for the > state. They have guided learning available to them both at home and at > school. We would hate that one mistake on my part would give the > department the excuse they need to shut us down. > > We know there is money involved and we are looking for a trustworthy > company or individual to do the job witho
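The suggestion in the reply above is to compare what an external nmap actually shows against the short list of ports you intend to expose, so that anything like the factory-opened 1723 and 2000 stands out before a pen tester finds it. The script below is an added example, not code from the post: it reads nmap's grepable (-oG) output and prints every open port that is not on a declared allowlist. The scan it runs against is a constructed sample modelled on the four ports listed in the thread, and 203.0.113.5 is a placeholder address.

```shell
#!/bin/sh
# Added example: flag open ports in nmap grepable (-oG) output that are not on
# an allowlist. SAMPLE_GNMAP is a constructed sample, not a real scan; it copies
# the four ports from the post, against a placeholder host 203.0.113.5.
SAMPLE_GNMAP='# Nmap 5.00 scan initiated (constructed sample)
Host: 203.0.113.5 ()  Status: Up
Host: 203.0.113.5 ()  Ports: 80/open/tcp//http///, 443/open/tcp//https///, 1723/open/tcp//pptp///, 2000/open/tcp//callbook///  Ignored State: filtered (65531)
# Nmap done (constructed sample)'

# open_ports: read -oG output on stdin, print one "port/proto" line per open port.
# The Ports: field is "port/state/proto/owner/service/rpc/version" entries
# separated by ", "; only entries whose state is "open" are kept.
open_ports() {
    grep '^Host:.*Ports:' |
    sed -e 's/.*Ports: //' -e 's/[[:space:]]*Ignored State.*//' |
    tr ',' '\n' |
    awk -F/ '$2 == "open" { gsub(/^[[:space:]]+/, "", $1); print $1 "/" $3 }'
}

# unexpected_ports PORT/PROTO...: read -oG output on stdin and print every open
# port that is not in the argument list (the ports you declared you expose).
unexpected_ports() {
    allow=" $* "
    open_ports | while read -r port; do
        case "$allow" in
            *" $port "*) ;;          # declared: fine
            *) echo "$port" ;;       # undeclared: close it or explain it
        esac
    done
}

# Usage with the sample: only 80 and 443 are meant to be open, so this prints
# 1723/tcp and 2000/tcp. With a real scan of your external address:
#   nmap -sS -p- -oG scan.gnmap HOST
#   unexpected_ports 80/tcp 443/tcp < scan.gnmap
printf '%s\n' "$SAMPLE_GNMAP" | unexpected_ports 80/tcp 443/tcp
```

Scan from outside your own network (a friend's connection or a rented host), since a scan from inside the firewall appliance shows what the appliance lets the inside see, not what the world sees; and scan the full port range, because a default nmap only probes the common ports and would miss something like a Usermin on 20000.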
Re: LTS worth anything? (was: Re: [SLUG] Announcement roundup from October meeting)
2009/11/1 Robert Collins : > https://wiki.ubuntu.com/LTS > > To get the LTS updated a 'stable release update' is needed - SRU: > https://wiki.ubuntu.com/StableReleaseUpdates. When an individual fix is > backported it's called an SRU - see below for 'backports', which is a > whole other thing. Thanks for the terminology lesson. "Ubuntu SRU" seems to be pretty equivalent to "Backport" in the RHEL/CentOS world, i.e. get the same version as before but with the bug fixed. > >> > - backports are available if you want newer packages on a per package >> > basis. >> >> "Backporting", in the definitions I'm familiar with (e.g. RHEL), is to >> fix an OLDER version which is current in a supported release, not an >> upgrade to a later version of the software. > > In Debian/Ubuntu 'backports' (NOT BackportING) is a collection of newer > packages built as much as possible against an older release. > https://help.ubuntu.com/community/UbuntuBackports I know about Debian backports, used to use them back when Debian was my OS of choice. They were officially unsupported and at first even not hosted on Debian servers. That's not what I mean by "backporting" in the RHEL/CentOS sense. Cheers, --Amos
Re: [SLUG] Penetration Test
The department is employing a "white hat" to do a penetration test at the end of this month and we thought it would be better to be forearmed. This LMS is very important to us and has significantly helped our student base lift their average results to be near the top for the state. They have guided learning available to them both at home and at school. We would hate that one mistake on my part would give the department the excuse they need to shut us down. Is the person doing a penetration test or a policy style test? i.e. will they be given any physical access to the box or are they the same as everybody outside? If they are coming from outside then you should be pretty safe. (They should get the same done against their other system as well, just because I have used Blackboard as a student and it sucked donkey "parts", so if you can kill it so much the better ;->)
Re: [SLUG] Penetration Test
Daniel, > First, let me say that I am sorry you didn't appreciate the response, and the > implied criticism of your plan. It was absolutely not my intention to offend, > but rather to continue to question my own assumptions in the face of someone > who disagreed with me. > > I regret that my statements came across poorly, and left you feeling unhappy. > > Nothing I have seen on the list that you said has made me the slightest bit unhappy. Your comments are worthwhile and I appreciate them. Amin made a comment last night which he later apologised for. Apparently some drunken mate had his iPhone. The message did not make it to the list - I thought it had - so you would not have seen it. I will leave it to your imagination as to what it inferred. I have on several occasions advised the department of our configuration and security configuration but unfortunately, teachers get promoted into technical positions and they freely admit they haven't a clue about what I am saying. That adds to my difficulties as you can imagine and one has to wonder what sort of technology decisions they are making. A colleague of mine is helping me craft some iptables which will further tighten the internal one way mirror which currently lets the internal network open access to the server. We are going to allow only ports 80 and 22 to access the server from inside and as he represents the manufacturer of the firewall appliance (ePipe) we use, he will assist me to turn off the factory opened ports (1723 and 2000). I believe that when we make these changes, the system will be very tight and as we use only pre-built software (Moodle, Joomla, Meeting Room Booking Service and Gallery) which I keep very much up to date, we should be OK. The Gallery is only viewable from inside the school because of privacy issues. Thanks again for your very valuable input and my apologies if I insinuated that you had upset me. It was a reference to another's comments (see above).
Regards, Rick
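The policy Rick describes above (80 and 443 to the world, ssh from one admin address, only 80 and 22 from the inside network, and the server never initiating a connection toward the inside) written out as an iptables-restore ruleset. This is an added example, not Rick's or his colleague's actual rules and nothing to do with the ePipe appliance: it is the host's own filter. The interface names eth0/eth1, the inside range 10.0.0.0/8 and the admin address 203.0.113.10 are placeholders (assumptions) to be replaced. It uses a default DROP on every chain plus the handful of stateful, loopback and ICMP rules a host needs to still behave as a proper IP peer, and it only prints the ruleset so it can be read before it is loaded.

```shell
#!/bin/sh
# Added example, not the rules from the post. Placeholders (assumptions):
#   WAN_IF   interface facing the Internet
#   LAN_IF   interface facing the school network
#   LAN_NET  the school network's address range
#   ADMIN_IP the one external address allowed to ssh in
WAN_IF=${WAN_IF:-eth0}
LAN_IF=${LAN_IF:-eth1}
LAN_NET=${LAN_NET:-10.0.0.0/8}
ADMIN_IP=${ADMIN_IP:-203.0.113.10}

# gen_rules: print an iptables-restore(8) ruleset implementing the policy:
# default DROP everywhere, web to the world, ssh from ADMIN_IP only, web and
# ssh from the school network, and no connections initiated toward it.
gen_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:LOGDROP - [0:0]
# loopback is unrestricted
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# packets belonging to connections already accepted, in either direction
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
# stay a well-behaved IP host: answer pings (rate-limited); ICMP errors for
# our own connections arrive as RELATED and are accepted above
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
# the world: web only
-A INPUT -i $WAN_IF -p tcp --dport 80 -j ACCEPT
-A INPUT -i $WAN_IF -p tcp --dport 443 -j ACCEPT
# administration: ssh from the one admin address only
-A INPUT -i $WAN_IF -s $ADMIN_IP -p tcp --dport 22 -j ACCEPT
# the school network: web and ssh only
-A INPUT -i $LAN_IF -s $LAN_NET -p tcp --dport 80 -j ACCEPT
-A INPUT -i $LAN_IF -s $LAN_NET -p tcp --dport 22 -j ACCEPT
# the one-way mirror: the server never opens a connection toward the school network
-A OUTPUT -o $LAN_IF -d $LAN_NET -m state --state NEW -j LOGDROP
# new outbound connections elsewhere (DNS, package updates, outgoing mail)
-A OUTPUT -o $WAN_IF -m state --state NEW -j ACCEPT
# everything else is logged (rate-limited, so a scan cannot fill the disk) and dropped
-A INPUT -j LOGDROP
-A OUTPUT -j LOGDROP
-A LOGDROP -m limit --limit 5/min -j LOG --log-prefix "fw-drop: "
-A LOGDROP -j DROP
COMMIT
EOF
}

# Read the output first, then load it with:  gen_rules | iptables-restore
# Do the same for ip6tables-restore; a ruleset with only the three DROP
# policies is enough there if IPv6 is not in use.
gen_rules
```

Two things worth checking after loading: that the LOGDROP line for the inside network is the only way a NEW packet can leave on the LAN interface (replies to inside clients still flow, because they match ESTABLISHED first), and that the `fw-drop:` entries in the daily log review show nothing on 1723 or 2000 once the appliance's factory ports are closed.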
Re: [SLUG] Penetration Test
db writes: G'day DB. > Daniel um ... ok. I don't see how a security audit is any different to any > other (audit). Audits should be done. Absolutely. We are in complete agreement here. Now I just have one last question, to help me understand what you are trying to say: what do security audits have to do with penetration testing? Perhaps this is just me, though. Maybe I am using the terms wrong or something: My experience, to date, is that "penetration testing" means that someone comes along with their toolset and tries to break into the server. Usually, "knocking on the door" of services, scanning for known vulnerabilities, checking for weak passwords, that sort of thing. What it *doesn't* include is any real degree of looking inside the system. No auditing of your password policies, or your system configuration. No checks on how you handle privilege separation. Penetration testing is all about having someone run tests on the "black box" system to see if they can find any security issues. A "security audit", on the other hand, is very "white box": you pay someone to come along, systematically look at every aspect of the system, compare it to your documented plan for maintaining security, then report on how you did in practice compared to theory. Based on those definitions I see the two of them as quite distinct tasks, and one of them as much more valuable. :) Daniel -- ✣ Daniel Pittman ✉ dan...@rimspace.net ☎ +61 401 155 707 ♽ made with 100 percent post-consumer electrons Looking for work? Love Perl? In Melbourne, Australia? We are hiring.
Re: [SLUG] Penetration Test
Rick Phillips writes: >> Just out of interest, what kind of server are you talking about ? > > Briefly, we have been running this server for 5 years principally to serve > learning materials to students. Initially, the server was sanctioned by the > Education Department and it has grown in usefulness and reliability and > contrary to the official LMS run by the department, is very easy to use. We > run Moodle which is free, they run Blackboard, which is not. The success of > our Moodle is proving to be of some embarrassment to them now as other > schools are pushing for a similar situation as our own and now they want our > service closed down. [...] > The department is employing a "white hat" to do a penetration test at the > end of this month and we thought it would be better to be forearmed. That seems a reasonable approach to me, although I would generally prefer to rely on security auditing and design to prepare for such events. Certainly, my general experience when faced with that sort of situation is that checking our risk assessments, and doing an internal audit of the system against that, was very effective. [...] > We know there is money involved and we are looking for a trustworthy > company or individual to do the job without destroying our server and > who will advise us where our weaknesses, if any, lie. > > Perhaps I am being naive and simplistic in my approach. > > This is a serious matter for us and I certainly didn't appreciate last > night's reply to the list. I am going to presume you are referring to my comments here, because there isn't much harm if I don't. First, let me say that I am sorry you didn't appreciate the response, and the implied criticism of your plan. It was absolutely not my intention to offend, but rather to continue to question my own assumptions in the face of someone who disagreed with me. I regret that my statements came across poorly, and left you feeling unhappy.
Secondly, in light of the situation this seems to be a reasonable strategy: if you know that you are going to be penetration tested then, indeed, getting someone professional and external to do a penetration test is going to give you some useful information.[1] I would strongly advise that you couple your penetration test with a serious security and risk assessment, though: they cover very different ground. It is also my experience that when you face a social problem — like the other folks trying to get you shut down — having a serious technical risk assessment document, and a security plan, and proof that you internally audit against those documents is a *very* valuable addition. I suggest that in addition to passing this present technical challenge you need to be working to produce details that help you prove to the department that you are secure, and that you have considered the issues, *without* them needing to go to the trouble of actually testing you. I can't say that with certainty, obviously — I don't work with, or for, the NSW department of education. I can say that in similar situations, including dealing with similar government departments down in Victoria, those social strategies have worked effectively for me in the past. Regards, Daniel Footnotes: [1] I am still not convinced the department are making the right decision in their approach to the situation, but in the context...