[Aha, a list version]
On Tue, Aug 31, 2004 at 03:18:06PM +0300, [EMAIL PROTECTED] wrote:
> Matthew Palmer wrote:
> > Put up at http://www.hezmatt.org/~mpalmer/talks/2004/security-slug/, please
> > be gentle with my ADSL link.
> >
> > - Matt
>
> Thanks for putting this up.
>
> 1. About remote port scanning - there are probably other services people
> here can recommend, but one which I am aware of and trust is GRC's "ShieldsUP"
> service at https://www.grc.com/x/ne.dll?bh0bkyd2 (hope this link works, if not
> then go to the root and dig from there). This is of course useful when you
> don't have a remote machine to scan from.
First rule: always have a remote machine to scan from. <grin>
> 2. For checking which files were modified - I think I saw some "debian package
> checksum checkers" around - is there anything useful already? How useful is the
That would be debsums, I think. Useful as far as it goes, but on an already
compromised machine, it's of limited utility, because the checker, the sums
database, or anything underlying either could have been compromised. You
can take the system off-line and run from known, trusted sources, but you're
3/4 of the way to re-installing by that point, and you still can't be sure
that something hasn't been *added* to the system you don't know about.
> free version of "electric fence"?
The electric fence I know is a buffer overrun checker.
> 3. logwatch (has a debian package) mails me every day what happened in
> my logs, helps keep a casual eye on my logs without having to rummage
> through them every day.
Again, mentioned in the talk, but worth mentioning again -- I've also seen
recent talk of a real-time log analyser, which would be of particular
interest if you had some sort of SMS or pager alert system available.
> 4. You might call this "security through obscurity" but I've grown tired
> of my apache/ssh/imaps ports being scanned dozens of times per hour so I
> moved them to non-conventional ones and reduced the load practically to
> zero. I'm aware this is not practical for a public HTTP server but it
> might help a bit with the other services. Lesser noise helps find actual
> attacks.
Definite security by obscurity. I'm surprised it's not more common, but I
know many proxy scanners will automatically try some/many other ports,
looking for "protocol signatures" (i.e. throw a simple HTTP/1.0 request at it
and see if it goes "poing", or see if the first three characters sent
straight after connection are '220'). This could easily be extended to
arbitrary port scanning to find open ports, then this sort of
protocol-signature scanning to find, say, the port you happen to have left
your SSH server on.
Basically, it's probably an effective technique to keep yourself out of the
"really low-hanging fruit" market, but certainly don't give it too many
points in your risk mitigation assessment.
> I'd be glad to hear what people think about these tools and practices,
> and what else I can do to protect my home machine (which is connected
> 24/7 through ADSL).
If you can afford it, a second box to act purely as a firewall / router
(preferably transparent) is an *excellent* idea. It won't necessarily stop
the rodents, but it'll certainly slow 'em down a lot.
I wonder if a talk on how to conduct a thorough risk assessment might be a
useful follow-on from this topic. Anyone care to put their hand up?
> (An old anecdote - I used to take part in a tiny ISP about a decade ago
> and thought "oh - we are tiny, who the hell is going to bother with us?"
That's firmly in the category of famous last words. The thing to remember
is that, until you're deep into "Large Corporation" territory, crackers
aren't after you for brand recognition, they're more after your boxes as
another plaything or spam/DoS zombie. In that sense, *every* box on the
Internet is an equal target. You don't get cracked because you're a big
company, you get cracked because you *can* be cracked.
> and we were owned for a long time with not much luck getting rid of the
> owner. Lesson - it will happen to ANYTHING connected to the net, no
> exceptions whatsoever).
Amen.
- Matt
(Hmm, good sigmonster -- I've had two RAM sticks go dead in the past week,
and POST passed them both)
--
"You could wire up a dead rat to a DIMM socket and the PC BIOS memory test
would pass it just fine."
-- Ethan Benson
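An added example (not part of the thread, and not debsums' own code) illustrating the point about file-integrity checkers made above: a checker that only verifies known files against a sums database says nothing about files that were *added*, so the baseline here records the whole tree and the comparison reports additions and removals as well as modifications. The helper names (`build_manifest`, `compare`, `demo`) and the tiny directory tree are constructed for this example; in real use the baseline and the checker itself would have to come from trusted, off-host media, exactly as the reply says.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large binaries don't load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every regular file under root (path relative to root) to its SHA-256.

    Recording *every* file, not just packaged ones, is what lets the comparison
    flag files that were dropped onto the box after the baseline was taken.
    Symlinks are skipped so a link can't point the hash at a different file.
    """
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue
            manifest[str(p.relative_to(root))] = hash_file(p)
    return manifest


def compare(baseline: dict, current: dict) -> dict:
    """Report changed, removed and added paths between two manifests.

    The baseline must be stored somewhere the host cannot write to (CD, another
    machine); a baseline kept on the checked host is worth nothing once the host
    is compromised.
    """
    return {
        "modified": sorted(k for k in baseline if k in current and baseline[k] != current[k]),
        "removed": sorted(k for k in baseline if k not in current),
        "added": sorted(k for k in current if k not in baseline),
    }


def demo() -> dict:
    """Constructed scenario: baseline a small tree, then tamper with it."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "bin").mkdir()
        (root / "bin" / "ls").write_bytes(b"original ls binary\n")
        (root / "etc").mkdir()
        (root / "etc" / "passwd").write_bytes(b"root:x:0:0::/root:/bin/sh\n")

        baseline = build_manifest(root)  # in practice: taken at install time, kept off-host

        # Simulated compromise: a replaced binary (debsums-style check catches this)
        # and a brand-new file (a package checksum check never sees this one).
        (root / "bin" / "ls").write_bytes(b"replaced ls binary\n")
        (root / "bin" / ".hidden").write_bytes(b"not from any package\n")

        return compare(baseline, build_manifest(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:9s} {paths}")
```

Running it reports `bin/ls` as modified and `bin/.hidden` as added; the second finding is the one a package-only checker would miss.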
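A second added example (again not from the thread, nor from logwatch) for the "real-time log analyser with an SMS or pager alert" idea above: rather than a daily digest, this watches sshd lines as they arrive, counts failed logins per source address inside a sliding window, and produces one alert message per source the first time it crosses the threshold. The log lines, host name, addresses and the year (syslog timestamps carry none, so 2004 is assumed) are all constructed; `page_message` returns the text you would hand to whatever pager gateway you have, it does not send anything.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed syslog lines in the classic format (no year in the timestamp).
SAMPLE_LOG = """\
Aug 31 15:18:01 gw sshd[1234]: Failed password for invalid user admin from 203.0.113.7 port 4321 ssh2
Aug 31 15:18:03 gw sshd[1235]: Failed password for root from 203.0.113.7 port 4322 ssh2
Aug 31 15:18:04 gw sshd[1236]: Failed password for root from 203.0.113.7 port 4323 ssh2
Aug 31 15:18:05 gw sshd[1237]: Failed password for root from 203.0.113.7 port 4324 ssh2
Aug 31 15:18:06 gw sshd[1238]: Failed password for root from 203.0.113.7 port 4325 ssh2
Aug 31 15:19:40 gw sshd[1240]: Accepted publickey for mpalmer from 198.51.100.2 port 51000 ssh2
Aug 31 15:25:00 gw sshd[1241]: Failed password for root from 198.51.100.9 port 2000 ssh2
"""

# Matches the timestamp, the user name and the source address of a failed sshd login.
FAILED_RE = re.compile(
    r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(\S+) from (\S+)"
)


def parse_time(stamp: str, year: int = 2004) -> datetime:
    """Syslog timestamps have no year; the caller supplies it (assumed 2004 here)."""
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")


def analyse(lines, threshold: int = 5, window_seconds: int = 60) -> list:
    """Sliding-window failed-login counter.

    Keeps, per source address, the timestamps of failures inside the window and
    emits one alert the first time a source reaches `threshold` failures. A
    'first time only' rule is what keeps a pager from being flooded by one
    noisy scanner.
    """
    recent = defaultdict(deque)
    alerted = set()
    alerts = []
    for line in lines:
        m = FAILED_RE.match(line)
        if not m:
            continue  # successful logins and other daemons are ignored here
        ts, user, src = parse_time(m.group(1)), m.group(2), m.group(3)
        q = recent[src]
        q.append(ts)
        while q and (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()  # drop failures that have aged out of the window
        if len(q) >= threshold and src not in alerted:
            alerted.add(src)
            alerts.append({"source": src, "failures": len(q), "last_user": user, "at": ts})
    return alerts


def page_message(alert: dict) -> str:
    """Short text suitable for an SMS/pager gateway (sending is left to the reader)."""
    return (f"{alert['at']:%H:%M:%S} {alert['source']}: {alert['failures']} ssh "
            f"failures in window (last user {alert['last_user']})")


if __name__ == "__main__":
    for a in analyse(SAMPLE_LOG.splitlines()):
        print(page_message(a))
```

On the sample input only 203.0.113.7 trips the alert (five failures in five seconds); the single failure from 198.51.100.9 stays below the threshold and the successful publickey login is ignored, which is the "less noise, more signal" trade-off the thread is after.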
-- SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/ Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
