RE: Cracking attempt
Thanks everyone.

-Tim

##--##--##--##--##--##--##--##--##--##--##--##--##
|           T I M   S P R I G G S           |
|      Assistant Sysadmin - Development     |
|      College of Engineering and Mines     |
|         ECE206A - (520) 621-3185          |
##--##--##--##--##--##--##--##--##--##--##--##--##

On Tue, 25 Feb 2003, Stefaan Teerlinck wrote:

> There are also cheap ($100) NAT routers / firewalls available like D-Link
> or Netgear if you don't need a speed above 10Mbps. You'll have to spend
> $100, but it won't consume your time, it takes a lot less space, and it
> will consume a lot less electricity.
>
> -----Original Message-----
> From: Craig Sanders [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, 25 February 2003 1:38
> To: Tim Spriggs
> Cc: debian-isp@lists.debian.org
> Subject: Re: Cracking attempt
>
> On Mon, Feb 24, 2003 at 06:08:43AM -0700, Tim Spriggs wrote:
> > > What OS are you using?  Presumably if it was Linux you would have
> > > solved the problem with iptables or ipchains long ago...
> >
> > Solaris 9 :(  It does have some firewalling software but caused some
> > major conflicts at one point with no config and honestly, I and one
> > other person are pushing to get a firewall and separation of tasks on
> > different machines. The way this thing sits right now I'd be
> > unsurprised if someone with an hour of spare time and a little talent
> > could get in and fuck a _LOT_ up.
>
> here's a quick-and-dirty (and cheap!) temporary solution:
>
> get an old 386/486/pentium box - there should be several gathering dust
> at any university. put two ethernet cards in it, and install linux (any
> debian with kernel 2.4.x) on the machine and configure it as a NAT
> firewall. plug one NIC into your network, and use a crossover cable to
> connect the other NIC to your solaris box.
>
> in short, what this will do is take the solaris box off the external
> network and put it on a second (private) network. DNAT on the linux box
> will allow authorised machines to connect to it and SNAT allows the
> solaris box to get out.
>
> if you configure the NAT stuff right, the change will be completely
> transparent to all users.
>
> it's pretty ugly, but it will work...and it's something you can do
> without spending any money or asking permission (remember it's always
> easier to get forgiveness than permission :). if anyone ever notices and
> complains, you can justify it by saying you had no choice. you had to
> protect the server and the backups it contained but had no budget to do
> it with.
>
> alternatively, build the linux box but put it between your external
> router and your main network. there's no need for NAT in this setup,
> just plain routing and iptables firewalling rules.
>
> a third alternative, (which may or may not be viable, depending on what
> kind of border router you have and how your network is set up) is to
> replace the router with the linux box.
>
> craig
>
> --
> craig sanders [EMAIL PROTECTED]
>
> Fabricati Diem, PVNC.
>  -- motto of the Ankh-Morpork City Watch

--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
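The two-NIC NAT box Craig describes above, written out as an added example; the iptables rules are mine and not something from the thread or from Craig's setup. The firewall takes over the server's old public address on its outside NIC so that clients see no change, the server is renumbered onto the crossover link, DNAT lets only the listed sources reach the listed TCP ports, SNAT lets the server get out under its old address, and the FORWARD policy is DROP so anything not explicitly allowed is logged and discarded. The interface names, the addresses (RFC 5737 documentation ranges plus a 10.0.0.0/30 link) and the allowed sources and ports are assumptions, set at the top of the script. DRY_RUN=1 prints the commands instead of applying them, which is how to review the rule set before it goes on the box; `apply` as the first argument runs it for real, as root.

```shell
#!/bin/sh
# Added example (not from the thread): a two-NIC Debian/iptables box acting
# as a transparent NAT firewall in front of a single server.  Interface
# names, addresses and the allowed sources/ports below are assumptions.
# DRY_RUN=1 prints the commands instead of running them.

EXT_IF=${EXT_IF:-eth0}                # NIC plugged into the campus network
INT_IF=${INT_IF:-eth1}                # NIC on the crossover cable to the server
PUBLIC_IP=${PUBLIC_IP:-192.0.2.10}    # server's old public address, now on the firewall
SERVER_IP=${SERVER_IP:-10.0.0.2}      # server's new address on the private link
FW_INT_IP=${FW_INT_IP:-10.0.0.1}      # firewall's address on the private link
ALLOWED_SRC=${ALLOWED_SRC:-"198.51.100.0/24 203.0.113.7"}  # who may reach the server
ALLOWED_PORTS=${ALLOWED_PORTS:-"22 25 389"}                # ssh, smtp, ldap (assumed)
DRY_RUN=${DRY_RUN:-0}

# Either print one command line or execute it.
run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

host_setup() {
    # The firewall owns PUBLIC_IP so nobody has to change a client config;
    # the server itself is renumbered to SERVER_IP with FW_INT_IP as gateway.
    run ip addr add "$PUBLIC_IP/24" dev "$EXT_IF"
    run ip addr add "$FW_INT_IP/30" dev "$INT_IF"
    run sysctl -w net.ipv4.ip_forward=1
}

nat_rules() {
    run iptables -t nat -F
    run iptables -F FORWARD
    run iptables -P FORWARD DROP        # forward nothing unless a rule below allows it
    # Replies to already accepted connections, in either direction.
    run iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # SNAT: the server gets out and still appears as PUBLIC_IP.
    run iptables -t nat -A POSTROUTING -o "$EXT_IF" -s "$SERVER_IP" -j SNAT --to-source "$PUBLIC_IP"
    run iptables -A FORWARD -i "$INT_IF" -o "$EXT_IF" -s "$SERVER_IP" -j ACCEPT
    # DNAT: only authorised sources, only listed TCP ports, rewritten to the server.
    for src in $ALLOWED_SRC; do
        for port in $ALLOWED_PORTS; do
            run iptables -t nat -A PREROUTING -i "$EXT_IF" -s "$src" -d "$PUBLIC_IP" \
                -p tcp --dport "$port" -j DNAT --to-destination "$SERVER_IP"
            run iptables -A FORWARD -i "$EXT_IF" -o "$INT_IF" -s "$src" -d "$SERVER_IP" \
                -p tcp --dport "$port" -m state --state NEW -j ACCEPT
        done
    done
    # Anything else headed for the server is logged (rate limited so syslog
    # survives a scan) and then falls through to the DROP policy.
    run iptables -A FORWARD -i "$EXT_IF" -o "$INT_IF" -m limit --limit 5/min \
        -j LOG --log-prefix "fw-drop: "
}

# Number of DNAT rules the current settings produce: sources x ports.
# Useful as a sanity check of the allow lists before applying.
dnat_rule_count() {
    ( DRY_RUN=1; nat_rules ) | grep -c -- '-j DNAT'
}

if [ "${1:-}" = apply ]; then
    host_setup
    nat_rules
fi
```

The Solaris side still has to be reconfigured by hand (its address becomes SERVER_IP, its default route FW_INT_IP), and because the FORWARD policy is DROP, every host that legitimately talks to the server must be in ALLOWED_SRC before the cutover or it loses access. The second alternative in Craig's message, the box in front of the whole network, needs none of the nat-table rules: keep ip_forward and the FORWARD filtering rules, drop the SNAT/DNAT lines, and leave the addresses alone.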
Re: Cracking attempt
On Mon, 24 Feb 2003, Russell Coker wrote:

> On Mon, 24 Feb 2003 07:38, Jason Lim wrote:
> > Usually if we get such a report, we'll inform the client of their
> > actions. Most times that discourages them from doing it.
>
> In any case it's a service to your client - who is the one paying you.
>
> It always amazes me that people on the net expect you to take their side
> against one of your clients for something innocent like a bit of
> portscanning!
>
> > unless someone is REALLY repeatedly hammering a server. Then if no
> > action is taken we may even block them at the router/switch level.
>
> That's the only thing to do, if someone is excessively scanning you then
> you block their IP addresses for a while.
>
> Of course you can't be too trigger happy with this or you'll end up with
> half the Internet in your firewall rule set...

In the defense of the ballistic person that is complaining about the
portscan, one of our servers is running a backup server that dies with no
error/warning when the server is portscanned. Unfortunately, our servers
cannot be put behind a firewall as funding is at an all time low. This is
a very inconvenient feature and the company that provides the backup
server will do nothing about it so we have to manually restart the daemon
from time to time because we were (innocently) portscanned.

I guess my point is that there can be some weird side-effects to obscure
things that portscans/other non-normal network behaviour can create.
However I will still side with you on the fact that abnormal behaviour
should be handled and discarded by the software.

Oh well. My two cents worth.

-Tim

> --
> http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
> http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
> http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
> http://www.coker.com.au/~russell/  My home page
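An automatic version of Russell's "block their IP addresses for a while", added here as an example; it is not from the thread and not a description of Russell's or Jason's setup. It uses the iptables recent module: a source that sends HITS SYNs to ports the host does not serve within BAN_SECONDS is dropped, and because the ban rule refreshes the source's timestamp, the ban lasts until the scanner has been quiet for BAN_SECONDS and then expires on its own, which is what keeps "half the Internet" out of the rule set. The served ports, threshold and window are assumptions. A small block_source helper covers the manual one-off case and prints the matching unblock command so the entry is not forgotten.

```shell
#!/bin/sh
# Added example (not from the thread): temporary, self-expiring blocks for
# excessive port scanners using iptables' recent module.  Ports, threshold
# and window are assumptions.  DRY_RUN=1 prints the commands instead of
# running them.

SERVED_PORTS=${SERVED_PORTS:-22,25,80}   # TCP ports this host actually serves
HITS=${HITS:-5}                          # SYNs to unserved ports before a ban
BAN_SECONDS=${BAN_SECONDS:-600}          # window for counting, and ban lifetime
DRY_RUN=${DRY_RUN:-0}

# Either print one command line or execute it.
run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

scanner_rules() {
    # 1. A source already in the 'scanners' list with at least HITS entries
    #    inside BAN_SECONDS is dropped outright.  --update also records this
    #    packet, so the ban persists while the scanner keeps trying and lapses
    #    BAN_SECONDS after it stops.  Placed first so a banned source cannot
    #    reach the served ports either.
    run iptables -A INPUT -m recent --name scanners --update \
        --seconds "$BAN_SECONDS" --hitcount "$HITS" -j DROP
    # 2. Replies to our own connections and SYNs to served ports are accepted
    #    and never count as a hit.
    run iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    run iptables -A INPUT -p tcp --syn -m multiport --dports "$SERVED_PORTS" -j ACCEPT
    # 3. A SYN to any other port is one hit: record the source, then drop the
    #    packet (no RST, so the scanner also learns nothing about the port).
    run iptables -A INPUT -p tcp --syn -m recent --name scanners --set -j DROP
}

# Manual counterpart for a single address, with the command that undoes it.
block_source() {
    run iptables -I INPUT -s "$1" -j DROP
    printf 'to unblock: iptables -D INPUT -s %s -j DROP\n' "$1"
}

if [ "${1:-}" = apply ]; then scanner_rules; fi
```

Only SYNs to unserved ports count, so a client that legitimately connects to a served port a thousand times is never banned; the threshold is what stops a single stray connection from being treated as a scan. The current list is readable in /proc/net/xt_recent/scanners (ipt_recent on older 2.4 kernels), which is the place to look before assuming a complaining user is a scanner.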
Re: Cracking attempt
Good point. The only other problem is that our department is looking for
ways to cut back and so asking my immediate superiors for _anything_
seems risky in their eyes. Certainly there are people on their level in
other departments who wholeheartedly agree with me and even the people
right above me to a degree but stuff seems to be flying left and right as
people do not want to lose their jobs. Hmm, maybe I should dedicate a box
of my own so I don't lose mine? :)

Anywho, I appreciate the concern and I do realize what a mess this entire
thing is. If it were solely up to me I would have a linux firewall that
routed all ssh/mail/other user services to a single box and then keep all
of the system level crap on another (such as our LDAP server and backup
client). As of right now, I can think of way too many ways that this
thing is holier than the pope's golf clubs.

-Tim

##--##--##--##--##--##--##--##--##--##--##--##--##
|           T I M   S P R I G G S           |
|      Assistant Sysadmin - Development     |
|      College of Engineering and Mines     |
|         ECE206A - (520) 621-3185          |
##--##--##--##--##--##--##--##--##--##--##--##--##

On Mon, 24 Feb 2003, Emile van Bergen wrote:

> Hi,
>
> On Mon, Feb 24, 2003 at 06:08:43AM -0700, Tim Spriggs wrote:
> > On Mon, 24 Feb 2003, Russell Coker wrote:
> > > BTW As a rule of thumb, if you can crash it then you can probably
> > > exploit it, I hope that server isn't running as root.
> >
> > I realize that too. Unfortunately, Universities (at least around here)
> > tend to be VERY political and getting something like linux as a main
> > college server in place would be making waves with the type of people
> > that run the money upstairs.
>
> Just rest assured that a non-firewalled box containing backups will make
> a /lot/ more waves upstairs when (sic!) it gets cracked.
>
> You don't need to push Linux, you just need to explain the current risks,
> their cost and what it costs to implement a solution (be it Debian or
> Windows-95 based, ultimately they won't care), and the risks associated
> with that.
>
> Even though the people upstairs have their gut feelings or prejudices
> about things they don't understand -- and we all know how hard that can
> make things -- they do tend to be sensitive to talks that mention well
> founded estimates of risks and costs.
>
> Cheers,
>
> Emile.
>
> --
> E-Advies / Emile van Bergen | [EMAIL PROTECTED]
> tel. +31 (0)70 3906153      | http://www.e-advies.info