RE: Cracking attempt

2003-02-25 Thread Tim Spriggs

Thanks everyone.

-Tim

##--##--##--##--##--##--##--##--##--##--##--##--##
| T I M   S P R I G G S |
| Assistant Sysadmin - Development |
| College of Engineering and Mines |
| ECE206A - (520) 621-3185 |
##--##--##--##--##--##--##--##--##--##--##--##--##

On Tue, 25 Feb 2003, Stefaan Teerlinck wrote:

> There are also cheap ($100) NAT routers / "firewalls" available like
> D-Link or Netgear if you don't need a speed > 10Mbps.
> You'll have to spend $100, but it won't consume your time, it takes a lot
> less space, and it will consume a lot less electricity.
>
> > -Original message-
> > From: Craig Sanders [mailto:[EMAIL PROTECTED]
> > Sent: Tuesday 25 February 2003 1:38
> > To: Tim Spriggs
> > CC: debian-isp@lists.debian.org
> > Subject: Re: Cracking attempt
> >
> >
> > On Mon, Feb 24, 2003 at 06:08:43AM -0700, Tim Spriggs wrote:
> > > > What OS are you using?  Presumably if it was Linux you would have
> > > > solved the problem with iptables or ipchains long ago...
> > >
> > > Solaris 9 :( It does have some firewalling software but caused some
> > > major conflicts at one point with no config and honestly, I and one
> > > other person are pushing to get a firewall and separation of tasks on
> > > different machines. The way this thing sits right now I'd be
> > > unsurprised if someone with an hour of spare time and a little talent
> > > could get in and fuck a _LOT_ up.
> >
> > here's a quick-and-dirty (and cheap!) temporary solution:
> >
> > get an old 386/486/pentium box - there should be several gathering dust
> > at any university.  put two ethernet cards in it, and install linux (any
> > debian with kernel 2.4.x) on the machine and configure it as a NAT
> > firewall.  plug one NIC into your network, and use a crossover cable to
> > connect the other NIC to your solaris box.
> >
> > in short, what this will do is take the solaris box off the external
> > network and put it on a second (private) network.  DNAT on the linux box
> > will allow authorised machines to connect to it and SNAT allows the
> > solaris box to get out.
> >
> > if you configure the NAT stuff right, the change will be completely
> > transparent to all users.
> >
> > it's pretty ugly, but it will work...and it's something you can do
> > without spending any money or asking permission (remember it's always
> > easier to get forgiveness than permission :).
> >
> > if anyone ever notices and complains, you can justify it by saying you
> > had no choice.  you had to protect the server and the backups it
> > contained but had no budget to do it with.
> >
> >
> > alternatively, build the linux box but put it between your external
> > router and your main network.  there's no need for NAT in this setup,
> > just plain routing and iptables firewalling rules.
> >
> >
> > a third alternative, (which may or may not be viable, depending on what
> > kind of border router you have and how your network is set up) is to
> > replace the router with the linux box.
> >
> > craig
> >
> > --
> > craig sanders <[EMAIL PROTECTED]>
> >
> > Fabricati Diem, PVNC.
> >  -- motto of the Ankh-Morpork City Watch
> >
> >
> > --
> > To UNSUBSCRIBE, email to [EMAIL PROTECTED]
> > with a subject of "unsubscribe". Trouble? Contact
> > [EMAIL PROTECTED]
> >
> >

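The two-NIC NAT firewall Craig sketches in the quoted message, written out as iptables rules. This is an added example, not code from the thread or from Debian; the interface names (eth0/eth1), the addresses (192.0.2.10 as the server's old public address, 10.0.0.2 as its new private one), the published ports (22 and 25), the ADMIN_NETS list, the fw-drop: log prefix and the count_target helper are all assumptions made for the example. The Linux box takes over the address the server used to have, which is what makes the change transparent to users.

```shell
#!/bin/sh
# Added example (not from the thread): the two-NIC Linux NAT firewall
# described above, as iptables rules for a 2.4-era or current kernel.
#
#   campus net --[EXT_IF]-- Linux box --[INT_IF]--crossover-- Solaris server
#
# The Linux box answers on the server's old public address, so DNS entries
# and users' habits do not change. Interface names, addresses and the
# port list below are assumptions.
set -eu

EXT_IF="${EXT_IF:-eth0}"               # NIC plugged into the campus network
INT_IF="${INT_IF:-eth1}"               # NIC on the crossover cable to the server
EXT_IP="${EXT_IP:-192.0.2.10}"         # server's old public address, now on EXT_IF
SRV_IP="${SRV_IP:-10.0.0.2}"           # server's new private address on INT_IF
SERVICES="${SERVICES:-22 25}"          # TCP ports that stay reachable from outside
ADMIN_NETS="${ADMIN_NETS:-0.0.0.0/0}"  # who may reach them; tighten this to your nets

# Print the complete rule set as shell commands rather than applying it, so
# it can be read, diffed and tested before it touches a production box.
gen_rules() {
  echo "sysctl -w net.ipv4.ip_forward=1"          # route between the two NICs
  echo "sysctl -w net.ipv4.conf.all.rp_filter=1"  # drop packets with spoofed sources

  # Start from empty tables so re-running the script is idempotent.
  for t in filter nat; do
    echo "iptables -t $t -F"
    echo "iptables -t $t -X"
  done
  echo "iptables -P INPUT DROP"
  echo "iptables -P FORWARD DROP"
  echo "iptables -P OUTPUT ACCEPT"
  echo "iptables -A INPUT -i lo -j ACCEPT"

  # Replies to connections the kernel already tracks may pass either way.
  echo "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
  echo "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"

  # Outbound: the server may open connections anywhere; SNAT rewrites the
  # source to the old public address so remote hosts still see the same IP.
  echo "iptables -A FORWARD -i $INT_IF -o $EXT_IF -s $SRV_IP -m state --state NEW -j ACCEPT"
  echo "iptables -t nat -A POSTROUTING -o $EXT_IF -s $SRV_IP -j SNAT --to-source $EXT_IP"

  # Inbound: DNAT only the published ports, only from the allowed nets. DNAT
  # by itself is not enough; FORWARD must also accept the rewritten packet.
  for net in $ADMIN_NETS; do
    for port in $SERVICES; do
      echo "iptables -t nat -A PREROUTING -i $EXT_IF -s $net -d $EXT_IP -p tcp --dport $port -j DNAT --to-destination $SRV_IP"
      echo "iptables -A FORWARD -i $EXT_IF -o $INT_IF -s $net -d $SRV_IP -p tcp --dport $port -m state --state NEW -j ACCEPT"
    done
  done

  # Everything else aimed at the old address (a port scan, for instance) now
  # dies on the Linux box instead of reaching the server. Log a trickle of it.
  echo "iptables -A INPUT -i $EXT_IF -m limit --limit 5/min -j LOG --log-prefix 'fw-drop: '"
  echo "iptables -A FORWARD -i $EXT_IF -m limit --limit 5/min -j LOG --log-prefix 'fw-drop: '"
}

# How many generated rules jump to a given target (DNAT, SNAT, ACCEPT, LOG).
count_target() {
  gen_rules | grep -c -- "-j $1"
}

if [ "${1:-print}" = apply ]; then
  gen_rules | sh -e        # run as root on the Linux box
else
  gen_rules
fi
```

Two things to get right on the Solaris side: its default route must point at the Linux box's address on INT_IF, and its services still see the clients' real source addresses (DNAT leaves the source alone), so tcp_wrappers rules and logs keep working, while its own outbound traffic now appears to come from the old public address. The default ADMIN_NETS of 0.0.0.0/0 keeps the listed ports as open as they were before; even then, a scan of the old address now only reaches the server on those ports, and everything else is dropped on the Linux box.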

Re: Cracking attempt

2003-02-24 Thread Tim Spriggs

Good point. The only other problem is that our department is looking for
ways to cut back and so asking for _anything_ to my immediate superiors
seems risky in their eyes.

Certainly there are people on their level in other departments who
wholeheartedly agree with me and even the people right above me to a
degree but stuff seems to be flying left and right as people do not want
to lose their jobs.

Hmm, maybe I should dedicate a box of my own so I don't lose mine? :)

Anywho, I appreciate the concern and I do realize what a mess this entire
thing is. If it were solely up to me I would have a linux firewall that
routed all ssh/mail/other user services to a single box and then keep all
of the system level crap on another (such as our LDAP server and backup
client).

As of right now, I can think of way too many ways that this thing is
holier than the pope's golf clubs.

-Tim

##--##--##--##--##--##--##--##--##--##--##--##--##
| T I M   S P R I G G S |
| Assistant Sysadmin - Development |
| College of Engineering and Mines |
| ECE206A - (520) 621-3185 |
##--##--##--##--##--##--##--##--##--##--##--##--##

On Mon, 24 Feb 2003, Emile van Bergen wrote:

> Hi,
>
> On Mon, Feb 24, 2003 at 06:08:43AM -0700, Tim Spriggs wrote:
>
> > On Mon, 24 Feb 2003, Russell Coker wrote:
> >
> > > BTW  As a rule of thumb, if you can crash it then you can probably
> > > exploit it, I hope that server isn't running as root.
> >
> > I realize that too. Unfortunately, Universities (at least around here)
> > tend to be VERY political and getting something like linux as a main
> > college server in place would be "making waves" with the type of
> > people that run the money upstairs.
>
> Just rest assured that a non-firewalled box containing backups will make
> a /lot/ more waves upstairs when (sic!) it gets cracked.
>
> You don't need to push Linux, you just need to explain the current
> risks, their cost and what it costs to implement a solution (be it
> Debian or Windows-95 based, ultimately they won't care), and the risks
> associated with that.
>
> Even the people upstairs have their gut feelings or prejudices about
> things they don't understand -- and we all know how hard that can make
> things -- they do tend to be sensitive to talks that mention well
> founded estimates of risks and costs.
>
> Cheers,
>
>
> Emile.
>
> --
> E-Advies / Emile van Bergen   |   [EMAIL PROTECTED]
> tel. +31 (0)70 3906153|   http://www.e-advies.info
>





Re: Cracking attempt

2003-02-24 Thread Tim Spriggs

On Mon, 24 Feb 2003, Russell Coker wrote:

> On Mon, 24 Feb 2003 10:59, Tim Spriggs wrote:
> > > That's the only thing to do, if someone is excessively scanning you then
> > > you block their IP addresses for a while.  Of course you can't be too
> > > trigger happy with this or you'll end up with half the Internet in your
> > > firewall rule set...
> >
> > In the defense of the ballistic person that is complaining about the
> > portscan, one of our servers is running a backup server that dies with no
> > error/warning when the server is portscanned. Unfortunately, our servers
> > can not be put behind a firewall as funding is at an all time low.
>
> !?!?!?
>
> Firstly having a backup server on a public IP address is just asking for
> trouble.

Yes, I know.

>
> What OS are you using?  Presumably if it was Linux you would have solved the
> problem with iptables or ipchains long ago...

Solaris 9 :( It does have some firewalling software but caused some major
conflicts at one point with no config and honestly, I and one other person
are pushing to get a firewall and separation of tasks on different
machines. The way this thing sits right now I'd be unsurprised if someone
with an hour of spare time and a little talent could get in and fuck a
_LOT_ up.

>
> BTW  As a rule of thumb, if you can crash it then you can probably exploit it,
> I hope that server isn't running as root.

I realize that too. Unfortunately, Universities (at least around here)
tend to be VERY political and getting something like linux as a main
college server in place would be "making waves" with the type of people
that run the money upstairs. Like I said, I'm pushing it. Debian has been
an all-time favorite of mine since I left redhat at version 5.2/5.0
several years back. I'd love to put Linux on the machine and call it a
day. For one, things compile MUCH easier.

> > This is a very inconvenient feature and the company that provides the
> > backup server will do nothing about it so we have to manually restart the
> > daemon from time to time because we were (innocently) portscanned.
>
> That sucks.  Napster clients used to do the same, but you couldn't complain
> too much about free software that is used for unauthorised audio copying.  ;)

Yeah, but you can sure as hell complain about backup software that you BUY
and then don't receive technical support in any way without paying more
and having a setup that barely works as it is.

~cough~ Veritas ~clears throat~ sorry... Just a little built up...

The hardware is kinda fun though... Sun v880 with 4 GB of RAM and six 36 GB
Fiber Channel drives.


One of the drives is dedicated to mirrors by the way. We have a
debian/cpan/xfree86/sunfreeware mirror setup on the box for anyone that's
in/around/close to Arizona.


-Tim

##--##--##--##--##--##--##--##--##--##--##--##--##
| T I M   S P R I G G S |
| Assistant Sysadmin - Development |
| College of Engineering and Mines |
| ECE206A - (520) 621-3185 |
##--##--##--##--##--##--##--##--##--##--##--##--##





Re: Cracking attempt

2003-02-24 Thread Tim Spriggs

On Mon, 24 Feb 2003, Russell Coker wrote:

> On Mon, 24 Feb 2003 07:38, Jason Lim wrote:
> > Usually if we get such a report, we'll inform the client of their actions.
> > Most times that discourages them from doing it.
>
> In any case it's a service to your client - who is the one paying you.  It
> always amazes me that people on the net expect you to take their side against
> one of your clients for something innocent like a bit of portscanning!
>
> > unless someone is REALLY repeatedly hammering a server. Then if no action
> > is taken we may even block them at the router/switch level.
>
> That's the only thing to do, if someone is excessively scanning you then you
> block their IP addresses for a while.  Of course you can't be too trigger
> happy with this or you'll end up with half the Internet in your firewall rule
> set...

In the defense of the ballistic person that is complaining about the
portscan, one of our servers is running a backup server that dies with no
error/warning when the server is portscanned. Unfortunately, our servers
can not be put behind a firewall as funding is at an all time low.

This is a very inconvenient feature and the company that provides the
backup server will do nothing about it so we have to manually restart the
daemon from time to time because we were (innocently) portscanned.


I guess my point is that there can be some weird side-effects to obscure
things that portscans/other non-normal network behaviour can create.
However I will still side with you on the fact that abnormal behaviour
should be handled and discarded by the software.

Oh well.

My two cents worth.

-Tim

>
> --
> http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
> http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
> http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
> http://www.coker.com.au/~russell/  My home page
>
>

