Re: Cracking attempt
Hi All,

> > c) i don't know about you, but i wouldn't be inclined to trust the security of a $100 consumer-grade firewall.
>
> I agree. Use a PC running SE Linux instead. ;)

I would just like to add (to this already long thread, but that's what I like about Debian-ISP) that an OpenBSD firewall in a bridging configuration makes for a good setup. This saves on IP addresses and provides added security due to the stealth nature of the firewall. One can also run Snort on it.

And I might add the OpenBSD packet filter syntax is my favourite as far as writing firewall rules go.

Cheers,
Fred.

Re: Cracking attempt
On Wed, 26 Feb 2003 07:33, Craig Sanders wrote:
> On Tue, Feb 25, 2003 at 07:19:09AM +0100, Stefaan Teerlinck wrote:
> > There are also cheap ($100) NAT routers / firewalls available like D-Link or Netgear if you don't need a speed 10Mbps. You'll have to spend $100, but it won't consume your time, it takes a lot less space, and it will consume a lot less electricity.
>
> linux gives you a lot of flexibility that a cheap router just can't provide. IMO IME, more flexibility than even a top-end commercial router provides.

Also it should be noted that even IF your dedicated router device provides exactly the same functionality as Linux for routing, it's still an extra device you have to administer. Remembering the syntax of both ipchains and iptables for my regular Linux work is enough effort for me, I don't want to memorise yet another set of configuration.

> c) i don't know about you, but i wouldn't be inclined to trust the security of a $100 consumer-grade firewall.

I agree. Use a PC running SE Linux instead. ;)

--
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page

Re: Cracking attempt
On Tue, Feb 25, 2003 at 07:19:09AM +0100, Stefaan Teerlinck wrote:
> There are also cheap ($100) NAT routers / firewalls available like D-Link or Netgear if you don't need a speed 10Mbps. You'll have to spend $100, but it won't consume your time, it takes a lot less space, and it will consume a lot less electricity.

yes, that's true...but:

a) $100 is a lot more than recycling an old desktop machine (free)

b) $100 routers are toys with very limited capabilities and very limited configurability. if what you want to do matches exactly what the menu options allow for, then they're OK. if not, then they're basically useless. linux gives you a lot of flexibility that a cheap router just can't provide. IMO IME, more flexibility than even a top-end commercial router provides.

c) i don't know about you, but i wouldn't be inclined to trust the security of a $100 consumer-grade firewall. i know from personal experience that some of dlink's cheaper products have gaping security holes (e.g. the DWL-900AP+ wireless AP has a flaw which allows anyone to flash upgrade it over the wireless interface)

d) if size and power consumption is an issue, better to spend $200-$250 USD on something like a soekris net4511 board (an SBC with several ethernet interfaces, mini-PCI, and 2 PCMCIA slots - they make pretty good routers, and the PCMCIA slots make them almost ideal for mast-mounted wireless access points) and install linux on it.

craig

ps: yes, i have a dlink DWL-900AP+ mounted in a box (and powered by 12v AC over the ethernet cable, regulated to DC) on the mast on my roof. i'm thinking of replacing it with a soekris board. or maybe a standard desktop pc in the roof plus about 12 metres of LMR-400 cable to the top of the mast. my main problem with the dlink is that it has no routing capability, and almost no diagnostic abilities. it's a black box that doesn't let you find out what is going on. with a linux box i could run kismet or airsnort or even tcpdump to help diagnose problems. which is another reason why linux boxes are superior to commercial routers - linux, like any unix, has available an enormous swag of useful tools.

--
craig sanders [EMAIL PROTECTED]

Fabricati Diem, PVNC.
 -- motto of the Ankh-Morpork City Watch

RE: Cracking attempt
There are also cheap ($100) NAT routers / firewalls available like D-Link or Netgear if you don't need a speed 10Mbps. You'll have to spend $100, but it won't consume your time, it takes a lot less space, and it will consume a lot less electricity.

-----Original Message-----
From: Craig Sanders [mailto:[EMAIL PROTECTED]]
Sent: Tuesday 25 February 2003 1:38
To: Tim Spriggs
CC: debian-isp@lists.debian.org
Subject: Re: Cracking attempt

On Mon, Feb 24, 2003 at 06:08:43AM -0700, Tim Spriggs wrote:
> > What OS are you using? Presumably if it was Linux you would have solved the problem with iptables or ipchains long ago...
>
> Solaris 9 :( It does have some firewalling software but caused some major conflicts at one point with no config and honestly, I and one other person are pushing to get a firewall and separation of tasks on different machines. The way this thing sits right now I'd be un-surprised if someone with an hour of spare time and a little talent could get in and fuck a _LOT_ up.

here's a quick-and-dirty (and cheap!) temporary solution:

get an old 386/486/pentium box - there should be several gathering dust at any university. put two ethernet cards in it, and install linux (any debian with kernel 2.4.x) on the machine and configure it as a NAT firewall. plug one NIC into your network, and use a crossover cable to connect the other NIC to your solaris box.

in short, what this will do is take the solaris box off the external network and put it on a second (private) network. DNAT on the linux box will allow authorised machines to connect to it and SNAT allows the solaris box to get out. if you configure the NAT stuff right, the change will be completely transparent to all users.

it's pretty ugly, but it will work...and it's something you can do without spending any money or asking permission (remember it's always easier to get forgiveness than permission :). if anyone ever notices and complains, you can justify it by saying you had no choice. you had to protect the server and the backups it contained but had no budget to do it with.

alternatively, build the linux box but put it between your external router and your main network. there's no need for NAT in this setup, just plain routing and iptables firewalling rules.

a third alternative, (which may or may not be viable, depending on what kind of border router you have and how your network is set up) is to replace the router with the linux box.

craig

RE: Cracking attempt
Thanks everyone.

-Tim

##--##--##--##--##--##--##--##--##--##--##--##--##
|             T I M   S P R I G G S              |
|        Assistant Sysadmin - Development        |
|        College of Engineering and Mines        |
|            ECE206A - (520) 621-3185            |
##--##--##--##--##--##--##--##--##--##--##--##--##

On Tue, 25 Feb 2003, Stefaan Teerlinck wrote:
> There are also cheap ($100) NAT routers / firewalls available like D-Link or Netgear if you don't need a speed 10Mbps. You'll have to spend $100, but it won't consume your time, it takes a lot less space, and it will consume a lot less electricity.
>
> -----Original Message-----
> From: Craig Sanders [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday 25 February 2003 1:38
> To: Tim Spriggs
> CC: debian-isp@lists.debian.org
> Subject: Re: Cracking attempt
>
> On Mon, Feb 24, 2003 at 06:08:43AM -0700, Tim Spriggs wrote:
> > > What OS are you using? Presumably if it was Linux you would have solved the problem with iptables or ipchains long ago...
> >
> > Solaris 9 :( It does have some firewalling software but caused some major conflicts at one point with no config and honestly, I and one other person are pushing to get a firewall and separation of tasks on different machines. The way this thing sits right now I'd be un-surprised if someone with an hour of spare time and a little talent could get in and fuck a _LOT_ up.
>
> here's a quick-and-dirty (and cheap!) temporary solution:
>
> get an old 386/486/pentium box - there should be several gathering dust at any university. put two ethernet cards in it, and install linux (any debian with kernel 2.4.x) on the machine and configure it as a NAT firewall. plug one NIC into your network, and use a crossover cable to connect the other NIC to your solaris box.
>
> in short, what this will do is take the solaris box off the external network and put it on a second (private) network. DNAT on the linux box will allow authorised machines to connect to it and SNAT allows the solaris box to get out. if you configure the NAT stuff right, the change will be completely transparent to all users.
>
> it's pretty ugly, but it will work...and it's something you can do without spending any money or asking permission (remember it's always easier to get forgiveness than permission :). if anyone ever notices and complains, you can justify it by saying you had no choice. you had to protect the server and the backups it contained but had no budget to do it with.
>
> alternatively, build the linux box but put it between your external router and your main network. there's no need for NAT in this setup, just plain routing and iptables firewalling rules.
>
> a third alternative, (which may or may not be viable, depending on what kind of border router you have and how your network is set up) is to replace the router with the linux box.
>
> craig

Re: Cracking attempt
On Mon, 24 Feb 2003, Russell Coker wrote:
> On Mon, 24 Feb 2003 07:38, Jason Lim wrote:
> > Usually if we get such a report, we'll inform the client of their actions. Most times that discourages them from doing it.
>
> In any case it's a service to your client - who is the one paying you. It always amazes me that people on the net expect you to take their side against one of your clients for something innocent like a bit of portscanning!
>
> > unless someone is REALLY repeatedly hammering a server. Then if no action is taken we may even block them at the router/switch level.
>
> That's the only thing to do, if someone is excessively scanning you then you block their IP addresses for a while. Of course you can't be too trigger happy with this or you'll end up with half the Internet in your firewall rule set...

In the defense of the ballistic person that is complaining about the portscan, one of our servers is running a backup server that dies with no error/warning when the server is portscanned. Unfortunately, our servers can not be put behind a firewall as funding is at an all time low. This is a very inconvenient feature and the company that provides the backup server will do nothing about it so we have to manually restart the daemon from time to time because we were (innocently) portscanned.

I guess my point is that there can be some weird side-effects to obscure things that portscans/other non-normal network behaviour can create. However I will still side with you on the fact that abnormal behaviour should be handled and discarded by the software.

Oh well. My two cents worth.

-Tim

Re: Cracking attempt
On Mon, 24 Feb 2003 10:59, Tim Spriggs wrote:
> > That's the only thing to do, if someone is excessively scanning you then you block their IP addresses for a while. Of course you can't be too trigger happy with this or you'll end up with half the Internet in your firewall rule set...
>
> In the defense of the ballistic person that is complaining about the portscan, one of our servers is running a backup server that dies with no error/warning when the server is portscanned. Unfortunately, our servers can not be put behind a firewall as funding is at an all time low.

!?!?!?

Firstly having a backup server on a public IP address is just asking for trouble.

What OS are you using? Presumably if it was Linux you would have solved the problem with iptables or ipchains long ago...

BTW As a rule of thumb, if you can crash it then you can probably exploit it, I hope that server isn't running as root.

> This is a very inconvenient feature and the company that provides the backup server will do nothing about it so we have to manually restart the daemon from time to time because we were (innocently) portscanned.

That sucks. Napster clients used to do the same, but you couldn't complain too much about free software that is used for unauthorised audio copying. ;)

--
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page

Re: Cracking attempt
It's a grey area imho. A portscan is just a knock on an apartment door, and just waiting to see who is going to open up. Besides that, it's nothing more. And you can see this as annoying, knocking on someone's door and then running like hell, but.. then again, no harm is done.

In comparison with a mail address probe, which I receive 30 times a day if I don't completely block a couple of Hungarian and Chinese ISPs, the domain is useless for any commercial form, and does harm me in a financial way if I really don't do anything about it.

So.. using the spam probe to compare it with a port scan.. well, I would report the spam probe a couple of times if I have the feeling it would make a difference.. but still.. it can be a lot of work.

Mark

On Mon, Feb 24, 2003 at 02:59:38AM -0700, Tim Spriggs wrote:
> On Mon, 24 Feb 2003, Russell Coker wrote:
> > On Mon, 24 Feb 2003 07:38, Jason Lim wrote:
> > > Usually if we get such a report, we'll inform the client of their actions. Most times that discourages them from doing it.
> >
> > In any case it's a service to your client - who is the one paying you. It always amazes me that people on the net expect you to take their side against one of your clients for something innocent like a bit of portscanning!
> >
> > > unless someone is REALLY repeatedly hammering a server. Then if no action is taken we may even block them at the router/switch level.
> >
> > That's the only thing to do, if someone is excessively scanning you then you block their IP addresses for a while. Of course you can't be too trigger happy with this or you'll end up with half the Internet in your firewall rule set...
>
> In the defense of the ballistic person that is complaining about the portscan, one of our servers is running a backup server that dies with no error/warning when the server is portscanned. Unfortunately, our servers can not be put behind a firewall as funding is at an all time low. This is a very inconvenient feature and the company that provides the backup server will do nothing about it so we have to manually restart the daemon from time to time because we were (innocently) portscanned.
>
> I guess my point is that there can be some weird side-effects to obscure things that portscans/other non-normal network behaviour can create. However I will still side with you on the fact that abnormal behaviour should be handled and discarded by the software.
>
> Oh well. My two cents worth.
>
> -Tim

--
-- Mark Lijftogt --

Re: Cracking attempt
Hi,

On Mon, Feb 24, 2003 at 06:08:43AM -0700, Tim Spriggs wrote:
> On Mon, 24 Feb 2003, Russell Coker wrote:
> > BTW As a rule of thumb, if you can crash it then you can probably exploit it, I hope that server isn't running as root.
>
> I realize that too. Unfortunately, Universities (at least around here) tend to be VERY political and getting something like linux as a main college server in place would be making waves with the type of people that run the money upstairs.

Just rest assured that a non-firewalled box containing backups will make a /lot/ more waves upstairs when (sic!) it gets cracked.

You don't need to push Linux, you just need to explain the current risks, their cost and what it costs to implement a solution (be it Debian or Windows-95 based, ultimately they won't care), and the risks associated with that.

Even the people upstairs have their gut feelings or prejudices about things they don't understand -- and we all know how hard that can make things -- they do tend to be sensitive to talks that mention well founded estimates of risks and costs.

Cheers,

Emile.

--
E-Advies / Emile van Bergen | [EMAIL PROTECTED]
tel. +31 (0)70 3906153      | http://www.e-advies.info

Re: Cracking attempt
Good point. The only other problem is that our department is looking for ways to cut back and so asking for _anything_ to my immediate superiors seems risky in their eyes. Certainly there are people on their level in other departments who wholeheartedly agree with me and even the people right above me to a degree but stuff seems to be flying left and right as people do not want to lose their jobs. Hmm, maybe I should dedicate a box of my own so I don't lose mine? :)

Anywho, I appreciate the concern and I do realize what a mess this entire thing is. If it were solely up to me I would have a linux firewall that routed all ssh/mail/other user services to a single box and then keep all of the system level crap on another (such as our LDAP server and backup client). As of right now, I can think of way too many ways that this thing is holier than the pope's golf clubs.

-Tim

##--##--##--##--##--##--##--##--##--##--##--##--##
|             T I M   S P R I G G S              |
|        Assistant Sysadmin - Development        |
|        College of Engineering and Mines        |
|            ECE206A - (520) 621-3185            |
##--##--##--##--##--##--##--##--##--##--##--##--##

On Mon, 24 Feb 2003, Emile van Bergen wrote:
> Hi,
>
> On Mon, Feb 24, 2003 at 06:08:43AM -0700, Tim Spriggs wrote:
> > On Mon, 24 Feb 2003, Russell Coker wrote:
> > > BTW As a rule of thumb, if you can crash it then you can probably exploit it, I hope that server isn't running as root.
> >
> > I realize that too. Unfortunately, Universities (at least around here) tend to be VERY political and getting something like linux as a main college server in place would be making waves with the type of people that run the money upstairs.
>
> Just rest assured that a non-firewalled box containing backups will make a /lot/ more waves upstairs when (sic!) it gets cracked.
>
> You don't need to push Linux, you just need to explain the current risks, their cost and what it costs to implement a solution (be it Debian or Windows-95 based, ultimately they won't care), and the risks associated with that.
>
> Even the people upstairs have their gut feelings or prejudices about things they don't understand -- and we all know how hard that can make things -- they do tend to be sensitive to talks that mention well founded estimates of risks and costs.
>
> Cheers,
>
> Emile.

Re: Cracking attempt
On Mon, Feb 24, 2003 at 06:08:43AM -0700, Tim Spriggs wrote:
> > What OS are you using? Presumably if it was Linux you would have solved the problem with iptables or ipchains long ago...
>
> Solaris 9 :( It does have some firewalling software but caused some major conflicts at one point with no config and honestly, I and one other person are pushing to get a firewall and separation of tasks on different machines. The way this thing sits right now I'd be un-surprised if someone with an hour of spare time and a little talent could get in and fuck a _LOT_ up.

here's a quick-and-dirty (and cheap!) temporary solution:

get an old 386/486/pentium box - there should be several gathering dust at any university. put two ethernet cards in it, and install linux (any debian with kernel 2.4.x) on the machine and configure it as a NAT firewall. plug one NIC into your network, and use a crossover cable to connect the other NIC to your solaris box.

in short, what this will do is take the solaris box off the external network and put it on a second (private) network. DNAT on the linux box will allow authorised machines to connect to it and SNAT allows the solaris box to get out. if you configure the NAT stuff right, the change will be completely transparent to all users.

it's pretty ugly, but it will work...and it's something you can do without spending any money or asking permission (remember it's always easier to get forgiveness than permission :). if anyone ever notices and complains, you can justify it by saying you had no choice. you had to protect the server and the backups it contained but had no budget to do it with.

alternatively, build the linux box but put it between your external router and your main network. there's no need for NAT in this setup, just plain routing and iptables firewalling rules.

a third alternative, (which may or may not be viable, depending on what kind of border router you have and how your network is set up) is to replace the router with the linux box.

craig

--
craig sanders [EMAIL PROTECTED]

Fabricati Diem, PVNC.
 -- motto of the Ankh-Morpork City Watch

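The two-NIC NAT layout described in the message above, written out as iptables rules. This is an added example, not part of the original post; the interface names, the addresses (documentation ranges) and the allowed sources and ports are all assumptions, and the script only prints the rules so they can be reviewed before being applied.

```shell
#!/bin/sh
# Added example: prints (does not apply) iptables rules for the two-NIC
# NAT firewall described in the message above.
# Assumed values, none of them from the thread:
EXT_IF="eth0"           # NIC plugged into the existing network
INT_IF="eth1"           # NIC on the crossover cable to the server
PUBLIC_IP="192.0.2.10"  # address clients already use; now bound to EXT_IF
PRIVATE_IP="10.0.0.2"   # server's new address on the private link

# gen_nat_rules "<allowed source addresses/nets>" "<tcp ports>"
# Every argument is validated before anything is printed, so a typo can
# never leave a half-built rule set in a pipe to sh.
gen_nat_rules() {
    nat_allowed="$1"
    nat_ports="$2"
    if [ -z "$nat_allowed" ] || [ -z "$nat_ports" ]; then
        echo "gen_nat_rules: need at least one source and one port" >&2
        return 1
    fi
    for nat_p in $nat_ports; do
        case "$nat_p" in
            *[!0-9]*) echo "gen_nat_rules: bad port '$nat_p'" >&2; return 1 ;;
        esac
        if [ "$nat_p" -lt 1 ] || [ "$nat_p" -gt 65535 ]; then
            echo "gen_nat_rules: port out of range '$nat_p'" >&2
            return 1
        fi
    done
    for nat_s in $nat_allowed; do
        case "$nat_s" in
            *[!0-9./]*) echo "gen_nat_rules: bad source '$nat_s'" >&2; return 1 ;;
        esac
    done

    # Start clean and refuse to forward anything not explicitly allowed.
    echo "iptables -F FORWARD"
    echo "iptables -t nat -F"
    echo "iptables -P FORWARD DROP"
    # Replies to connections that were already allowed.
    echo "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"

    # DNAT: authorised machines reach the server through the old address.
    for nat_s in $nat_allowed; do
        for nat_p in $nat_ports; do
            echo "iptables -t nat -A PREROUTING -i $EXT_IF -s $nat_s -d $PUBLIC_IP -p tcp --dport $nat_p -j DNAT --to-destination $PRIVATE_IP"
            echo "iptables -A FORWARD -i $EXT_IF -o $INT_IF -s $nat_s -d $PRIVATE_IP -p tcp --dport $nat_p -m state --state NEW -j ACCEPT"
        done
    done

    # SNAT: connections the server opens leave with the public address.
    echo "iptables -A FORWARD -i $INT_IF -o $EXT_IF -s $PRIVATE_IP -m state --state NEW -j ACCEPT"
    echo "iptables -t nat -A POSTROUTING -o $EXT_IF -s $PRIVATE_IP -j SNAT --to-source $PUBLIC_IP"
    # Routing between the two NICs is off by default.
    echo "echo 1 > /proc/sys/net/ipv4/ip_forward"
}

# Print a sample rule set for review when run with --print.
if [ "${1:-}" = "--print" ]; then
    gen_nat_rules "198.51.100.0/24 203.0.113.7" "22 25"
fi
```

Because the FORWARD policy is DROP, a port scan from an address outside the allowed list never reaches the server behind the firewall.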
Re: Cracking attempt
On Sun, Feb 23, 2003 at 08:36:05PM -0600, Rod Rodolico wrote:
> Ok, the other day someone scanned the ports from 3102 to 3230 on my server. My firewall picked it up and told me about it. I have the originating IP, date/time, etc...
>
> Question: What do you suggest I do about it? I've already contacted the owner of the IP's (cox.net) but really don't know what they will do. I was torn between Gee, the firewall does work and I'd love to catch the sucker. Have no idea what they were looking for as services lists Interbase and Squid in that range.
>
> Suggestions?

You mean to tell us that you got port scanned one time? I can't think of the last day when i wasn't port-scanned on all IP in my ranges. In my case they usually do it once. But if they come back and make a habit of it, then i make a file of their logged scans and send it to [EMAIL PROTECTED] with a note.

Port-scanning - yet another waste of bandwidth.

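One way to build the "file of their logged scans" mentioned above, as an added example that is not part of the original post. It assumes the firewall logs dropped packets in the Linux netfilter LOG format (SRC= and DPT= fields); the log lines are constructed, and the function names and the threshold are hypothetical.

```shell
#!/bin/sh
# Added example: summarise logged scans per source address so that only
# sources probing many distinct ports end up in a report or a block list.

# sample_log: constructed log lines, not real traffic. One source walks
# ports 3102-3230 (the range from the thread); the others are background.
sample_log() {
    sl_p=3102
    while [ "$sl_p" -le 3230 ]; do
        echo "Feb 23 20:31:02 gw kernel: IN=eth0 OUT= SRC=203.0.113.45 DST=192.0.2.10 LEN=60 TTL=52 PROTO=TCP SPT=40112 DPT=$sl_p SYN"
        sl_p=$((sl_p + 1))
    done
    for sl_i in 1 2 3; do
        echo "Feb 23 21:05:4$sl_i gw kernel: IN=eth0 OUT= SRC=198.51.100.20 DST=192.0.2.10 LEN=60 TTL=49 PROTO=TCP SPT=5210$sl_i DPT=25 SYN"
    done
    echo "Feb 23 22:10:07 gw kernel: IN=eth0 OUT= SRC=198.51.100.77 DST=192.0.2.10 LEN=60 TTL=50 PROTO=TCP SPT=33001 DPT=80 SYN"
    echo "Feb 23 22:10:09 gw kernel: IN=eth0 OUT= SRC=198.51.100.77 DST=192.0.2.10 LEN=60 TTL=50 PROTO=TCP SPT=33002 DPT=443 SYN"
}

# scan_report MIN_PORTS < logfile
# Prints one line per source that touched at least MIN_PORTS distinct
# destination ports: address, distinct ports, port range, packet count.
# Repeated hits on a single port (a retrying mail server, say) never
# raise the distinct-port count, which keeps the report from being
# trigger happy.
scan_report() {
    awk -v min="${1:-10}" '
    {
        src = ""; dpt = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^SRC=/) src = substr($i, 5)
            else if ($i ~ /^DPT=/) dpt = substr($i, 5) + 0
        }
        if (src == "" || dpt == "") next      # not a TCP/UDP packet line
        packets[src]++
        if ((src, dpt) in seen) next          # port already counted
        seen[src, dpt] = 1
        if (++nports[src] == 1 || dpt < lo[src]) lo[src] = dpt
        if (nports[src] == 1 || dpt > hi[src]) hi[src] = dpt
    }
    END {
        for (s in nports)
            if (nports[s] >= min + 0)
                printf "%s ports=%d range=%d-%d packets=%d\n",
                       s, nports[s], lo[s], hi[s], packets[s]
    }' | sort
}

# Show the report for the constructed log when run with --demo.
if [ "${1:-}" = "--demo" ]; then
    sample_log | scan_report 20
fi
```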
Re: Cracking attempt
Hi Rod,

Usually if we get such a report, we'll inform the client of their actions. Most times that discourages them from doing it. If they do it repeatedly and to many different hosts/IPs, then obviously there is something going on and we act on that. But rarely would an ISP disconnect a server or such just for one or two complaints of this sort (especially since no actual hacking/cracking occurred).

This reminds me of the Open Relay test. Some ISPs claimed it was illegal because they were intruding and testing their network for vulnerabilities. Others said that if you have a host on the internet, you can expect it to be a public system and thus accessed. Which is right, I don't know... but every day our servers and networks get probed at least hundreds of times. Rarely do we take action against the foreign/other ISP unless someone is REALLY repeatedly hammering a server. Then if no action is taken we may even block them at the router/switch level.

Hope that helps.

Jason
http://www.zentek-international.com/

----- Original Message -----
From: Rod Rodolico [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, 24 February, 2003 10:36 AM
Subject: Cracking attempt

Ok, the other day someone scanned the ports from 3102 to 3230 on my server. My firewall picked it up and told me about it. I have the originating IP, date/time, etc...

Question: What do you suggest I do about it? I've already contacted the owner of the IP's (cox.net) but really don't know what they will do. I was torn between Gee, the firewall does work and I'd love to catch the sucker. Have no idea what they were looking for as services lists Interbase and Squid in that range.

Suggestions?

Rod
--
1.79 x 10^12 furlongs per fortnight -- it's not just a good idea, it's the law!