Nessus Webmin Security Questions
Hi guys, @ the moment I'm working on securing a web-server. I installed Nessus to know where to start from with the big problems. Seems like Nessus thinks that one of the biggest problems is webmin? Can anybody tell me some experiences? Is there a possibility to further restrict, or replace some parts of webmin (see text below)? I really would like to use it.

Also, what's quite annoying is that Nessus says:

*** Nessus reports this vulnerability using only
*** information that was gathered. Use caution
*** when testing without safe checks enabled.

I've tried a lot of settings but it seems that I'm missing the safe checks, any idea where to find those? How can I REALLY stress webmin, to see if it's safe? Of course I'm using the ssl variant :-)! Where is the check box for the safe checks O_o ?

On the client side I use (don't hit me :-) NessusMX, the Wintendo Client, and on the server side the nessusd with version 1.2.7. I already searched the FAQ @ nessus.org. I did an upgrade on the plugins via /usr/sbin/nessus-update-plugins. But the warnings remain.

Any help is greatly appreciated,
Simmel

That's what Nessus suggests, and there are even more :/ these are only High and Serious warnings (didn't copy the low ones)

--snip--snip--snip--

unknown (1/tcp) High
It is possible to read any file on the remote system by prepending several dots before the file name.
Example : GET ../config.sys
Solution : Disable this service and install a real Web Server.
Risk factor : High
CVE : CVE-1999-0386

unknown (1/tcp) High
The CGI /scripts/tools/newdsn.exe is present. This CGI allows any attacker to create files anywhere on your system if your NTFS permissions are not tight enough, and can be used to overwrite DSNs of existing databases.
Solution : Remove newdsn.exe
Risk factor : High
CVE : CVE-1999-0191

unknown (1/tcp) High
The 'nph-publish.cgi' is installed. This CGI has a well known security flaw that lets an attacker execute arbitrary commands with the privileges of the http daemon (usually root or nobody).
Solution : remove it from /cgi-bin.
Risk factor : Serious
CVE : CVE-1999-1177

unknown (1/tcp) High
The 'webdist.cgi' cgi is installed. This CGI has a well known security flaw that lets anyone execute arbitrary commands with the privileges of the http daemon (root or nobody).
*** Nessus reports this vulnerability using only
*** information that was gathered. Use caution
*** when testing without safe checks enabled.
Solution : remove it from /cgi-bin.
Risk factor : Serious
CVE : CVE-1999-0039

unknown (1/tcp) High
Some versions of the mini-sql program come with a w3-msql CGI which is vulnerable to a buffer overflow. An attacker may use it to gain a shell on this system.
*** Nessus reports this vulnerability using only
*** information that was gathered. Use caution
*** when testing without safe checks enabled.
Solution : contact the vendor of mini-sql (http://hugues.com.au) and ask for a patch. Meanwhile, remove w3-msql from /cgi-bin
Risk factor : High
CVE : CVE-2000-0012

unknown (1/tcp) High
The CGI 'ais' is installed. This CGI has a well known security flaw that lets an attacker execute arbitrary commands with the privileges of the http daemon (usually root or nobody).
*** Nessus reports this vulnerability using only
*** information that was gathered. Use caution
*** when testing without safe checks enabled.
Solution : remove it from /cgi-bin.
Risk factor : Serious
CVE : CAN-2001-0223
Risk factor : Serious
CVE : CVE-1999-0951

unknown (1/tcp) High
There may be a buffer overrun in the 'cgitest.exe' CGI program, which will allow anyone to execute arbitrary commands with the same privileges as the web server (root or nobody).
*** Nessus reports this vulnerability using only
*** information that was gathered. Use caution
*** when testing without safe checks enabled.
Solution : remove it from /cgi-bin.
Risk factor : Serious
CVE : CVE-2002-0128

unknown (1/tcp) High
There may be a buffer overflow in the remote cgi win-c-sample.exe. An attacker may use this flaw to execute arbitrary commands on this host.
*** Nessus reports this vulnerability using only
*** information that was gathered. Use caution
*** when testing without safe checks enabled.
Solution : delete it
Risk factor : High
CVE : CVE-1999-0178

unknown (1/tcp) High
There may be a buffer overflow in the remote htimage.exe cgi when it is given the request : /cgi-bin/htimage.exe/[]AAA?0,0
An attacker may use it to execute arbitrary code on this host.
*** Nessus reports this vulnerability using only
*** information that was gathered. Use caution
*** when testing without safe checks enabled.
Solution : delete it
Risk factor : High
CVE : CAN-2000-0256

unknown (1/tcp) High
The file /admin-serv/config/admpw is readable. This file contains the encrypted password for the Netscape
Security Questions
I have read Security-Quickstart-HOWTO. I believe my home network has been compromised (my daughter received returned emails she never sent) and plan to take drastic action. The network consists of DSL modem, a wireless router and four computers. I have no concerns about the family members and the houses in the neighborhood are widely separated so it is very unlikely that the wireless connection has been used by outsiders. The DSL link to the internet is my concern. Here are my questions:

1. How to erase hard drives? I plan to pull one computer off line and reinstall Debian Woody and Windows from CD's (Regrettably I still need Windows for a few applications). Is reinstallation enough or must, and can, the hard drives be wiped clean of any residual programs?

2. What is the best Firewall? I have an old Compaq 486 machine with no math coprocessor. I assume I can install two ethernet cards (I believe it has two PCI slots, must look though), load Woody, set up iptables and a sniffer and place it between the DSL modem and the wireless router. When I am ready to put this firewall in place I have all the computers off line. I will bring up the one that has its operating systems and applications reinstalled from CD's and download all the security updates from Debian and Microsoft. The procedure can then be repeated for the other computers.

3. DHCP or static addresses? I have been using static addresses. I believe I have seen in the references that it is possible to set the wireless router to receive and transmit to these addresses only? If so, is this the best approach?

4. How to deal with a rogue computer? The fly in this ointment is my grandson's laptop, a gift from his father (my daughter's ex-husband). It came with XP Professional and I don't have the CD's to reinstall it. My grandson likes to go on the internet and also use our wireless network to print his homework on one of the printers attached to the fixed computers. Would it work and not compromise the system if I give it a static address and instruct the other computers on the network to refuse any transmissions from this address? And could I then attach one of the printers to the computer serving as the firewall and allow all the computers on the network to use this printer without compromising the system?

I would greatly appreciate responses to the above questions and any recommendations of alternate and, or additional steps to secure the network.

Tom George

-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
Re: Security Questions
A few answers, but first a question: How do you know that your network has definitely been compromised? If the only evidence you have is that your daughter received returned emails she didn't send, how do you know that someone didn't generate those emails elsewhere, spoofing her email address and reply-to header? You could gain some insight by looking at the emails more carefully; if the emails were bounced by a mail relay along the way and returned, then you can see by the headers if they originated at your normal smtp (outgoing) server or not, which would give you some information. Just a thought.

Assuming your network IS compromised (and even if it isn't), remember that a wireless network cannot be 100% secured with current implementations, but you can do a lot to limit breaches: employ WEP encryption, disable SSID broadcasting, set up your router to allow access only by specified MAC addresses (this is the hardware address encoded into every ethernet interface, not the IP address used by the corresponding computer), and so on. There was an excellent article on wireless LAN security on arstechnica.com a few months ago that you should read.

My personal preference for dealing with a compromised system is to fully wipe the HD (repartition and reformat) and reinstall everything. There are, I suppose, other approaches you can use - for instance, if you compared the size, timestamp, and contents of every system file on a suspected system to those on a clean distribution and found no mismatches, it would be unlikely that a root kit was installed. I have seen occasional references to scripts that can do this here and there, but don't recall any of them offhand. Another approach is to build a snapshot of the entire system (file name, timestamp, permissions, size, uid/gid, etc) into a file. You can then periodically compare the state of the current system to the saved database (stored, of course, offline to avoid being changed by a malicious intruder) and that would tell you if the system has been changed or not. That doesn't help you here, but does help to detect a later breach. (Remember, if you do something like this, that every time you apt-get install/remove/update/upgrade/dist-upgrade you change the system, so you need to run the scanner to verify system integrity before any apt-get - to ensure the system is ok before you start - and again after the apt-get in order to create a new snapshot).

Lastly, bear in mind that as long as you allow an unsecured system behind your firewall (your grandson's computer) there is no way to ensure the security of your network.

Good luck.

On Sun, 2003-04-06 at 10:09, Thomas H. George,,, wrote:
> I have read Security-Quickstart-HOWTO. I believe my home network has been
> compromised (my daughter received returned emails she never sent) and plan
> to take drastic action. The network consists of DSL modem, a wireless
> router and four computers. I have no concerns about the family members and
> the houses in the neighborhood are widely separated so it is very unlikely
> that the wireless connection has been used by outsiders. The DSL link to
> the internet is my concern. Here are my questions:
>
> 1. How to erase hard drives? I plan to pull one computer off line and
> reinstall Debian Woody and Windows from CD's (Regrettably I still need
> Windows for a few applications). Is reinstallation enough or must, and
> can, the hard drives be wiped clean of any residual programs?
>
> 2. What is the best Firewall? I have an old Compaq 486 machine with no
> math coprocessor. I assume I can install two ethernet cards (I believe it
> has two PCI slots, must look though), load Woody, set up iptables and a
> sniffer and place it between the DSL modem and the wireless router. When I
> am ready to put this firewall in place I have all the computers off line.
> I will bring up the one that has its operating systems and applications
> reinstalled from CD's and download all the security updates from Debian
> and Microsoft. The procedure can then be repeated for the other computers.
>
> 3. DHCP or static addresses? I have been using static addresses. I believe
> I have seen in the references that it is possible to set the wireless
> router to receive and transmit to these addresses only? If so, is this the
> best approach?
>
> 4. How to deal with a rogue computer? The fly in this ointment is my
> grandson's laptop, a gift from his father (my daughter's ex-husband). It
> came with XP Professional and I don't have the CD's to reinstall it. My
> grandson likes to go on the internet and also use our wireless network to
> print his homework on one of the printers attached to the fixed computers.
> Would it work and not compromise the system if I give it a static address
> and instruct the other computers on the network to refuse any
> transmissions from this address? And could I then attach one of the
> printers to the computer serving as the firewall and allow all the
Re: Security Questions
%% Thomas H. George,,, [EMAIL PROTECTED] writes:

  thg> I believe my home network has been compromised (my daughter received
  thg> returned emails she never sent)

Note that this is a _very_ common spam technique these days. They disguise spam as rejected mail, because most mail filters, etc. will pass those through without much checking.

Or, of course, someone could have forged your daughter's email address on their spam and the replies you're getting are to that. They don't need to send the email from your system to forge the return address!

You should check the original message, with all its headers, to determine if it really came from your daughter's computer (your network) originally or not.

I'm not saying you shouldn't go ahead, but you might look more carefully at the kinds of returned email you're getting before deciding categorically your network has been cracked.

-- 
---
 Paul D. Smith [EMAIL PROTECTED] HASMAT--HA Software Mthds Tools
 "Please remain calm...I may be mad, but I am a professional." --Mad Scientist
---
 These are my opinions---Nortel Networks takes no responsibility for them.
Re: Security Questions
On Sun, 06 Apr 2003 09:09:47 -0500
Thomas H. George,,, [EMAIL PROTECTED] wrote:

> I have read Security-Quickstart-HOWTO. I believe my home network has
> been compromised (my daughter received returned emails she never sent)
> and plan to take drastic action. The network consists of DSL modem, a
> wireless router and four computers. I

What kind of wireless router do you have? Most of the popular ones include firewalls, and mine has a feature to keep wireless traffic separate from wired traffic. (It also has a print server.)

Kevin
Re: /bin/false (was Re: security questions)
On Sun, Oct 29, 2000 at 11:50:18PM +, sena wrote:
> I heard that Jonathan Markevich wrote this on 29/10/00:
> > However, writing one in C proved to be simple, and an afternoon's worth of fun.
>
> --(snip - false.c)--
> int main() { return 1; }
> --(snip - false.c)--
>
> 10 seconds writing plus 3 minutes worth of fun is more like it... :)

YOU *may* or may not have caught the subtle (and weak) humor. Of course you've gone and re-invented my wheel. Whatever happened to OOP? :)

Only 3 minutes of fun? Disappointing. You've gone and blown the rest of the afternoon. Read through it, make it funnier. Imagine it in Perl. Or Befunge. Or my favorite, Rube. (extra points if you use the weasel -- I believe it's all on www.catseye.mb.ca...) Actually, this may be more of an appropriate job for the language FALSE. Should we set up a sourceforge project for this?

> > Oh writing it sure didn't take all afternoon, but the fun did. My current /bin/false is a compiled ELF file, and I don't really know if it's mine or Potato's (it's been a long time).
>
> Potato's /bin/false has a378dbf982c7694b173cd87ecc8463f1 md5sum.

32 bytes, huh? 24 for your source above (with spaces). Might as well compile it yourself.

Oh well, I'll let you think of it. I've got a bash script that's a barrel of laughs right now, gotta go.

-- 
Jonathan Markevich [EMAIL PROTECTED] http://www.geocities.com/jmarkevich
== It's VIRUSES, not VIRII! See http://language.perl.com/misc/virus.html ==
Campus sidewalks never exist as the straightest line between two points. -- M. M. Johnston
Re: /bin/false (was Re: security questions)
I heard that Jonathan Markevich wrote this on 29/10/00:
> Only 3 minutes of fun? Disappointing. You've gone and blown the rest of the afternoon. Read through it, make it funnier. Imagine it in Perl. Or Befunge. Or my favorite, Rube. (extra points if you use the weasel -- I believe it's all on www.catseye.mb.ca...) Actually, this may be more of an appropriate job for the language FALSE. Should we set up a sourceforge project for this?

Python, Scheme, Pascal, BASIC (ugh..), whatever.. Why not make a kind of hello world repository with the equivalent of /bin/false in several languages. Of course, it would have to include the history of the false command, etc.

> > Potato's /bin/false has a378dbf982c7694b173cd87ecc8463f1 md5sum.
>
> 32 bytes, huh? 24 for your source above (with spaces). Might as well compile it yourself.

Or, as in C the return type of a function defaults to int, we could write:

main(){return 1;}

even if the compiler whines about it, the source is only 17 bytes long. How many (kilo)bytes would be necessary to write that in BASIC? :)

Now remembering your shell script approach, let's include in the false-tribute web page a section for shells (bash, ash, zsh, csh, etc.).

> Oh well, I'll let you think of it. I've got a bash script that's a barrel of laughs right now, gotta go.

Well, have fun... :)

Regards,
sena..

-- 
[EMAIL PROTECTED] http://decoy.ath.cx/~sena/
Re: /bin/false (was Re: security questions)
On Mon, 30 Oct 2000, sena wrote:
> I heard that Jonathan Markevich wrote this on 29/10/00:
> > 32 bytes, huh? 24 for your source above (with spaces). Might as well compile it yourself.
>
> Or, as in C the return type of a function defaults to int, we could write:
>
> main(){return 1;}
>
> even if the compiler whines about it, the source is only 17 bytes long. How many (kilo)bytes would be necessary to write that in BASIC? :)

Save a byte:

main(){exit(1);}

But we're pretty far off topic here

Damian Menscher
-- 
--==## Grad. student Sys. Admin. @ U. Illinois at Urbana-Champaign ##==--
--==## [EMAIL PROTECTED] www.uiuc.edu/~menscher/ Ofc:(217)333-0038 ##==--
--==## Physics Dept, 1110 W Green, Urbana IL 61801 Fax:(217)333-9819 ##==--
Re: /bin/false (was Re: security questions)
In article [EMAIL PROTECTED], sena [EMAIL PROTECTED] wrote:
> I heard that Jonathan Markevich wrote this on 29/10/00:
> > However, writing one in C proved to be simple, and an afternoon's worth of fun.
>
> --(snip - false.c)--
> int main() { return 1; }
> --(snip - false.c)--
>
> 10 seconds writing plus 3 minutes worth of fun is more like it... :)

Ah, way too big ...

#include <linux/unistd.h>
#include <asm/unistd.h>

int errno;

_syscall1(void, exit, int, status);

int main(void)
{
	exit(1);
}

void *_start = main;

Compile with cc -s -o false -nostdlib false.c

Mike.
-- 
People get the operating system they deserve.
Re: /bin/false (was Re: security questions)
I heard that Miquel van Smoorenburg wrote this on 30/10/00:
> Ah, way too big ...
(snip...)
> Compile with cc -s -o false -nostdlib false.c

[EMAIL PROTECTED]:~$ cc -s -o false -nostdlib false.c
false.c: In function `exit':
false.c:6: warning: function declared `noreturn' has a `return' statement
false.c:6: warning: `noreturn' function does return
[EMAIL PROTECTED]:~$ ./false
Segmentation fault
[EMAIL PROTECTED]:~$

Regards,
sena...
-- 
[EMAIL PROTECTED] http://decoy.ath.cx/~sena/
Re: security questions
On Sat, Oct 28, 2000 at 08:36:47PM +0200, Robert Waldner wrote:
> On Sat, 28 Oct 2000 10:06:56 PDT, Peter Jay Salzman writes:
> > also, i noticed that some accounts which are disabled are given a shell of /bin/false:
> >
> > ftp:x:100:65534::/home/ftp:/bin/false
> >
> > tiger seemed to hate this too. i tried playing around with /bin/false. can't seem to figure out what it is. whatever it is, it's tiny. only 4 kb long.
>
> there are /bin/true (which gives a return code of 0 when run) and /bin/false (which returns 1) (both values IIRC). very handy if you want to do something like `if (bla || /bin/true)` for some reason.
>
> giving a shell with /bin/false effectively disables the account's possibility to get a login shell, but (as in case with ftp) shouldn't hinder other services (eg ftp, pop3, .forward etc.).
>
> all of the above is in theory, because I tried that some time ago but couldn't get an ftp-login when the shell was /bin/false, but I remember reading about it somewhere...

typically, ftpd checks to see if your shell is in /etc/shells -- if it's not, you can't ftp.

-- 
CueCat decoder .signature by Larry Wall:
#!/usr/bin/perl -n
printf "Serial: %s Type: %s Code: %s\n", map { tr/a-zA-Z0-9+-/ -_/; $_ = unpack 'u', chr(32 + length()*3/4) . $_; s/\0+$//; $_ ^= "C" x length; } /\.([^.]+)/g;
Re: /bin/false (was Re: security questions)
On Sat, Oct 28, 2000 at 03:20:15PM -0700, kmself@ix.netcom.com wrote:
> > also, i noticed that some accounts which are disabled are given a shell of /bin/false:
> >
> > ftp:x:100:65534::/home/ftp:/bin/false
> >
> > tiger seemed to hate this too. i tried playing around with /bin/false. can't seem to figure out what it is. whatever it is, it's tiny. only 4 kb long.
>
> See man false.

Now I also have heard that a shell script /bin/false is a bad thing, because it still allows some nasty shell tricks, but I haven't come across any examples. It is also usually what distros install. However, writing one in C proved to be simple, and an afternoon's worth of fun.

Oh writing it sure didn't take all afternoon, but the fun did. My current /bin/false is a compiled ELF file, and I don't really know if it's mine or Potato's (it's been a long time).

-- 
Jonathan Markevich [EMAIL PROTECTED] http://www.geocities.com/jmarkevich
== It's VIRUSES, not VIRII! See http://language.perl.com/misc/virus.html ==
Man and wife make one fool.
Re: /bin/false (was Re: security questions)
I heard that Jonathan Markevich wrote this on 29/10/00:
> However, writing one in C proved to be simple, and an afternoon's worth of fun.

--(snip - false.c)--
int main() { return 1; }
--(snip - false.c)--

10 seconds writing plus 3 minutes worth of fun is more like it... :)

> Oh writing it sure didn't take all afternoon, but the fun did. My current /bin/false is a compiled ELF file, and I don't really know if it's mine or Potato's (it's been a long time).

Potato's /bin/false has a378dbf982c7694b173cd87ecc8463f1 md5sum.

Regards,
sena...
-- 
[EMAIL PROTECTED] http://decoy.ath.cx/~sena/
security questions
i just installed a host security checker, tiger (TARA?) which is more or less along the lines of what i remember from dan farmer's COPS (a long time ago!)

it had a number of complaints about accounts which were disabled but had valid shells. like this one:

www-data:x:33:33:www-data:/var/www:/bin/sh

why, exactly, is this a security risk? is tiger expecting something along the lines of:

www-data:x:33:33:www-data:/var/www:

what is the hangup here?

also, i noticed that some accounts which are disabled are given a shell of /bin/false:

ftp:x:100:65534::/home/ftp:/bin/false

tiger seemed to hate this too. i tried playing around with /bin/false. can't seem to figure out what it is. whatever it is, it's tiny. only 4 kb long.

thanks!
pete
Re: security questions
On Sat, 28 Oct 2000 10:06:56 PDT, Peter Jay Salzman writes:
> also, i noticed that some accounts which are disabled are given a shell of /bin/false:
>
> ftp:x:100:65534::/home/ftp:/bin/false
>
> tiger seemed to hate this too. i tried playing around with /bin/false. can't seem to figure out what it is. whatever it is, it's tiny. only 4 kb long.

there are /bin/true (which gives a return code of 0 when run) and /bin/false (which returns 1) (both values IIRC). very handy if you want to do something like `if (bla || /bin/true)` for some reason.

giving a shell with /bin/false effectively disables the account's possibility to get a login shell, but (as in case with ftp) shouldn't hinder other services (eg ftp, pop3, .forward etc.).

all of the above is in theory, because I tried that some time ago but couldn't get an ftp-login when the shell was /bin/false, but I remember reading about it somewhere...

rw
-- 
/ Ing. Robert Waldner | Network Engineer | T: +43 1 89933 F: x533 \
\ [EMAIL PROTECTED] | KPNQwest/AT | Diefenbachg. 35, A-1150 /
/bin/false (was Re: security questions)
on Sat, Oct 28, 2000 at 10:06:56AM -0700, Peter Jay Salzman ([EMAIL PROTECTED]) wrote:
> also, i noticed that some accounts which are disabled are given a shell of /bin/false:
>
> ftp:x:100:65534::/home/ftp:/bin/false
>
> tiger seemed to hate this too. i tried playing around with /bin/false. can't seem to figure out what it is. whatever it is, it's tiny. only 4 kb long.

See man false.

    false - do nothing, unsuccessfully

Think of it as /dev/null, /dev/full, /dev/zero, or the lo loopback networking interface. Or zero (0), for that matter. Doing nothing can be incredibly valuable. As the Zen saying goes: "Don't just do something, stand there!".

/bin/true and /bin/false do nothing. true exits with a successful status, false exits with a nonsuccessful status. This is useful for accounts which you don't want to have any successful shell access, it can be handy in shell scripts to force a failure condition, or elsewhere.

In the same sense, /dev/null discards bits (or returns a null read), /dev/full is a file which is always full (write produces error), /dev/zero returns an ASCII null, and the lo interface allows tests of networking when no real networking interface is available -- this is useful both in testing services, and in setting up systems such as diald.

-- 
Karsten M. Self kmself@ix.netcom.com http://www.netcom.com/~kmself
Evangelist, Opensales, Inc. http://www.opensales.org
What part of "Gestalt" don't you understand? There is no K5 cabal
http://gestalt-system.sourceforge.net/ http://www.kuro5hin.org
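As an added example (not code from anyone in this thread), here is a small audit that turns the two points above into a check: it flags accounts whose password is locked but whose shell is still a login shell (what tiger complains about, including the empty-shell-field case, which login treats as /bin/sh), and it reports which shells would pass the /etc/shells test that ftpd applies. The passwd, shadow and shells files are constructed samples written to a temp directory, not copied from any real host.

```shell
#!/bin/sh
# Added example, not code from the thread: audit passwd/shadow-style records
# for a locked password combined with a real login shell (what tiger flags
# above) and for the /etc/shells check that ftpd applies. The passwd, shadow
# and shells files used below are constructed samples, not from a real system.

# is_locked HASH -> true if the password field disables password logins
# ("*" or anything starting with "!"; an empty field would mean *no* password)
is_locked() {
    case "$1" in
        '*' | '!'*) return 0 ;;
        *)          return 1 ;;
    esac
}

# is_login_shell SHELL SHELLSFILE -> true if SHELL is listed in SHELLSFILE
# (the same test login-style services such as ftpd make)
is_login_shell() {
    grep -qx -- "$1" "$2"
}

# audit_accounts PASSWD SHADOW SHELLS -> one line per finding: user code shell
audit_accounts() {
    passwd=$1; shadow=$2; shells=$3
    while IFS=: read -r user pw uid gid gecos home shell; do
        # an empty shell field does not disable anything: login falls back to /bin/sh
        eff=${shell:-/bin/sh}
        # prefer the shadow entry; "x" in passwd only points there
        hash=$(awk -F: -v u="$user" '$1 == u { print $2; exit }' "$shadow")
        [ -n "$hash" ] || hash=$pw
        if is_locked "$hash"; then
            if is_login_shell "$eff" "$shells"; then
                echo "$user LOCKED_BUT_LOGIN_SHELL $eff"   # what tiger flags
            else
                echo "$user DISABLED $eff"                 # e.g. the ftp account
            fi
        elif ! is_login_shell "$eff" "$shells"; then
            echo "$user USABLE_PASSWORD_NO_LOGIN_SHELL $eff"
        fi
    done < "$passwd"
}

# run_demo -> runs the audit over the constructed sample files
run_demo() {
    dir=$(mktemp -d) || return 1
    printf '%s\n' \
        'root:x:0:0:root:/root:/bin/bash' \
        'www-data:x:33:33:www-data:/var/www:/bin/sh' \
        'ftp:x:100:65534::/home/ftp:/bin/false' \
        'mail:x:8:8:mail:/var/mail:' \
        'pete:x:1000:1000:Pete:/home/pete:/bin/bash' > "$dir/passwd"
    printf '%s\n' \
        'root:$1$constructed$hash:11000:0:99999:7:::' \
        'www-data:*:11000:0:99999:7:::' \
        'ftp:*:11000:0:99999:7:::' \
        'mail:*:11000:0:99999:7:::' \
        'pete:$1$constructed$hash:11000:0:99999:7:::' > "$dir/shadow"
    printf '%s\n' /bin/sh /bin/bash > "$dir/shells"
    audit_accounts "$dir/passwd" "$dir/shadow" "$dir/shells"
    rm -rf "$dir"
}

run_demo
```

On the sample data the audit reports www-data and mail as locked accounts that still have /bin/sh, and ftp as properly disabled; root and pete produce no finding.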
Re: Security questions
> What I was looking for was any potential security risks that exist in the default setup of Debian 1.3.1.*.

http://www.debian.org/security.html (this lists all security problems. As far as I'm aware, all have been fixed in bo-updates).

On the other hand, probably the only way to get your system (any system) safe is by educating the wannabe phreakers: Offer them one month free subscription or whatever if they report possible security holes instead of exploiting them.

-- 
joost witteveen, [EMAIL PROTECTED]
My spamfilter is so good, it correctly catches 90% of incoming spam, *including* all email from my PhD supervisor.

--
TO UNSUBSCRIBE FROM THIS MAILING LIST: e-mail the word "unsubscribe" to [EMAIL PROTECTED] . Trouble? e-mail to [EMAIL PROTECTED] .
Security questions
I am setting up a server to allow our customers shell access. I want this sucker to be air-tight. We have a few hacker/phreaker wannabes. Any suggestions?
Re: Security questions
Shaleh wrote:
:I am setting up a server to allow our customers shell access. I want
:this sucker to be air-tight. We have a few hacker/phreaker wannabes.
:Any suggestions?

Depends on what kind of consulting fees you're willing to pay. :-P

I guess you could get a more positive response if you'd indicate that you're actually willing to figure out some things for yourself instead of letting the group do your job. Maybe you could start by outlining which measures you've already taken, or with a question about the security issues involved with a particular package.

Bye,
-- 
Thomas Baetzler, [EMAIL PROTECTED], [EMAIL PROTECTED]
Visit my Homepage! http://www.fh-karlsruhe.de/~bath0011/
"The cowards never came, and the weaklings died on the way" - R.A.H.
Re: Security questions
What I was looking for was any potential security risks that exist in the default setup of Debian 1.3.1.*.
Re: Security questions
On Tue, 21 Oct 1997, Shaleh wrote:
> I am setting up a server to allow our customers shell access. I want this sucker to be air-tight. We have a few hacker/phreaker wannabes. Any suggestions?

1: Tripwire. (I've never used it myself, but everything I hear about it sounds like you'd want to be using it)

2: stick with the stable Debian hierarchy as much as possible, and don't install packages you can't find a reason for on the machine. (For example, do you need an xserver on the machine or is it sufficient to only allow xclients? Do you really need xntpd on this machine?)

3: Find some way to regularly skim over the syslogs - I keep thinking that there ought to be some program to facilitate this, but...

4: Arrange somehow (via a cron job, perhaps?) to have something like:

find / -perm -04000 | diff /var/log/propersuidfiles -

run regularly. (the find command is looking for all suid files; presumably the file /var/log/propersuidfiles was created earlier by dumping the results of this find command on a system you know is clean; the trailing "-" makes diff read the live list from the pipe) Review the results. Tripwire may do something equivalent to this.

5: Use shadowed (or nis, or anything but the old-style crypted entries in /etc/passwd) passwords.

6: Consider regularly running crack on your users' passwords to screen for weak passwords.

7: Configure tcpwrappers to log the results of an identd check. (I'm reasonably certain that this is easy to do with the standard Debian setup, but can't remember how)

Most of the time the part of security that gets neglected is detecting attempted breakins that fail - often, hackers will try simple stuff before they progress to more sophisticated attacks. If the simple stuff is detected, even though it may have failed, you can at least know whom to watch. (And the shock of being caught red-handed can have a remarkable effect on many hacker-wannabes)

(NOTE: I am not a security expert, nor do I have direct experience administering a machine that must be kept secure from the users; I just happened to spend most of my undergraduate years working for a very security-conscious sysadmin)
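An added example, not the poster's own script: point 4's setuid baseline and diff, combined with the "snapshot of the entire system" idea from the earlier reply (mode, owner, size and checksum per file), run against a constructed sample tree under mktemp so it is safe to try anywhere. The file names and the changes made to the tree are invented for the demonstration; on a real host the root would be / and the baseline files would live on read-only media.

```shell
#!/bin/sh
# Added example, not code from the thread: baseline-and-compare checks in the
# spirit of point 4 above (setuid files) and of the earlier reply's "snapshot of
# the entire system" (mode, owner, size, checksum per file). The sample tree,
# its files and the changes applied to it are all constructed for the demo.

# suid_list ROOT -> sorted paths of setuid or setgid regular files under ROOT
suid_list() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print | LC_ALL=C sort
}

# meta_snapshot ROOT -> one line per regular file: path mode uid gid size crc
# (ls -ln and cksum are POSIX, so no GNU-only stat/find options are needed;
#  paths in the sample tree contain no whitespace)
meta_snapshot() {
    find "$1" -type f -print | LC_ALL=C sort | while IFS= read -r f; do
        set -- $(ls -ln "$f")          # mode links uid gid size ...
        mode=$1; uid=$3; gid=$4; size=$5
        set -- $(cksum "$f")           # crc size path
        printf '%s %s %s %s %s %s\n' "$f" "$mode" "$uid" "$gid" "$size" "$1"
    done
}

# check_suid ROOT BASELINE / check_meta ROOT BASELINE -> diff of the live
# system against the baseline; exit status 0 only when nothing changed
# (the trailing "-" makes diff read the live listing from the pipe)
check_suid() { suid_list "$1"     | diff "$2" -; }
check_meta() { meta_snapshot "$1" | diff "$2" -; }

# run_demo -> builds the sample tree, baselines it, alters it, and returns
# the number of checks (0..2) that reported a change
run_demo() {
    root=$(mktemp -d) || return 1
    base=$(mktemp -d) || return 1
    mkdir -p "$root/bin" "$root/etc"
    printf 'echo passwd helper\n' > "$root/bin/passwd"; chmod 4755 "$root/bin/passwd"
    printf 'echo plain tool\n'    > "$root/bin/tool";   chmod 755  "$root/bin/tool"
    printf 'nobody:x:65534\n'     > "$root/etc/passwd"; chmod 644  "$root/etc/passwd"

    # baselines taken while the tree is known to be clean
    suid_list "$root"     > "$base/suid.txt"
    meta_snapshot "$root" > "$base/meta.txt"

    # constructed changes of the kind the checks are meant to catch
    chmod 4755 "$root/bin/tool"                    # a binary that gained setuid
    printf 'extra::0\n' >> "$root/etc/passwd"      # a modified system file

    changes=0
    echo '== setuid list vs baseline =='
    check_suid "$root" "$base/suid.txt" || changes=$((changes + 1))
    echo '== file metadata vs baseline =='
    check_meta "$root" "$base/meta.txt" || changes=$((changes + 1))
    rm -rf "$root" "$base"
    return "$changes"
}

st=0; run_demo || st=$?
echo "checks reporting changes: $st"
```

Both checks fire on the altered tree: the setuid diff shows the added /bin/tool line, and the metadata diff shows tool's new mode plus the changed size and checksum of etc/passwd.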