Re: seeking a better understanding

2002-01-25 Thread VioletWork

Aloha
I suggest you go to amazon and search for the 'hacking' books. Start with
Hacking Windows 2000 Exposed but actually I have all the hacking books and
with the exception of the 'encyclopedia' one which is only good for historic
value, they are all useful to me (we run various flavors of linux, solaris,
aix, mac os 9/10, win2k pro, server, win98, xp) and I am Solaris SysEngr,
MCSE/D, CNE, Oracle, Java, CISCO, etc. I don't provide security now but
rather am Dir of QA for a streaming media company so I write a lot of test
cases for security issues. These books are very helpful reference tools.

As for domain names... you should register them early as the good ones are
going. I have 12 active sites and a further 14 registered domain names. If
you have any web related questions, feel free to email me directly and I
will give you my home email address. Having handcoded over 6500 pages in the
last decade I can tell you what works and doesn't work re: any flavor of
html/browser combination.

A hui hou!
/violet
- Original Message -
From: apif [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, January 16, 2002 2:25 PM
Subject: seeking a better understanding


All,

Where to begin? I have a home network, and am considering putting in a web
server. At this point I am considering the security of it. I suppose the
best way to help you in helping me is to tell you a little about me, my
network, and how I plan on using this.

I'm from a technical background and support MS servers. I have very little
experience in Linux, and only a little in security. Security mostly comes
from another group in my company.

My connection to the internet is DSL. I am planning to upgrade it to a
premium connection so that I can have static IPs. A domain name and DNS
registration will be a course of action further down the line.

My home network consists of less than 5 boxes, each running varying O/S's.
All MS O/S's are running personal firewalls. Other boxes are Linux.

I have a netgear R0318 router which is up to date on its firmware. It
supports NATing, packet introspection, and blocks ports except where I
specify they should be allowed through.

So here is the run down. I'm weak on Linux, but that is what I want to put
the web server on. It will run on Apache web software. All machines are
behind the router, and all addresses are NAT'd. I would project out port 80
for the Slackware Linux machine, and no others (except maybe FTP at some
point unless you think this would not be wise). I currently do not have any
A/V software on my linux box (and to be honest, have no idea what sort of
A/V to put on a linux box).

Now that you have the background, my question comes down to this. If port
80 is the only port allowed through, and someone chose to attack this port,
could they compromise my system, and if so how? What other steps should I
take to protect this system? I see IPTables (I guess it replaced IPchains)
in slackware. I know this is a firewall, but I don't think it is like the
personal firewall I have on MS boxes. I suspect it is more like a full corp
class firewall, and probably as complicated. Should I be using this on my
Slackware machine? Do you have any suggestions of what A/V software I should
use on a linux machine, and do they spot trojans as the MS ones do? Thank you
for your time. I'm sorry this was so long.








RE: seeking a better understanding

2002-01-22 Thread Jean-François Asselin

 -Original Message-
 From: apif [mailto:[EMAIL PROTECTED]] 
 1. Given port 80 (and only port 80) is open to the outside 
 world, if someone were to breach that port, could they do 
 more than deface my website?

Yes. Once they get in, they can take control of that system, install a
listener (running on port 80), and tunnel any traffic they want through
there. They can connect to any system this machine trusts, attempt to
decrypt other passwords, sniff on your network, possibly access the
router (since they're now inside) and change its settings...

 2. Is a home router that does src port blocking, packet 
 introspection, and NATing enough, or do I need a middle box 
 running some form of firewall software too?

Maybe a firewall, an IDS if you're a bit paranoid, and (most important):
keep the system up-to-date and patched! Of the three the patching is
most important. The middle-box firewall I would install between the web
server and the other systems to create a DMZ which would seriously help
contain any break-in to the web server. I'd install Linux on that
middle-box, and run snort on it (so you have IDS as well)...

 
 -Original Message-
 From: apif [mailto:[EMAIL PROTECTED]]
 Sent: Wednesday, January 16, 2002 2:25 PM
 To: [EMAIL PROTECTED]
 Subject: seeking a better understanding
 
 
 [...]
 
 
 
 



Re: seeking a better understanding

2002-01-22 Thread Andrei Vlad Pascal


- Original Message -
From: apif [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Thursday, 17 January, 2002 12:25 AM
Subject: seeking a better understanding


Hi apif,


[...]

| Now that you have the background, my question comes down to this. If port
| 80 is the only port allowed through, and someone chose to attack this port,
| could they compromise my system, and if so how? What other steps should I
| take to protect this system? I see IPTables (I guess it replaced IPchains)
| in slackware. I know this is a firewall, but I don't think it is like the
| personal firewall I have on MS boxes. I suspect it is more like a full corp
| class firewall, and probably as complicated. Should I be using this on my
| Slackware machine? Do you have any suggestions of what A/V software I should
| use on a linux machine, and do they spot trojans as the MS ones do? Thank you
| for your time. I'm sorry this was so long.
|

Yes, you can use iptables. It is a very performant netfilter (and yes,
it replaced ipchains) but you have to study a little. A very good place
to begin with is http://netfilter.samba.org where you have a
comprehensive tutorial about iptables. Then you can consider the Linux
Documentation Project.
iptables gives you a lot of flexibility, but it's not very complicated.

As an A/V software, I can tell you that here we use amavis
(www.amavis.org) with Sophos antivirus. (however we only use it for mail
scanning. But it detects MS trojans and not only.)

Hope this helps.

Regards,
Andrei Pascal
Network Administrator
Frans Maas Romania srl
Phone +40 (0)1 230 8731
Fax   +40 (0)1 230 8709

Linux registered user #221713

I haven't lost my mind -- it's backed up on tape somewhere.
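The two places the replies above suggest filtering, an iptables host firewall on the Slackware box (Andrei's pointer) and a Linux middle box between the web server and the rest of the home network forming a DMZ (Jean-François's suggestion), as one added example that is not part of the original thread. The addresses, interface names and the SSH admin host are assumptions made for this example; it also assumes the netgear router forwards TCP/80 to the middle box's outer interface, which DNATs it on to the web server.

```shell
#!/bin/sh
# Added example (not from the original thread): iptables rulesets for the
# setup discussed, emitted as shell so they can be reviewed before applying.
#
# Assumed addresses and interfaces (constructed for this example):
WEB_IP="${WEB_IP:-192.168.2.10}"       # the Slackware/Apache box, on the DMZ segment
LAN_NET="${LAN_NET:-192.168.1.0/24}"   # the other home machines and the router
ADMIN_IP="${ADMIN_IP:-192.168.1.5}"    # the LAN box you administer from (assumed)
OUT_IF="${OUT_IF:-eth0}"               # middle box, side facing router and LAN
DMZ_IF="${DMZ_IF:-eth1}"               # middle box, side facing the web server

# Host firewall for the web server itself: default-deny inbound, accept only
# loopback, replies to connections it opened, new TCP/80, and SSH from the
# admin host. Everything else is logged once and dropped.
host_rules() {
    cat <<EOF
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -F
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -s $ADMIN_IP -m state --state NEW -j ACCEPT
iptables -A INPUT -j LOG --log-prefix "web-in-drop: "
iptables -A INPUT -j DROP
EOF
}

# Middle box (DMZ firewall): DNAT inbound TCP/80 to the web server, forward
# only that plus admin SSH, let replies flow back, and drop everything the
# web server tries to open on its own. Attempts toward the LAN get their own
# log prefix, since that is the signal of a compromised server looking around.
dmz_rules() {
    cat <<EOF
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -F
iptables -t nat -F
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i $OUT_IF -p tcp --dport 22 -s $ADMIN_IP -m state --state NEW -j ACCEPT
iptables -t nat -A PREROUTING -i $OUT_IF -p tcp --dport 80 -j DNAT --to-destination $WEB_IP
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $OUT_IF -o $DMZ_IF -p tcp -d $WEB_IP --dport 80 -m state --state NEW -j ACCEPT
iptables -A FORWARD -i $OUT_IF -o $DMZ_IF -p tcp -s $ADMIN_IP -d $WEB_IP --dport 22 -m state --state NEW -j ACCEPT
iptables -A FORWARD -i $DMZ_IF -d $LAN_NET -j LOG --log-prefix "dmz-to-lan: "
iptables -A FORWARD -i $DMZ_IF -d $LAN_NET -j DROP
iptables -A FORWARD -i $DMZ_IF -j LOG --log-prefix "dmz-out-drop: "
iptables -A FORWARD -j DROP
EOF
}

# With no argument, print both rulesets for review; "apply-host" or
# "apply-dmz" pipes the matching set into a root shell.
case "${1:-}" in
    apply-host) host_rules | sh -e ;;
    apply-dmz)  dmz_rules  | sh -e ;;
    *)          echo "# --- web server host rules ---"; host_rules
                echo "# --- middle box (DMZ) rules ---"; dmz_rules ;;
esac
```

The DMZ policy deliberately lets the web server open nothing on its own, which is what contains a break-in: a listener planted on the server can still answer on port 80, but it cannot reach the LAN, the router's admin interface, or the Internet to tunnel traffic out. The price is that package updates fetched from the server need an explicit FORWARD rule of their own, and the FTP the original post considers would need both an extra inbound rule and the FTP connection-tracking helper.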







RE: seeking a better understanding

2002-01-21 Thread apif

I received one response to my original post... so maybe I am not in the
right conference / newsgroup. If this is so, please let me know. Otherwise,
the two following questions would scoot me along to understanding what I
need about basic security. Thanks.

1. Given port 80 (and only port 80) is open to the outside world, if someone
were to breach that port, could they do more than deface my website?

2. Is a home router that does src port blocking, packet introspection, and
NATing enough, or do I need a middle box running some form of firewall
software too?

-Original Message-
From: apif [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, January 16, 2002 2:25 PM
To: [EMAIL PROTECTED]
Subject: seeking a better understanding


[...]






RE: seeking a better understanding

2002-01-21 Thread Andrew Blevins

Question #1 Emphatically yes, an intruder could do a lot more than just
deface your site. Go to Google, and search for unicode vulnerability (if you
run IIS). This is just one example.
Question #2 I dunno, anyone else want to take this one?


-Original Message-
From: apif [mailto:[EMAIL PROTECTED]]
Sent: Saturday, January 19, 2002 2:26 AM
To: [EMAIL PROTECTED]
Subject: RE: seeking a better understanding


[...]

-Original Message-
From: apif [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, January 16, 2002 2:25 PM
To: [EMAIL PROTECTED]
Subject: seeking a better understanding


[...]