Re: [SLUG] advice on security compliance

2009-11-11 Thread Daniel Bush
Hey Amos, thanks for that.  And also thanks to Daniel and Sonia.

Cheers,
Daniel

2009/11/10 Amos Shapira amos.shap...@gmail.com

 2009/11/2 Daniel Bush dlb.id...@gmail.com:
  I was following Rick's recent post about penetration testing with some
  interest.  I'm looking at complying with anz e-gate for e-commerce
  transactions.  ANZ has this declaration form for internet sites that you
  have to sign.  One of the tick boxes says Do you operate a firewall that
  is regularly updated?

 I'm a bit late in the party but still wanted to add my two cents if that's
 OK.

 Some relevant points I learned during the PCI DSS compliance process
 we've gone through:

 1. They also care not just about preventing people getting
 unauthorised access to your server but also in making it difficult to
 get data out (e.g. by someone with an inside knowledge). So firewall
 rules should also limit outgoing connections to specific hosts. E.g.
 you want to talk to specific, hopefully more trusted, DNS and NTP
 servers, specific upstream SMTP servers (instead of allowing access to
 just about any SMTP server in the world) and maybe specific yum update
 servers, but not more. Since rules could be added to allow you
 temporary access outside for specific tasks, it might be prudent to
 verify once in a while that they are back to the way you expect them
 to be.

 2. Application firewalls can add a lot to the simple block everything
 except ports 80 and 443 iptables. I'm talking about mod_security and
 having its rules updated regularly to catch attempts to exploit holes
 in known application as they get discovered (e.g.
 http://www.gotroot.com/tiki-index.php?page=mod_security+rules).

 3. They care about auditing and accountability - the rule of thumb
 is no shared accounts - if there is more than one user on the
 system then each should use their own account and sudo ... for each
 privileged command. It also makes it easier to track who did what and
 when (bash HISTTIMEFORMAT='%F %T ' is also very useful, not just for
 Them).

 4. SE Linux is a major headache, I seem to be in the mainstream by
 disabling it for now. But it appears that once you get to learn it and
 tweak it properly it can add a lot to the security on your server and
 limit the damage done by a potential cracker. e.g. allow HTTP access
 to the yum servers only by the yum process, or send mail only from
 specific programs/scripts. The best tutorial I found about SE Linux so
 far resides in http://docs.fedoraproject.org/selinux-user-guide/f10/en-US/
 (I still have to finish reading it)

 In general - you can look at this as ah yeh, the security lawyers and
 paper pushers are at it again but I found that giving attention to
 these requirements and the thinking behind them makes a lot of
 security sense (most times - anti-virus for purely linux environment
 is pretty useless from what I've researched so far) and should end up
 in more secure servers.

 Cheers,

 --Amos




-- 
Daniel Bush
-- 
SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/
Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html


Re: [SLUG] Data Redundancy, RAID5/LVM backup decisions

2009-11-11 Thread Ken Wilson



Daniel Pittman wrote:

Sridhar Dhanapalan srid...@dhanapalan.com writes:

2009/11/8 Kevin Shackleton kev...@reachnet.com.au:


Save the environment - buy a NAS.
(my mirrored 2-disc NAS averages about 20 W)

That's a good suggestion. My reluctance to use a NAS myself stems from the
perception of less configurability.


Yup.  If you want something capable of the flexibility of a real OS your
options are very limited.  OTOH, do you really *need* that level of
flexibility from your storage system?


Are they any good and affordable NAS solutions out there that allow a decent
level of configurability and permissions-setting?


The Linksys NSS[46]000 series are entirely Linux underneath, and fully
source-available.  I have not actually used the hardware, but we prototyped
one ages ago and found it acceptable.

Otherwise, the DLINK DNS-[24]32 devices can also run Linux, or...


D Link do run linux, but hard to do anything on them, I wanted to do 
rsync, but it only accepts ftp.

Ken


OTOH, my preference would be to purchase external bulk storage in some sort of
NAS that did NFS[1], or perhaps that offered eSATA, and run it through the
central server *if* I needed a fancy set of permissions.

Daniel

Footnotes:
[1]  Limited options, sadly, though any of the named ones should, and I
     believe the Drobo stuff does too.




Re: [SLUG] IPTables

2009-11-11 Thread Kyle

Rick,

it dawned on me at 04:30 this morning (don't ask) that you probably want to 
tighten this up even more (and simplify it too) by doing the following:


iptables -A INPUT -i ethX -s IP_addr_of_host_B -m multiport -p tcp --dport www,ssh -j ACCEPT
iptables -A INPUT -j DROP
iptables -A OUTPUT -o ethX -d IP_addr_of_host_B -j ACCEPT
iptables -A OUTPUT -j DROP

Just be aware that the two drop statements now prevent host A talking to 
any machine other than host B and only over ethX.  So if ethX ever 
fails, you're screwed. And if you don't want host A initiating calls, 
change line 3 above back to include '-m state --state RELATED,ESTABLISHED'.



Kind Regards

Kyle



r...@greyheads.net wrote:

Kyle apologies for the top posting - mail2web is a bit dumb at this.

Do you mean that the script should look like this

iptables -A INPUT -m state --state NEW -m multiport -p tcp --dport www,ssh -i ethX -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -j DROP
iptables -A OUTPUT -o ethX -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o ethX -j DROP

Can you have two -m statements on the one line?

Regards,

Rick





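Two posts in this digest make the same operational point from different ends: Amos's PCI DSS note 1 (OUTPUT rules should only allow connections to specific DNS, NTP, SMTP and update hosts, and since rules get added "temporarily", check once in a while that they are back to the way you expect them), and Kyle's host-A/host-B rule set, where INPUT accepts only host B and both chains end in an unconditional DROP. The script below is an added example written for this page, not code from Amos, Kyle or the list: it parses an iptables-save dump offline and reports any ACCEPT rule that can open a new connection with a peer outside an expected list, plus any chain that is not closed by a DROP policy or a final -j DROP. The dump and the addresses (198.51.100.7 as host B, 192.0.2.x as the trusted DNS/NTP/SMTP servers) are constructed for the example; on a real host you would feed it the live output of iptables-save from cron.

```python
"""Audit an iptables-save dump against the peers a host is expected to talk to.

Constructed example for the SLUG thread (not code from the list): it checks
that INPUT only accepts new connections from listed sources, that OUTPUT only
opens connections to listed destinations, and that both chains end in a drop,
either a DROP policy or a final unconditional "-j DROP" rule.
"""
import shlex

# Constructed sample in iptables-save format. INPUT admits one peer ("host B")
# on www/ssh; OUTPUT may open connections only to a DNS, an NTP and an SMTP
# host, but a port-80 rule added "temporarily" for a download was never removed.
SAMPLE_DUMP = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 198.51.100.7/32 -i eth0 -p tcp -m multiport --dports 80,22 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -d 192.0.2.53/32 -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT -d 192.0.2.123/32 -p udp -m udp --dport 123 -j ACCEPT
-A OUTPUT -d 192.0.2.25/32 -p tcp -m tcp --dport 25 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A OUTPUT -j DROP
COMMIT
"""

# Assumed addresses: host B, and the DNS, NTP and SMTP servers we trust.
EXPECTED_PEERS = {
    "INPUT": {"198.51.100.7/32"},
    "OUTPUT": {"192.0.2.53/32", "192.0.2.123/32", "192.0.2.25/32"},
}


def parse_filter_table(dump):
    """Return {chain: (policy, [rule tokens, ...])} for the filter table only."""
    chains, table = {}, None
    for raw in dump.splitlines():
        line = raw.strip()
        if line.startswith("*"):
            table = line[1:]
        elif table == "filter" and line.startswith(":"):
            name, policy = line[1:].split()[:2]
            chains[name] = (policy, [])
        elif table == "filter" and line.startswith("-A "):
            tokens = shlex.split(line)
            chains.setdefault(tokens[1], ("-", []))[1].append(tokens)
    return chains


def _option(tokens, name):
    """Value following option `name` in a tokenised rule, or None if absent."""
    if name in tokens and tokens.index(name) + 1 < len(tokens):
        return tokens[tokens.index(name) + 1]
    return None


def _opens_new_connections(tokens):
    """True unless the rule is restricted to reply traffic via state/conntrack."""
    states = _option(tokens, "--state") or _option(tokens, "--ctstate")
    return states is None or "NEW" in states.split(",")


def _chain_is_closed(policy, rules):
    """Closed if the policy is DROP or the last rule is an unconditional -j DROP."""
    return policy == "DROP" or (bool(rules) and rules[-1][2:] == ["-j", "DROP"])


def audit(dump, expected):
    """Return human-readable findings; an empty list means the dump is as expected."""
    findings = []
    chains = parse_filter_table(dump)
    for chain, peer_flag in (("INPUT", "-s"), ("OUTPUT", "-d")):
        policy, rules = chains.get(chain, ("-", []))
        if not _chain_is_closed(policy, rules):
            findings.append(f"{chain}: policy is {policy} and no final DROP rule")
        for tokens in rules:
            if _option(tokens, "-j") != "ACCEPT" or not _opens_new_connections(tokens):
                continue
            if "lo" in (_option(tokens, "-i"), _option(tokens, "-o")):
                continue  # loopback traffic is not a network peer
            peer = _option(tokens, peer_flag)
            if peer is not None and "/" not in peer:
                peer += "/32"  # iptables-save normally writes hosts as /32 already
            rule = " ".join(tokens)
            if peer is None:
                findings.append(f"{chain}: accepts new connections with any peer: {rule}")
            elif peer not in expected[chain]:
                findings.append(f"{chain}: accepts unexpected peer {peer}: {rule}")
    return findings


if __name__ == "__main__":
    # On a live host, replace SAMPLE_DUMP with the output of `iptables-save`
    # and run from cron; any output is a rule that drifted from the baseline.
    for finding in audit(SAMPLE_DUMP, EXPECTED_PEERS):
        print("FINDING:", finding)
```

Run against the sample it reports exactly one drift: the port-80 OUTPUT rule with no -d restriction. Delete the trailing -A OUTPUT -j DROP and it also reports that OUTPUT is open, because the chain's policy is ACCEPT; that is the failure mode Kyle's final DROP rules and a DROP policy both guard against.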


Re: [SLUG] Data Redundancy, RAID5/LVM backup decisions

2009-11-11 Thread James Polley






On 11/11/2009, at 23:41, Ken Wilson kenwi...@ozemail.com.au wrote:




Daniel Pittman wrote:

Sridhar Dhanapalan srid...@dhanapalan.com writes:

2009/11/8 Kevin Shackleton kev...@reachnet.com.au:

Save the environment - buy a NAS.
(my mirrored 2-disc NAS averages about 20 W)

That's a good suggestion. My reluctance to use a NAS myself stems from the
perception of less configurability.

Yup.  If you want something capable of the flexibility of a real OS your
options are very limited.  OTOH, do you really *need* that level of
flexibility from your storage system?

Are they any good and affordable NAS solutions out there that allow a decent
level of configurability and permissions-setting?


I have a qnap ts-409 pro. It (and all qnap's other models) runs a cut-down
openwrt-style Linux by default - but stock debian runs fine on it as well
(http://www.cyrius.com/debian/orion/qnap/ts-409/)

The newer models (x39, where x is the number of disks) have atom processors;
reportedly much faster and less power-hungry.


The Linksys NSS[46]000 series are entirely Linux underneath, and fully
source-available.  I have not actually used the hardware, but we prototyped
one ages ago and found it acceptable.

Otherwise, the DLINK DNS-[24]32 devices can also run Linux, or...

D Link do run linux, but hard to do anything on them, I wanted to do
rsync, but it only accepts ftp.

Ken

OTOH, my preference would be to purchase external bulk storage in some sort of
NAS that did NFS[1], or perhaps that offered eSATA, and run it through the
central server *if* I needed a fancy set of permissions.

   Daniel

Footnotes: [1]  Limited options, sadly, though any of the named ones should,
and I believe the Drobo stuff does too.




Re: [SLUG] Data Redundancy, RAID5/LVM backup decisions

2009-11-11 Thread Daniel Pittman
Ken Wilson kenwi...@ozemail.com.au writes:
 Daniel Pittman wrote:
 Sridhar Dhanapalan srid...@dhanapalan.com writes:
 2009/11/8 Kevin Shackleton kev...@reachnet.com.au:

[...]

 Otherwise, the DLINK DNS-[24]32 devices can also run Linux, or...

 D Link do run linux, but hard to do anything on them, I wanted to do rsync,
 but it only accepts ftp.

http://lmgtfy.com/?q=dlink+dns-232+rsync

Regards,
Daniel

-- 
✣ Daniel Pittman✉ dan...@rimspace.net☎ +61 401 155 707
   ♽ made with 100 percent post-consumer electrons


Re: [SLUG] Data Redundancy, RAID5/LVM backup decisions

2009-11-11 Thread Ken Wilson



Daniel Pittman wrote:

Ken Wilson kenwi...@ozemail.com.au writes:

Daniel Pittman wrote:

Sridhar Dhanapalan srid...@dhanapalan.com writes:

2009/11/8 Kevin Shackleton kev...@reachnet.com.au:


[...]


Otherwise, the DLINK DNS-[24]32 devices can also run Linux, or...

D Link do run linux, but hard to do anything on them, I wanted to do rsync,
but it only accepts ftp.


http://lmgtfy.com/?q=dlink+dns-232+rsync

Regards,
Daniel


thanks daniel
There has been progress. Fun_plug was not reliably working on 343 at the 
time I bought dns-343. Required upgrading firmware to one that had been 
put up on web but withdrawn. So in the end I used it as was. Looks like 
I have a project to revisit.

Ken


Re: FW: [SLUG] Slow browsing

2009-11-11 Thread db
I believe the bug harrisony linked to has now been fixed; please try updating.



2009/11/7 高远 wolf0...@hotmail.com:

 Hi Heracles,
 There is a Firefox addon named FireBug. It was designed for web developers 
 but has a nice feature of request time monitoring. You may enable the Net 
 tab in firebug console and do an HTTP request (say, to google.com.au) and 
 Firebug will tell you where all the time is spent. See if it tells you something.
 Regards,
 Ryan
 Date: Sat, 7 Nov 2009 13:11:19 +1100
 From: herac...@iprimus.com.au
 To: slug@slug.org.au
 Subject: Re: [SLUG] Slow browsing


 I should add that I am using a wireless connection but have not removed
 eth0. tcpdump gets stuck at eth0.
 I have removed eth0 from the manager but to no avail. I am only
 guessing, but is it possible that having both a wireless and a wired
 card is causing the delay?
 Heracles


 Heracles wrote:
  I should have been more specific, sorry.
  a. IPv6 is set to ignore
  b. I have a 1500/512 connection and it takes google.com.au/linux three
  minutes to start up.
  c. I tried using the dhclient.conf in Ubuntu but no improvement.
  d. prepending the ISPs DNS addresses helps a bit but something is still
  awry.
  I'll do a TCPDUMP and see what I get.
  Heracles
 




Re: [SLUG] Data Redundancy, RAID5/LVM backup decisions

2009-11-11 Thread db
+1 QNAP. A lot of the QNAPS can be modified to run debian linux.

2009/11/12 Ken Wilson kenwi...@ozemail.com.au:


 Daniel Pittman wrote:

 Ken Wilson kenwi...@ozemail.com.au writes:

 Daniel Pittman wrote:

 Sridhar Dhanapalan srid...@dhanapalan.com writes:

 2009/11/8 Kevin Shackleton kev...@reachnet.com.au:

 [...]

 Otherwise, the DLINK DNS-[24]32 devices can also run Linux, or...

 D Link do run linux, but hard to do anything on them, I wanted to do rsync,
 but it only accepts ftp.

    http://lmgtfy.com/?q=dlink+dns-232+rsync

 Regards,
        Daniel

 thanks daniel
 There has been progress. Fun_plug was not reliably working on 343 at the
 time I bought dns-343. Required upgrading firmware to one that had been put
 up on web but withdrawn. So in the end I used it as was. Looks like I have a
 project to revisit.
 Ken
