On Wed, Feb 28, 2001 at 10:49:32AM +1100, Umar Goldeli wrote:
> > Are you serious? If someone gets in, the game is over; they already know enough
> > about the box, wouldn't you say?
>
> The above statement is not exactly correct, but yes they do know about the
> box somewhat, and even if the man pages help them for 30 seconds, it's too
> much.
There's actually nothing very interesting on the firewall (except for the man
pages); if someone gets a shell (root or otherwise) then the game is over, they
can bounce off the firewall and attack the hosts it's trying to protect. Non-root
will have to work around the filters (both input and output are filtered), but
that won't stop them. If a cracker wants to spend time rooting the firewall I
wish them well; at least while they are trying to get root on the firewall,
they aren't trying to attack other hosts.
> Correct. As well as seemingly harmless binaries like "uname" and even the
> layout of the filesystem.
Removing uname isn't going to buy me much.
find /proc -exec less {} \;
/proc is bad, mmmkay.
I've never tried to run a box without proc, I might give it a go.
> > We have been advised to run ntp on the firewall so log time stamps are in
> > sync. Another potential access point.
>
> Bind ntp to a particular interface and only allow port 123 from your ntp
> server, also turn on the funky auth features (or you could do ipsec to
> your ntp box ;)
You bring up a good point about ntp auth. Obviously ntp will be filtered, but that
won't stop forged packets (and unfortunately, neither will some of our routers
(yet)). I wonder if someone could send bogus ntp packets and shift the time on
the firewall?
--
chesty
--
SLUG - Sydney Linux User Group Mailing List - http://slug.org.au/
More Info: http://slug.org.au/lists/listinfo/slug
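A worked ntp.conf putting the advice above into practice (only the internal ntp server may talk to ntpd, ntpd only listens on the inside interface, and the association is protected with a symmetric key so forged, unauthenticated replies are discarded). This is an added example, not configuration from the thread or from SLUG; the internal ntp server address 192.0.2.10, the inside interface eth1 and the key file path are assumptions, and the `interface` directive needs ntpd 4.2.7 or later.

```conf
# /etc/ntp.conf on the firewall (added example; addresses and interface assumed)

# Default policy: ignore every NTP packet, from anyone.
restrict default ignore
restrict -6 default ignore

# Loopback is allowed so local ntpq/ntpdc still work.
restrict 127.0.0.1
restrict -6 ::1

# The one internal time source. It may answer our queries but may not
# modify our state (nomodify), mobilise a peer association (nopeer),
# query status (noquery) or send traps (notrap).
restrict 192.0.2.10 nomodify notrap nopeer noquery

# Only bind the inside interface; never open UDP/123 on the outside.
# (ntpd 4.2.7+; older builds must rely on the packet filter alone.)
interface ignore wildcard
interface listen eth1

# Client association to the internal server, authenticated with key 1.
# Replies that fail the MAC check are dropped, which is what blunts the
# "bogus ntp packets shift the firewall clock" concern raised above.
server 192.0.2.10 key 1 iburst

# Symmetric keys; the same key 1 must be configured on 192.0.2.10.
keys /etc/ntp/ntp.keys
trustedkey 1

driftfile /var/lib/ntp/ntp.drift

# /etc/ntp/ntp.keys (mode 0600, owner root) -- one key per line:
#   <keyid> <type> <secret>
# 1 MD5 REPLACE_WITH_LONG_RANDOM_SECRET
```

After a restart, `ntpq -c associations` should list the 192.0.2.10 association with `auth ok`; `auth bad` or `none` means the key or trustedkey line does not match the server's.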