Re: hardening checkpoints

2005-12-22 Thread paddy
On Wed, Dec 21, 2005 at 08:48:19PM +0100, Davide Prina wrote: > steve wrote: > > >connection time, so she simply refused. Moreover, in Italy you have to > >give an ID (they do a photocopy of it; she couldn't tell me how long they > >keep it..) to be able to use a computer in an Internet Ca

Re: hardening checkpoints

2005-12-21 Thread Davide Prina
steve wrote: connection time, so she simply refused. Moreover, in Italy you have to give an ID (they do a photocopy of it; she couldn't tell me how long they keep it..) to be able to use a computer in an Internet Café (terrorism you know...). yes. All data (only your person identificat

Re: hardening checkpoints

2005-12-21 Thread Johannes Wiedersich
Alvin Oga wrote: italians just passed a law that all isp and internet cafe etc are required to ask for ID of "ALL" visitors and users of their PCs and services it shouldn't matter to that if we reboot etc, etc... but it's their computers... and you might get stiffed with a fine/penalty if you do

Re: hardening checkpoints

2005-12-21 Thread Alvin Oga
On Wed, 21 Dec 2005, Johannes Wiedersich wrote: > > Wrong. I was in Milano (Italy) a few months ago, and I wanted to do exactly > > that. The person at the desk looked at me as if I were a Martian when I ask italians just passed a law that all isp and internet cafe etc are required to ask for

Re: hardening checkpoints

2005-12-21 Thread steve
On Wednesday, 21 December 2005 12.40, Johannes Wiedersich wrote: > steve wrote: > > On Tuesday, 20 December 2005 16.18, Michelle Konzack wrote: > >>But in ALL Internet Cafes I can use my own (selfmade) Debian Live-System > >>with my preferred Desktop. In all Internet Cafes i get an IP via DHCP.

Re: hardening checkpoints

2005-12-21 Thread Johannes Wiedersich
steve wrote: On Tuesday, 20 December 2005 16.18, Michelle Konzack wrote: But in ALL Internet Cafes I can use my own (selfmade) Debian Live-System with my preferred Desktop. In all Internet Cafes i get an IP via DHCP. Wrong. I was in Milano (Italy) a few months ago, and I wanted to do exactl

Re: hardening checkpoints

2005-12-21 Thread steve
On Tuesday, 20 December 2005 16.18, Michelle Konzack wrote: > But in ALL Internet Cafes I can use my own (selfmade) Debian Live-System > with my preferred Desktop. In all Internet Cafes i get an IP via DHCP. Wrong. I was in Milano (Italy) a few months ago, and I wanted to do exactly that. The pe

Re: hardening checkpoints

2005-12-21 Thread paddy
On Tue, Dec 20, 2005 at 04:18:12PM +0100, Michelle Konzack wrote: > Hi Kevin, > > On 2005-12-15 12:27:01, kevin bailey wrote: > > hi, > > > 4. enhance authentication > > > > maybe set up ssh access by authorised keys only - but again this has a > > problem when i need to log in to the server f

Re: hardening checkpoints

2005-12-20 Thread Michelle Konzack
Hi Kevin, On 2005-12-15 12:27:01, kevin bailey wrote: > hi, > 4. enhance authentication > > maybe set up ssh access by authorised keys only - but again this has a > problem when i need to log in to the server from a putty session on a PC in > an internet cafe . > > certainly check the strengt

Re: hardening checkpoints

2005-12-17 Thread Bernd Eckenfels
In article <[EMAIL PROTECTED]> you wrote: > Actually, iptables -A INPUT will _append_ a rule to your INPUT chain > (iptables(8)), and this won't help you if your connection is matched by > an earlier blocking rule. To really make sure that you can reach the > machine after a failed firewall-reconfi

Re: hardening checkpoints

2005-12-17 Thread Bernd Zeimetz
Hi, > > */3 * * * * root iptables -A INPUT -i eth0 -p tcp -s > > MY_WORKSTATION_IP --dport 22 -j ACCEPT && echo "issued iptables cmd" > > > > | mail -a "From: [EMAIL PROTECTED]" -s "[iptables-keepalive]" > > > > [EMAIL PROTECTED] > > > > That does 2 things: > > > > 1. guarantees my acce

Re: hardening checkpoints

2005-12-16 Thread Alvin Oga
On Thu, 15 Dec 2005, kevin bailey wrote: > Alvin Oga wrote: > > > On Thu, 15 Dec 2005, kevin bailey wrote: > > > >> was recently rootkitted on a debian machine because i'd left an obscure > >> service running. > > > > if you know how they got in .. i assume you have since fixed it > > my gue

Re: hardening checkpoints

2005-12-16 Thread Andreas Blaafladt
* alex black <[EMAIL PROTECTED]> [2005-12-15 23:50:42]: > I use this line: > > */3 * * * * root iptables -A INPUT -i eth0 -p tcp -s > MY_WORKSTATION_IP --dport 22 -j ACCEPT && echo "issued iptables cmd" > | mail -a "From: [EMAIL PROTECTED]" -s "[iptables-keepalive]" > [EMAIL PROTECTED]

Re: hardening checkpoints

2005-12-15 Thread Javier Fernández-Sanguino Peña
On Thu, Dec 15, 2005 at 10:02:46PM +, kevin bailey wrote: > > > >> - i may need to access the server over ssh from anywhere. > > > > bad idea... what you can do .. the cracker can also do from "anywhere" > > > > at least, lock down incoming ssh from certain ip# > > vi hosts.deny > > ALL : AL

Re: hardening checkpoints

2005-12-15 Thread Javier Fernández-Sanguino Peña
On Thu, Dec 15, 2005 at 05:20:19PM +, kevin bailey wrote: > > get DDOSed in retaliation (I am guessing really). Anyways on a > > multi-user web server it's difficult to track down the vulnerable cgi > > unless you run the cgi's as the account owner (as opposed to all running > > as www-data), and

Re: hardening checkpoints

2005-12-15 Thread Bernd Eckenfels
In article <[EMAIL PROTECTED]> you wrote: > BTW - FTP *has* to be available - many of the users only know how to use > FTP. give them WinSCP :) Regards, Bernd

Re: hardening checkpoints

2005-12-15 Thread alex black
I use this line: */3 * * * * root iptables -A INPUT -i eth0 -p tcp -s MY_WORKSTATION_IP --dport 22 -j ACCEPT && echo "issued iptables cmd" | mail -a "From: [EMAIL PROTECTED]" -s "[iptables-keepalive]" [EMAIL PROTECTED] That does 2 things: 1. guarantees my access to the machine no matter
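The cron line above appends (-A) a fresh copy of the rule every three minutes, which piles up duplicate rules and, as Bernd Eckenfels notes earlier in this thread, lands the rule behind any DROP that already matches the connection. The following is an added example, not code from the thread or from any of its participants: a keepalive that inserts the rule at position 1 of INPUT and only when iptables -C (present in iptables 1.4.11 and later, so not in the 2005 Sarge toolchain) reports it absent, plus a rollback timer that undoes a ruleset reload unless it is confirmed from a still-working SSH session. The management address 192.0.2.10, the eth0 interface and the /var/run paths are placeholders chosen for the example.

```shell
#!/bin/sh
# Added example, not from the thread: SSH keepalive at the head of INPUT
# plus a self-reverting firewall reload. All addresses/paths are placeholders.

MGMT_IP="${MGMT_IP:-192.0.2.10}"       # assumed management workstation (TEST-NET-1)
IFACE="${IFACE:-eth0}"
IPT="${IPT:-iptables}"                 # point at a stub function for dry runs
IPT_SAVE="${IPT_SAVE:-iptables-save}"
IPT_RESTORE="${IPT_RESTORE:-iptables-restore}"
BACKUP="${BACKUP:-/var/run/fw-rollback.rules}"
TIMER_PID="${TIMER_PID:-/var/run/fw-rollback.pid}"

# One definition of the match, so the -C check and the -I insert never drift apart.
mgmt_ssh_match() {
    printf '%s' "-i $IFACE -p tcp -s $MGMT_IP --dport 22 -j ACCEPT"
}

# Ensure the rule sits at position 1 of INPUT. Prints "inserted" when a change
# was made; prints "present" and returns 1 when it was already there, so cron
# only mails when something actually happened.
ensure_mgmt_ssh() {
    # shellcheck disable=SC2046  # word-splitting the match string is intended
    if $IPT -C INPUT $(mgmt_ssh_match) 2>/dev/null; then
        echo present
        return 1
    fi
    $IPT -I INPUT 1 $(mgmt_ssh_match) && echo inserted
}

# Load a new ruleset, but restore the previous one after $2 seconds unless
# fw_confirm runs first. A reload that locks you out undoes itself.
fw_apply_with_rollback() {
    rules="$1"; secs="${2:-120}"
    $IPT_SAVE > "$BACKUP" || return 1
    $IPT_RESTORE < "$rules" || { $IPT_RESTORE < "$BACKUP"; return 1; }
    ( sleep "$secs" && $IPT_RESTORE < "$BACKUP" ) >/dev/null 2>&1 &
    echo $! > "$TIMER_PID"
    echo "applied $rules; rollback in ${secs}s unless confirmed"
}

# Cancel the pending rollback once you have verified SSH still works.
fw_confirm() {
    [ -f "$TIMER_PID" ] || return 1
    kill "$(cat "$TIMER_PID")" 2>/dev/null || true
    rm -f "$TIMER_PID"
    echo confirmed
}

# Cron usage (every 3 minutes, as in the thread); cron mails stdout, so the
# "present" case is silenced and mail only arrives when the rule was re-added:
#   */3 * * * * root /usr/local/sbin/fw-keepalive.sh keepalive
case "${1:-}" in
    keepalive) ensure_mgmt_ssh | grep -v '^present$' || true ;;
    apply)     fw_apply_with_rollback "$2" "${3:-120}" ;;
    confirm)   fw_confirm ;;
esac
```

Run `fw-keepalive.sh apply /etc/firewall/new.rules 120` from one SSH session, open a second session to prove the new ruleset still admits you, then `fw-keepalive.sh confirm`; if the second login fails, do nothing and the old ruleset comes back on its own. The keepalive line from the thread then only serves as a belt-and-braces safety net rather than a steady stream of duplicate rules.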

Re: hardening checkpoints

2005-12-15 Thread kevin bailey
Dale Amon wrote: > On Thu, Dec 15, 2005 at 12:27:01PM +, kevin bailey wrote: >> 2. firewall >> now i'm not sure about the need for a firewall - i may need to access the >> server over ssh from anywhere. also, to run FTP doesn't the server need >> to be able to open up a varying number of port

Re: hardening checkpoints

2005-12-15 Thread kevin bailey
Will Maier wrote: > On Thu, Dec 15, 2005 at 12:27:01PM +, kevin bailey wrote: >> now i've generally relied on debian issuing security patches but i >> thought i should be more proactive RE security. > > This is very important, as you're now aware. The most secure OS in > the world is only as

Re: hardening checkpoints

2005-12-15 Thread kevin bailey
tomasz abramowicz wrote: > kevin bailey wrote: >> hi, >> >> was recently rootkitted on a debian machine because i'd left an obscure >> service running. > > which one? > i thought it was webmin - but now i'm not so sure - i thought there was a vulnerability in webmin in 2005 which was not in the

Re: hardening checkpoints

2005-12-15 Thread kevin bailey
Matt wrote: > Kevin - > > kevin bailey wrote: >> 1. before attaching server to network install and configure tripwire. >> >> and could possibly put key executables on to CD-ROM and leave them in the >> server. > In today's same day exploits, using something like tripwire for H.I.D.S. > may not pro

Re: hardening checkpoints

2005-12-15 Thread kevin bailey
Alvin Oga wrote: > > > On Thu, 15 Dec 2005, kevin bailey wrote: > >> was recently rootkitted on a debian machine because i'd left an obscure >> service running. > > if you know how they got in .. i assume you have since fixed it my guess it was the miniserv.pl run by webmin - it had a securit

Re: hardening checkpoints

2005-12-15 Thread kevin bailey
> You can limit your FTP server to listen for data connections on a > specific port only (eg, ftp-data, or 20). Then you only have to allow > connections to ports 20 and 21. but after the initial connection doesn't the server then wait for the data connection on a port in a range above 1065? >

Re: hardening checkpoints

2005-12-15 Thread Stefan Denker
On Thu, Dec 15, 2005 at 07:43:39AM -0600, Will Maier wrote: > > 4. enhance authentication > > maybe set up ssh access by authorised keys only - but again this > > has a problem when i need to log in to the server from a putty > > session on a PC in an internet cafe . > You could keep your key on a

Re: hardening checkpoints

2005-12-15 Thread kevin bailey
Jeffrey L. Taylor wrote: > Quoting kevin bailey <[EMAIL PROTECTED]>: > [snip] >> 4. enhance authentication >> >> maybe set up ssh access by authorised keys only - but again this has a >> problem when i need to log in to the server from a putty session on a PC >> in an internet cafe . >> > > Buy

Re: hardening checkpoints

2005-12-15 Thread kevin bailey
> > I suggest you set up host based firewalling, where iptables limits > incoming/forwarding/outgoing traffic to whatever services you are > running. This is especially important if you're running a webserver and > allow user cgi uploads, or cgi's with vulnerabilities are already > installed. For ex

Re: hardening checkpoints

2005-12-15 Thread Klaus Holler
On Thursday, 15 December 2005 14:26, Dale Amon wrote: > On Thu, Dec 15, 2005 at 12:27:01PM +, kevin bailey wrote: > > 2. firewall > > now i'm not sure about the need for a firewall - i may need to access the > > server over ssh from anywhere. also, to run FTP doesn't the server need > > to

Re: hardening checkpoints

2005-12-15 Thread Vittorio R Tracy
On Thu, 2005-12-15 at 12:27 +, kevin bailey wrote: > hi, > > was recently rootkitted on a debian machine because i'd left an obscure > service running. > > now i've generally relied on debian issuing security patches but i thought i > should be more proactive RE security. > > here's my propo

Re: hardening checkpoints

2005-12-15 Thread Jeffrey L. Taylor
Quoting kevin bailey <[EMAIL PROTECTED]>: [snip] > 4. enhance authentication > > maybe set up ssh access by authorised keys only - but again this has a > problem when i need to log in to the server from a putty session on a PC in > an internet cafe . > Buy a laptop. Trusting an unknown PC in an
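Several replies in this thread converge on key-only SSH (Will Maier, Stefan Denker, Michelle Konzack, Jeffrey L. Taylor) and on locking the daemon down to known sources (Alvin Oga's hosts.deny "ALL : ALL"). What none of them show is how to verify that the sshd_config you end up with actually says what you think. The following is an added example, not code from the thread: a small audit that reports the effective value of each authentication directive using sshd's own rules, namely that the first occurrence of a keyword wins and that only the part before the first Match line applies globally. Appending "PasswordAuthentication no" to the end of a distribution default file, the most common hand edit, is exactly what those rules defeat. The sample config is constructed for the example; the directive list and expected values are the example's own choices.

```shell
#!/bin/sh
# Added example, not from the thread: audit sshd_config the way sshd reads it.
# The sample configuration below is constructed for this example.

# Print the effective global value of KEYWORD in FILE, or nothing if unset.
# sshd semantics: comments/blank lines ignored, keyword case-insensitive,
# "Keyword value" or "Keyword=value", FIRST occurrence wins, and anything
# after the first "Match" line is conditional and does not count globally.
sshd_effective() {   # sshd_effective FILE KEYWORD
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        { gsub(/[[:space:]]*=[[:space:]]*/, " ") }   # normalise Keyword=value
        tolower($1) == "match" { exit }              # leave the global section
        tolower($1) == key     { print tolower($2); exit }
    ' "$1"
}

# Report a finding (and return 1) when KEYWORD in FILE is not WANT.
sshd_expect() {      # sshd_expect FILE KEYWORD WANT
    got=$(sshd_effective "$1" "$2")
    [ "$got" = "$3" ] && return 0
    printf '%s: want %s, got %s\n' "$2" "$3" "${got:-<unset>}"
    return 1
}

# The settings a key-only, no-root-login server should have explicitly.
# Returns 1 if any finding was printed.
audit_sshd_config() {   # audit_sshd_config FILE
    f="$1"; rc=0
    sshd_expect "$f" PasswordAuthentication no           || rc=1
    sshd_expect "$f" ChallengeResponseAuthentication no  || rc=1   # keyboard-interactive path
    sshd_expect "$f" PubkeyAuthentication yes            || rc=1
    sshd_expect "$f" PermitRootLogin no                  || rc=1   # require it explicitly
    return $rc
}

# Constructed sample: looks hardened at a glance, but the earlier
# "PasswordAuthentication yes" wins and PermitRootLogin is only set
# inside a Match block, so globally it is unset.
write_sample_config() {   # write_sample_config FILE
    cat > "$1" <<'EOF'
# constructed sshd_config fragment for the example
Port 22
PasswordAuthentication yes
PubkeyAuthentication yes
ChallengeResponseAuthentication = no
PasswordAuthentication no
Match User backup
    PermitRootLogin no
EOF
}

case "${1:-}" in
    demo) tmp=$(mktemp); write_sample_config "$tmp"; audit_sshd_config "$tmp"; rm -f "$tmp" ;;
    "")   ;;
    *)    audit_sshd_config "$1" ;;
esac
```

Running it against the sample prints two findings: PasswordAuthentication is effectively "yes", and PermitRootLogin is unset. Run it with the real path after every edit and follow it with `sshd -t` (syntax) and `sshd -T` (sshd's own dump of effective values) before restarting. One caveat for the hosts.deny advice in the thread: OpenSSH removed tcp_wrappers (libwrap) support in 6.7, so on current systems /etc/hosts.allow and /etc/hosts.deny no longer restrict sshd at all; use firewall rules or `AllowUsers user@host` patterns instead.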

Re: hardening checkpoints

2005-12-15 Thread Sam Morris
kevin bailey wrote: 2. firewall now i'm not sure about the need for a firewall - i may need to access the server over ssh from anywhere. also, to run FTP doesn't the server need to be able to open up a varying number of ports. You can limit your FTP server to listen for data connections on a

Re: hardening checkpoints

2005-12-15 Thread Alvin Oga
On Thu, 15 Dec 2005, kevin bailey wrote: > was recently rootkitted on a debian machine because i'd left an obscure > service running. if you know how they got in .. i assume you have since fixed it if you do not know how they got in ... - time to change security policy big time to prev

Re: hardening checkpoints

2005-12-15 Thread Matt
Kevin - kevin bailey wrote: 1. before attaching server to network install and configure tripwire. and could possibly put key executables on to CD-ROM and leave them in the server. In today's same day exploits, using something like tripwire for H.I.D.S. may not prove useful... By the time tripwi

Re: hardening checkpoints

2005-12-15 Thread tomasz abramowicz
kevin bailey wrote: hi, was recently rootkitted on a debian machine because i'd left an obscure service running. which one? 2. firewall now i'm not sure about the need for a firewall - i may need to access the server over ssh from anywhere. also, to run FTP doesn't the server need to be abl

Re: hardening checkpoints

2005-12-15 Thread Will Maier
On Thu, Dec 15, 2005 at 12:27:01PM +, kevin bailey wrote: > now i've generally relied on debian issuing security patches but i > thought i should be more proactive RE security. This is very important, as you're now aware. The most secure OS in the world is only as secure as the admin makes it.

Re: hardening checkpoints

2005-12-15 Thread Dale Amon
On Thu, Dec 15, 2005 at 12:27:01PM +, kevin bailey wrote: > 2. firewall > now i'm not sure about the need for a firewall - i may need to access the > server over ssh from anywhere. also, to run FTP doesn't the server need to > be able to open up a varying number of ports. There is a way aroun
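The FTP question kevin bailey raises (and that Sam Morris and Dale Amon answer above) has two workable answers on Linux: pin the server's passive data-port range and open only that, or load the FTP connection-tracking helper and accept RELATED connections. The following is an added example, not code from the thread: a generator for an iptables-restore ruleset that takes the first route, refuses an invalid passive range, and puts the management SSH rule ahead of everything else so no later rule can shadow it. The address 192.0.2.10, the 50000:50100 range and the web port are assumptions for the example; the default policy is DROP with a stateful accept, which is what turns "a varying number of ports" into two fixed rules.

```shell
#!/bin/sh
# Added example, not from the thread: emit an iptables-restore ruleset for a
# web/FTP host whose FTP server is pinned to a fixed passive port range.
# Addresses and ports are placeholders chosen for the example.

# Validate a passive range: numeric, unprivileged, ordered, within 16 bits.
check_pasv_range() {   # check_pasv_range MIN MAX
    for p in "$1" "$2"; do
        case "$p" in
            ""|*[!0-9]*) echo "passive port '$p' is not numeric" >&2; return 1 ;;
        esac
    done
    if [ "$1" -lt 1024 ] || [ "$2" -gt 65535 ] || [ "$1" -gt "$2" ]; then
        echo "bad passive range $1:$2 (need 1024 <= min <= max <= 65535)" >&2
        return 1
    fi
}

# Print a complete filter table. Order matters: the management SSH accept
# is the first rule in INPUT, ahead of the stateful accept and the service
# rules, so a later mistake cannot lock the administrator out.
gen_ruleset() {   # gen_ruleset MGMT_IP PASV_MIN PASV_MAX
    mgmt="$1"; pmin="$2"; pmax="$3"
    check_pasv_range "$pmin" "$pmax" || return 1
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# management SSH first, so nothing below can shadow it
-A INPUT -p tcp -s $mgmt --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# FTP control channel
-A INPUT -p tcp --dport 21 -m conntrack --ctstate NEW -j ACCEPT
# FTP passive data channel, pinned to the range the FTP server is configured for
-A INPUT -p tcp --dport $pmin:$pmax -m conntrack --ctstate NEW -j ACCEPT
# web
-A INPUT -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

# Usage: ./ftp-rules.sh gen 192.0.2.10 50000 50100 > /etc/firewall/new.rules
#        iptables-restore --test /etc/firewall/new.rules   # syntax check first
case "${1:-}" in
    gen) gen_ruleset "$2" "$3" "$4" ;;
esac
```

The server side has to agree with the range the ruleset opens; for vsftpd (an assumed choice, other servers have equivalents) that is `pasv_enable=YES`, `pasv_min_port=50000`, `pasv_max_port=50100`. Active-mode clients, where the server connects out from port 20, are covered by the OUTPUT ACCEPT policy and the ESTABLISHED,RELATED rule. The helper route (nf_conntrack_ftp) avoids pinning a range, but on kernels since 4.7 the helper is no longer attached automatically and needs an explicit `-t raw ... -j CT --helper ftp` rule on port 21; whichever route you pick, check with `conntrack -L` that data connections are actually being tracked as RELATED rather than silently dropped.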

hardening checkpoints

2005-12-15 Thread kevin bailey
hi, was recently rootkitted on a debian machine because i'd left an obscure service running. now i've generally relied on debian issuing security patches but i thought i should be more proactive RE security. here's my proposed checklist to carry out for securing a domain server - i.e. one which