First of all, thanks everyone for your replies. I really appreciate
the help. I'll be testing snort, since it was the most mentioned one.

I'm also going to test bastille. Had a problem emerging psad, one of
its dependencies. I'll send the error message later.

I made all the tests with nmap to check if the firewall was working
OK; the results took from 90 to 150 minutes. And it actually said
that my Gentoo Server was a Longhorn beta machine and that the SSH
service was an HTTP proxy. I assume that is a good thing. Not only
would the attacker have to be very patient, but the results would also
be confusing. Besides, since it is not replying to ping, some people
would actually think that the host is down and ignore it.

I used Authforce to test if it would be easy to brute force HTTP
authentication. It replied that it didn't find any passwords. Again, a
good thing.

About the Honey Pot. I'll read about it later. My top priority is to
have a good IDS running. ;)

I need to get all the arguments I can, or else my department's chief
will force me to migrate my Web Application to Java + Corba, and I
don't want to do that.

He claims that if someone invades my machine, they will have direct
access to all data; that I have to distribute the database, put it in
another machine and have the web application access that database over
the network. I feel this is a bit overkill. Not only would it force
the data to travel through the network, slowing it down, but it would
also increase the complexity of the security layout, forcing me to make
two machines very secure instead of just one of them. Besides, I
might be wrong, but I feel that a Local Socket is faster and safer
than Corba transmitting data over the internal network.

If anybody has any comments, I'd be more than happy to hear them.

2005/8/3, Peter De Zutter <goanookie@×××××.com>:
>
>
> On 8/3/05, Raphael Melo de Oliveira Bastos Sales <raphael.melo21@×××××.com>
> wrote:
> > Which IDS system do you recommend? I also need to worry about HTTP
> > auth brute force. Know any way to stop it from happening?
>
> Snort, oinkmaster and ACID, there is a decent guide here.
> About that http thingy, depends on how critical your apache is. It's worth
> mentioning the O'Reilly book Linux Server Security. I bought it when I was
> faced with the things and problems that involve running a production
> server. It gives a good general insight into the matter.
>
>
> > I've read about HoneyPots, which I can only assume is a decoy for an
> > attacker. Anyone know how to set one up?
>
> Never done this before, but a quick google did find a little pdf on how to
> set up a honeypot on a redhat.
> Setting Up a Honeypot Using a Bait and Switch Router, now if only I could
> have some spare time to check it out. It is hard to resist trying it.
>
> > I have a feeling that there isn't much I can do if a pro actually
> > tries to break the system. All I can do is keep the dummies from
> > doing it as well.
>
> That sums it up pretty well.
> Peter
>
> >
> > 2005/8/3, Willie Wong <wwong@×××××××××.edu>:
> > > On Tue, Aug 02, 2005 at 09:43:17PM -0400, Colin wrote:
> > > > Neither is what I was thinking of, but they're quite similar.
> > > > LoginGraceTime means if nobody logged in within 10 minutes of the
> > > > connection being opened, then it will be closed. I don't know
> > > > exactly what MaxAuthTries does, but I imagine after the sixth invalid
> > > > login, the connection would be closed.
> > > >
> > >
> > > Yes, and if the failures reach half the number, all further failures
> > > will be logged. In the case of
> > > MaxAuthTries 6
> > > it means that the first three failures will go unnoticed, the fourth
> > > through sixth logged, and the connection closes after that.
> > >
> > > There is, unfortunately, not an option in sshd_config to allow for the
> > > behaviour you specified, where after a password failure, the next
> > > prompt comes up delayed by five seconds. Perhaps it should be put in as a
> > > feature request (=.
> > >
> > > Your best bet against brute forcing sshd is
> > > 1) Not allowing password login at all
> > > or
> > > 2) Use some sort of IDS coupled with a firewall rule to block the
> > > particular host after multiple login failures. But even that
> > > won't stop a distributed brute force. But then again, if you are
> > > guarding a system that really demands that much security against
> > > a determined cracker, you really should consider NOT putting the
> > > system on the internet.
> > > or
> > > 3) Maybe port-knocking? Note that just by running ssh on a
> > > non-standard port, you probably are avoiding most of the 5|<|21p7
> > > kiddie attacks... again, only someone who really wants in on your
> > > system will take the effort to locate where sshd is listening.
> > >
> > > > I found this site, check it out. It's for Red Hat (Gentoo is
> > > > better!), but it's the same SSHd:
> > > > http://www.faqs.org/docs/securing/chap15sec122.html
> > > --
> > > It's easy to come up with new ideas; the hard
> > > part is letting go of what worked for you two
> > > years ago, but will soon be out of date.
> > > -- Roger Von Oech
> > > Sortir en Pantoufles: up 2 days, 9:25
> > > --
> > > gentoo-user@g.o mailing list
> > >
> > >
> >
> > --
> > gentoo-user@g.o mailing list
> >
> >
>
>
>
> --
> I have plenty of common sense,
> I just choose to ignore it.
> --- Calvin
>

--
gentoo-user@g.o mailing list
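As an added example, not part of the thread or any participant's words: the "IDS coupled with a firewall rule to block the particular host after multiple login failures" that Willie suggests, written out as a small Python script. It parses sshd "Failed password" lines, counts failures per source address inside a sliding time window, and renders one iptables DROP rule per offender. The log lines, hostname, addresses, year, threshold and window below are all constructed for the demonstration; nothing here is taken from the poster's server or from psad/snort.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sshd syslog lines for the demonstration (not real log data).
# Five quick failures from 203.0.113.7, one accepted key login, and two
# failures from 198.51.100.9 spaced 45 minutes apart.
SAMPLE_LOG = """\
Aug  3 21:40:01 gentoo sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 40122 ssh2
Aug  3 21:40:03 gentoo sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 40122 ssh2
Aug  3 21:40:05 gentoo sshd[1201]: Failed password for root from 203.0.113.7 port 40122 ssh2
Aug  3 21:40:07 gentoo sshd[1205]: Failed password for root from 203.0.113.7 port 40130 ssh2
Aug  3 21:40:09 gentoo sshd[1205]: Failed password for root from 203.0.113.7 port 40130 ssh2
Aug  3 21:41:00 gentoo sshd[1210]: Accepted publickey for raphael from 198.51.100.5 port 51000 ssh2
Aug  3 21:45:00 gentoo sshd[1220]: Failed password for root from 198.51.100.9 port 50001 ssh2
Aug  3 22:30:00 gentoo sshd[1300]: Failed password for root from 198.51.100.9 port 50002 ssh2
"""

# Matches the classic OpenSSH failure line; "invalid user" is optional.
FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

LOG_YEAR = 2005  # syslog timestamps carry no year; assumed for the sample


def parse_failures(log_text):
    """Return (timestamp, source_ip) for each failed-password line, in file order."""
    events = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue  # accepted logins and unrelated noise are ignored
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S").replace(year=LOG_YEAR)
        events.append((ts, m.group("ip")))
    return events


def find_offenders(events, threshold=5, window=timedelta(minutes=10)):
    """Per-source sliding window: a host becomes an offender the moment it has
    `threshold` failures inside any span of `window`. Returns {ip: trigger_time}.
    Failures older than the window are dropped, so two attempts an hour apart
    do not accumulate."""
    recent = defaultdict(deque)
    blocked = {}
    for ts, ip in sorted(events):
        if ip in blocked:
            continue  # already decided; no need to keep counting
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            blocked[ip] = ts
    return blocked


def iptables_rules(blocked, chain="INPUT"):
    """Render one DROP rule per offender. Rules are returned as strings, not
    executed, so the caller decides how (and for how long) to apply them."""
    return [f"iptables -I {chain} -s {ip} -j DROP" for ip in sorted(blocked)]


if __name__ == "__main__":
    offenders = find_offenders(parse_failures(SAMPLE_LOG))
    for ip, when in offenders.items():
        print(f"{ip} hit the threshold at {when:%H:%M:%S}")
    print("\n".join(iptables_rules(offenders)))
```

Run against the sample, only 203.0.113.7 is blocked: it reaches five failures within eight seconds, while 198.51.100.9's two attempts fall outside the ten-minute window and the successful key login is never counted. In real use you would also want rule expiry and a whitelist for your own management hosts, and, as Willie points out in the quoted reply, counting per source address does nothing against a brute force spread over many addresses. Tools like psad (mentioned above as a bastille dependency) implement this idea properly; the script only shows the mechanism.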