| 1 |
First of all, thanks everyone for your replies. I really appreciate |
| 2 |
the help. I'll be testing snort, since it was the most mentioned one. |
| 3 |
|
| 4 |
I'm also going to test bastille. Had a problem emerging psad, one of |
| 5 |
its dependencies. I'll send the error message later. |
| 6 |
|
| 7 |
I made all the tests with nmap to check if the firewall was working |
| 8 |
OK, the results took more from 90 to 150 minutes. And it actually said |
| 9 |
that my Gentoo Server was a Longhorn beta machine and that the SSH |
| 10 |
service was an HTTP proxy. I assume that is a good thing. Not only the |
| 11 |
attacker would have to be very patient, but also the results would be |
| 12 |
confusing. Besides, since it is not replying to ping, some people |
| 13 |
would actually think that the host is down and ignore it. |
| 14 |
|
| 15 |
I used Authforce to test if it would be easy to brute force HTTP |
| 16 |
authentication. It replied that it didn't find any passwords. Again, a |
| 17 |
good thing. |
| 18 |
|
| 19 |
About the Honey Pot. I'll read about it later. My top priority is to |
| 20 |
have a good IDS running. ;) |
| 21 |
|
| 22 |
I need to get all the arguments I can, or else my department's chief |
| 23 |
I'll force me to migrate my Web Application to Java + Corba, and I |
| 24 |
don't want to do that. |
| 25 |
|
| 26 |
He claims that if someone invades my machine, it will have direct |
| 27 |
access to all data. That I have to distribute the database, put it in |
| 28 |
another machine and have the web application access that database over |
| 29 |
the network. I feel this is a bit overkill. Not only it would force |
| 30 |
the data travel through the network, slowing it down, but would also |
| 31 |
increase the complexity of the security layout, forcing to make the |
| 32 |
two machines very secure, unstead of just one of them. Besides, I |
| 33 |
might be wrong, but I feel that a Local Socket is faster and safer |
| 34 |
than Corba trasmitting data over the internal network. |
| 35 |
|
| 36 |
If anybody has any comments, I'd be more than happy to hear it. |
| 37 |
|
| 38 |
2005/8/3, Peter De Zutter <goanookie@×××××.com>: |
| 39 |
> |
| 40 |
> |
| 41 |
> On 8/3/05, Raphael Melo de Oliveira Bastos Sales <raphael.melo21@×××××.com> |
| 42 |
> wrote: |
| 43 |
> > Which IDS system do you recommend? I also need to worry about HTTP |
| 44 |
> > auth brute force. Know any way to stop it from happening? |
| 45 |
> |
| 46 |
> Snort, oinkmaster and ACID, there is a decent guide here . |
| 47 |
> About that http thingy, depends on how critical your apache is. It's worth |
| 48 |
> mentioning the O'Reilly book Linux Server Security. I bought it when I was |
| 49 |
> faced with a the things and problems that involve running a production |
| 50 |
> server. It gives a good general insight in the matter. |
| 51 |
> |
| 52 |
> |
| 53 |
> > I've read about HoneyPots, which I can only assume is a decoy for an |
| 54 |
> > attacker. Anyone knows how to set one up? |
| 55 |
> |
| 56 |
> Never don this before, but a quick google did find a little pdf on how to |
| 57 |
> setup a honeyput on a redhat. |
| 58 |
> Setting Up a Honeypot Using a. Bait and Switch Router , now if only could |
| 59 |
> have some spare time to check it out. It is hard to resist it not to try it. |
| 60 |
> |
| 61 |
> > I have a feeling that there isn't much I can do if a pro actually |
| 62 |
> > tries to break the system. All I can do is avoid the dummies from |
| 63 |
> > doing it as well. |
| 64 |
> |
| 65 |
> That sums it up pretty good. |
| 66 |
> Peter |
| 67 |
> |
| 68 |
> > |
| 69 |
> > 2005/8/3, Willie Wong <wwong@×××××××××.edu >: |
| 70 |
> > > On Tue, Aug 02, 2005 at 09:43:17PM -0400, Colin wrote: |
| 71 |
> > > > Neither is what I was thinking of, but they're quite similar. |
| 72 |
> > > > LoginGraceTime means if nobody logged in within 10 minutes of the |
| 73 |
> > > > connection being opened, then it will be closed. I don't know |
| 74 |
> > > > exactly what MaxAuthTries does, but I imagine after the sixth invalid |
| 75 |
> > > > login, the connection would be closed. |
| 76 |
> > > > |
| 77 |
> > > |
| 78 |
> > > Yes, and if the failure reaches half the number, all further failures |
| 79 |
> > > will be logged. In the case of |
| 80 |
> > > MaxAuthTries 6 |
| 81 |
> > > It means that the first three failures will go unnoticed, the fourth |
| 82 |
> > > through sixth logged, and the connection closes after that. |
| 83 |
> > > |
| 84 |
> > > There is, unfortunately, not an option in sshd_config to allow for the |
| 85 |
> > > behaviour you specified, where after a password failure, the next |
| 86 |
> > > prompt comes up delayed by five seconds. Perhaps if should be put as a |
| 87 |
> > > feature request (=. |
| 88 |
> > > |
| 89 |
> > > Your best bet against brute forcing sshd is |
| 90 |
> > > 1) Not allowing password login at all |
| 91 |
> > > or |
| 92 |
> > > 2) Use some sort of IDS coupled with a firewall rule to block the |
| 93 |
> > > particular host after multiple login failures. But even that |
| 94 |
> > > won't stop a distributed brute force. But then again, if you are |
| 95 |
> > > guarding a system that really demands that much security against |
| 96 |
> > > a determined cracker, you really should consider NOT putting the |
| 97 |
> > > system on the internet. |
| 98 |
> > > or |
| 99 |
> > > 3) Maybe port-knocking? Note that just by running ssh on a |
| 100 |
> > > non-standard port, you probably are avoiding most of the 5|<|21p7 |
| 101 |
> > > kiddie attacks... again, only someone who really wants in on your |
| 102 |
> > > system will take the effort to locate where sshd is listening. |
| 103 |
> > > |
| 104 |
> > > > I found this site, check it out. It's for Red Hat (Gentoo is |
| 105 |
> > > > better!), but it's the same SSHd: |
| 106 |
> > > > http://www.faqs.org/docs/securing/chap15sec122.html |
| 107 |
> > > -- |
| 108 |
> > > It's easy to come up with new ideas; the hard |
| 109 |
> > > part is letting go of what worked for you two |
| 110 |
> > > years ago, but will soon be out of date. |
| 111 |
> > > -- Roger Von Oech |
| 112 |
> > > Sortir en Pantoufles: up 2 days, 9:25 |
| 113 |
> > > -- |
| 114 |
> > > gentoo-user@g.o mailing list |
| 115 |
> > > |
| 116 |
> > > |
| 117 |
> > |
| 118 |
> > -- |
| 119 |
> > gentoo-user@g.o mailing list |
| 120 |
> > |
| 121 |
> > |
| 122 |
> |
| 123 |
> |
| 124 |
> |
| 125 |
> -- |
| 126 |
> I have plenty of common sense, |
| 127 |
> I just choose to ignore it. |
| 128 |
> --- Calvin |
| 129 |
> |
| 130 |
|
| 131 |
-- |
| 132 |
gentoo-user@g.o mailing list |
Archives