[olug] Security

Jeremy Bettis jeremyb at hksys.com
Mon Jan 7 16:20:44 UTC 2002


I recently learned the hard way about how important this can be.  Here is
how our new setup will be.


Totally Freaking Paranoid Firewall (TFP) - no logons at all except from the
console.  Will run a VPN server and DNS server running inside chroot only.

In the DMZ:  the DMZ does not allow connections to anywhere, but incoming
connections are allowed from the inside network and the internet. DMZ machines
still use tcp wrappers/ipchains/etc. to protect themselves from each other.
web/ftp/sendmail/sshd - TFP proxies these to this machine

The lesson is, always have a machine that is logging all connections to the
DMZ, so that when your web/ftp/sendmail/sshd/whatever machine gets hacked,
the hacker can't erase the logfiles (DOH!)

Also, the DMZ can't access the internet, since the hacker is most likely
going to install DDoS tools or use ftp to add more software to your machine.
If the machine can't get out, it's not as useful.
--
Jeremy Bettis
Software Development Manager
HKS Medical Information Systems.
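As an added example (not from Jeremy's post or from OLUG), the DMZ policy described above written as a stateful iptables ruleset instead of the ipchains/proxy setup he mentions: the interfaces eth0/eth1/eth2, the 192.168.x.x networks and the service ports are assumed. With IPT unset the script only prints the rules so they can be reviewed before being applied.

```shell
#!/bin/sh
# Assumed topology (constructed for this example, not from the post):
#   eth0 = internet, eth1 = DMZ 192.168.10.0/24, eth2 = internal LAN 192.168.1.0/24
# With IPT unset the rules are only printed; run with IPT=iptables to apply them.
WAN=eth0; DMZ=eth1; LAN=eth2
DMZ_NET=192.168.10.0/24
LAN_NET=192.168.1.0/24
IPT="${IPT:-echo iptables}"

dmz_rules() {
    # Nothing is forwarded unless a rule below allows it.
    $IPT -P FORWARD DROP

    # Replies belonging to an already-accepted connection may flow back.
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # Inbound to the DMZ services (web/ftp/sendmail/sshd) from the internet
    # and from the internal network.  Every NEW connection into the DMZ is
    # logged on the firewall first, so the record survives even if the DMZ
    # host is compromised and its own logs are wiped.
    for port in 80 21 25 22; do
        $IPT -A FORWARD -o "$DMZ" -d "$DMZ_NET" -p tcp --dport "$port" \
            -m conntrack --ctstate NEW -j LOG --log-prefix "DMZ-IN: "
        $IPT -A FORWARD -i "$WAN" -o "$DMZ" -d "$DMZ_NET" -p tcp --dport "$port" \
            -m conntrack --ctstate NEW -j ACCEPT
        $IPT -A FORWARD -i "$LAN" -s "$LAN_NET" -o "$DMZ" -d "$DMZ_NET" \
            -p tcp --dport "$port" -m conntrack --ctstate NEW -j ACCEPT
    done
    # (FTP data channels additionally need the nf_conntrack_ftp helper loaded
    # so that they match RELATED above.)

    # The DMZ may not open connections anywhere: not to the internet (no
    # fetching tools, no DDoS traffic out) and not into the internal network.
    # Attempts are logged, since an outbound attempt from a DMZ host is itself
    # a strong sign that the host has been compromised.
    $IPT -A FORWARD -i "$DMZ" -m conntrack --ctstate NEW -j LOG --log-prefix "DMZ-OUT-BLOCKED: "
    $IPT -A FORWARD -i "$DMZ" -j DROP
}

dmz_rules
```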
----- Original Message -----
From: "Brian Wiese" <bwiese at cotse.com>
To: <olug at bstc.net>
Sent: Friday, January 04, 2002 2:41 PM
Subject: Re: [olug] Security


> Exactly. Yes Nate, that is how it is done. :) We finally agree.
>
> On Fri, 4 Jan 2002 17:22:21 -0600
> David Walker <linux_user at grax.com> wrote:
>
> > That's why the pros run a demilitarized zone.  Any host on the internet is
> > considered a security risk and is not allowed free access to your internal
> > network.
> >
> > Firewall -
> > Web server
> > Name server
> > Mail server
> > 2nd level firewall -
> > The rest of your network
> > (or a slightly different configuration)
> > Firewall -
> > DMZ Zone
> > Web server
> > Name server
> > Mail server
> > The rest of your network Zone
> > The rest of your network
> >
> > Apache has a good security record over the past 4 years so it isn't a big
> > security risk but how you configure it and what scripts you run on it could
> > be risks.  Straight html files should be rather non-risky.
> >
> > I don't run sendmail so I can't really assess the risks but considering the
> > exploits I've heard about I would be wary.
> >
> > Since SSH is not intended for anonymous use I suggest moving it to a 5 digit
> > port where a scanner looking for it on port 22 isn't going to happen upon it.
> > That way if an exploit is released you have a bit more time to upgrade
> > before someone finds that you are running an exploitable version.
> >
> > I'm not comfortable running win2k on the internet without a firewall in front
> > of it.
> >
> > So, using your number system, I'd say
> > Apache 3
> > SSH 2
> > Sendmail 1
> > Win2k 1
> >
> > On Friday 04 January 2002 04:49 pm, you wrote:
> > > Wrong Brian....sorry the Brian I was referring to knows what I'm talking
> > > about...Also I'm glad that this has turned into a decent thread on
> > > security...what do we think is the risk factor of a computer whose only
> > > outside access is through SSH...but it still has internal network access
> > > how big of a risk factor is it to the internal network?  How about if that
> > > internal network were connected to someone else's private network over a
> > > VPN...would that person have reason to be concerned...as on the flip side
> > > the person running the SSH machine would have cause for concern over a
> > > Win2k Server having access to the internal network and thus his over the
> > > VPN....aren't they both equally bad security risks or is one worse than the
> > > other...Then what about running Sendmail, and Apache on a machine hooked
> > > also into the private network where does this fall?  I mean can we really
> > > be secure with any external access and where would people rank these risks
> > > 1-3, 1 being the highest risk and 3 being the lowest...here is what I say:
> > > 1) Apache and Sendmail, 2) SSH and 2) Win2k....I say the last two are lower
> > > because of all the exploits for sendmail...but I think SSH and Win2k are
> > > equally bad what do you all think?
> > >
> > > Thanks,
> > > Nate Rotschafer
> > >
> > >
> > > From: "Brian Roberson" <roberson at bstc.net>
> > >
> > > >Reply-To: olug at bstc.net
> > > >To: <olug at bstc.net>
> > > >Subject: Re: [olug] Security
> > > >Date: Fri, 4 Jan 2002 16:15:57 -0600
> > > >
> > > >Right! ??!!
> > > >
> > > > > night/this morning very well I believe...right Brian?  Just my $.02....
> > > >
> > > >-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_
> > > >
> > > >For help contact olug-help at bstc.net - run by ezmlm
> > > >to unsubscribe, send mail to olug-unsubscribe at bstc.net
> > > >or `mail olug-unsubscribe at bstc.net < /dev/null`
> > > >(c)2001 OLUG http://www.olug.org
> > > >
> > > >-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_
>
>
> --
> FREEDOM!  - Braveheart
>
>
>





