Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email email@example.com
From: Tonnerre Lombard (tonnerre.lombardsygroup.ch)
Date: Tue Feb 12 2008 - 06:20:24 CST
On Tue, 12 Feb 2008 03:21:20 -0500, Keith Kilroy wrote:
> Lock down your server so only needed ports are open, move ssh above
> the norm scan range, setup SNORT and learn how to use it, harden and
> update all progz. Check for web app holes.....buffer overflows etc.
While I agree with locking down and checking for vulnerabilities, I
personally think that Snort is snake oil. It hardly ever detected
attacks for me which could have harmed my systems. (There were quite a
bunch of them, but they went mostly unnoticed.)
There are behavior based, autolearning IDS modes, but I've had my
experiences with jumping in public parking lots (which caused terror
alert because the IDS wasn't used to people jumping), so I am quite
sceptic of that as well.
> The only box that is safe is the one unplugged hdd removed and
> destroyed and rest of system locked in a closet.
Apart from the fact that you cannot destroy a hard disk in a way that
makes it unrecoverable (with expensive equipment and time), this is
> Just perform your due diligence and watch and archive your logs.
I agree here; and don't log to syslog on localhost, have a separate
logging host like syslog is intended to be used...
> are targeted at those guys), ever heard of DDOS and botnets. move all
> default ports you can and have their services report different than
> what is really there.
This is security by obscurity. If you just fiddle with the ports which
were open for a second, it is pretty easy to determine which service is
running on it. I see no point at all in all of this port changing.
> If you are detecting the brute force attacks then you can stop them.
Apart from the bandwidth induced, bruteforce attacks are pretty useless
if you have sanely chosen passwords. And in the age of Tengig networks,
the bandwidth penalty is minimal.
> anyway. Just try to stay ahead of the curve. Harden, log, respond. Oh
> yeah be sure to perform your backups, if someone besides a Script
I totally agree to backups though, for various reasons. ;-)
> [Lines of acute paranoia scrapped]
> securing your stuff and monitoring with dynamic blocking that times
> out after a period of time. Rank the attacker when it hits a 5
> blockem for 30 min then if it reoccurs and they achieve a high score
This is pretty useful for various purposes, also for saving bandwidth
used by brute force attackers. But I don't agree to ...
> write. Heck you can even google and download some to get you started.
...using any script Google finds, some have nasty bugs and blacklist
the wrong hosts (e.g. if you set an user name with spaces). You clearly
don't want your DNS server blacklisted, for example.
: No, a RAID1 is not a backup.
Tel:+41 61 333 80 33 GŁterstrasse 86
Fax:+41 61 383 14 67 4053 Basel
Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia - http://secunia.com/
- application/pgp-signature attachment: signature.asc