[XCSSA] Security advice
Ben Floyd
dataplex17@hotmail.com
Thu, 31 Jan 2002 09:27:19 -0600
>That's good... don't do a "UseProtocol 2,1" as many suggest.
There is an effective root compromising exploit against both SSH1 and SSH2
floating around the blackhat circles right now that I've heard about. I
don't have source code for it, but I'm sure it will come up sometime. My
suggestion is to do host based allowances only and block everyone else. My
own firewall only allows SSH in from places that I know and trust. While
this isn't totally 100% effective (my friend gets rooted -> I get rooted),
it will help narrow down the list of possible attacks.
> > I have been advised that using IPchains is vulnerable to outside
>attacks.
> > Is this true? I know that SSH and HTTP are vulnerable, but how can you
> > hack a port that doesn't respond in the first place?
>Well.. I don't know about a vulnerability in the stack or ipchains
>kern.mod... didn't see anything on CERT. But depending on how ipchains
>is implemented, you can self inflict a DoS attack out of a simple
>stealth SYN attack (I've seen this happen).
I thought I saw something on bugtraq a while back about vulnerabilities in
the 2.2 kernel tcp stack? My suggestion would be to upgrade to 2.4 and
implement iptables, which has a lot better inspection and logging routines
built into it. My own firewall drops all connections (it does not deny
because I have been DoSed this way before) to ports I don't allow into (my
default rule is to DROP and then I allow connections to www, ssh2 (from
trusted hosts only!), and identd (I'm an IRC junkie ;)).
>For example, if someone pours SYNs at your box (to try to slow it down
>or DoS it) or hits randomports, and you have your ipchains set to
>respond to tightly (to block out various types of unwanted incoming
>traffic); then by closing off random (stealth) IPs, you slowly mask out
>large segments of the internet from getting to your box.
> > I'm open to suggestions on what I need to make sure that this router
> > stays (more or less) secure.
Snort! Snort can be set up to recognize known attacks and deny based on
that, and also comes w/ a very nice logging system. It catches a lot of
stuff that otherwise might go unnoticed as an attack by a simple ipchains
configuration.
>Unless someone else knows something more to watch out for with ipchains
>configs, that's all that comes to mind for me.
>
>
>Tweeks
>
>
> > I know that just having a public IP address
> > is bad enough to get hacked but I would like more info on this matter.
> >
> > Thanks!
> >
> > --
> > FIRESTORM_v1
> > "Partnership for an idiot-free America"
> > http://www.theratshack.net
> > http://lanparty.theratshack.net (One >NEW< lan party)
> >
> > _______________________________________________
> > XCSSA mailing list
> > XCSSA@xcssa.org
> > http://xcssa.org/mailman/listinfo/xcssa
>_______________________________________________
>XCSSA mailing list
>XCSSA@xcssa.org
>http://xcssa.org/mailman/listinfo/xcssa
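As an added example (not from the thread or any poster), here is an iptables INPUT ruleset that follows the stance in the reply above: default policy DROP rather than REJECT, ssh accepted only from a trusted-host list, www and identd open, and everything else logged before the policy drops it. The trusted-host addresses are constructed placeholders; the `APPLY` switch and the helper function names are this example's own.

```shell
#!/bin/sh
# Added example: an iptables INPUT policy in the spirit of the post above.
# DROP (not REJECT) means no RST/ICMP reply is generated for unwanted packets,
# so a flood of SYNs to closed ports cannot turn the box into a reply cannon.
# TRUSTED_SSH_HOSTS is a constructed placeholder list; replace with your own.
TRUSTED_SSH_HOSTS="${TRUSTED_SSH_HOSTS:-192.0.2.10 198.51.100.0/24}"

# Print the rules instead of applying them, so they can be reviewed first.
gen_rules() {
    echo "iptables -F INPUT"
    echo "iptables -P INPUT DROP"                       # default: silent drop
    echo "iptables -A INPUT -i lo -j ACCEPT"            # loopback
    echo "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A INPUT -p tcp --dport 80 -j ACCEPT"   # www, open to all
    for h in $TRUSTED_SSH_HOSTS; do                     # ssh, trusted hosts only
        echo "iptables -A INPUT -p tcp -s $h --dport 22 -j ACCEPT"
    done
    echo "iptables -A INPUT -p tcp --dport 113 -j ACCEPT"  # identd
    # Log what is about to hit the DROP policy, rate limited so the log
    # itself cannot be used to fill the disk.
    echo "iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix 'INPUT-DROP: '"
}

# Number of -A rules generated for the named chain (used for sanity checks).
count_rules() {
    gen_rules | grep -c -- "-A $1 "
}

if [ "${APPLY:-0}" = "1" ]; then
    gen_rules | sh          # apply for real (needs root)
else
    gen_rules               # review mode: just print the commands
fi
```

Run it plainly to review the generated commands; run with `APPLY=1` as root to load them.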