Crackers and correlations

Dave Hull dphull at insipid.com
Fri Oct 29 23:03:14 CDT 2004


Quoting Dustin Decker <dustin.decker at 1on1security.com>:

> > -----Original Message-----
> > From: kclug-bounces at kclug.org [mailto:kclug-bounces at kclug.org] On Behalf
> > Of Brian Densmore

[snip]

> > Keep in mind I'm running on an antique here: Pentium Pro 200 MHz @
> > 40MB RAM w/ ~8 GB of disk.

The last time I used Portsentry which (combined with tcpwrappers or iptables and
smtp service and a bit of shell scripting) will do what you're after, I ran it
on similar hardware under Red Hat 6.x. I didn't notice it taxing the system,
but I was only having it add entries to /etc/hosts.deny. The systems I needed
to get in from were all "whitelisted" in /etc/hosts.allow.

> reactive blocking isn't so much a science as an art.  Any reactive system
> has a tendency, once an attacker has deduced its use, to be a perfect
> denial of service tool.

Excellent point, that's one of the reasons I stopped using it.

Another was, if you're writing code that's going to take user input, it is often
repeated in secure programming literature that you should check the user input
and make sure it's sane, that it fits your application. It is assumed that you
know what valid inputs consist of, they probably aren't things like "' or
1='1". If you get a user input that doesn't fit your expectations, by all means
stop processing it and ask again or disconnect the user, etc.

Shouldn't this same idea apply to services on your system? Say you want to offer
SSH. Unless you're an ISP or something, you shouldn't need to offer SSH access
to any address anywhere. You know what IP ranges you generally operate from,
set your firewall to allow access from IPs within those ranges and deny
everything else.

Add another layer, configure SSH to only allow certain users remote access. By
all means, don't allow root to login remotely. Configure your MaxStartups
accordingly, and so on...

> If you want to get daring, you can look at snort in-line as well.  When
> traffic of a particular type occurs, you can intercept the responses from
> your system (or others hiding behind your snort install) and rewrite them
> on the way out.

I've got to take some time to play with Snort. I didn't know it could do that.
Are there signatures available for common problem traffic?

> Obviously there are pluses and minuses to pretty much everything.

[snip]

> Kerry or Bush - merely illusions of choice.

Nice.

> The same seems to be true of security - short of turning it off and
> locking it away, there is no silver bullet.

I hope you're locking it deep. Bunker busters are hell on computers.

--
Dave Hull
http://insipid.com
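As an added example (not part of the original post or of any project it mentions), the two ideas above in working code: treat a remote address like any other untrusted input and check it against an allow-list of the ranges you actually operate from, and audit an sshd_config for the settings the post names (PermitRootLogin, AllowUsers, MaxStartups). The sshd_config text and the address ranges are constructed sample data; the iptables lines are only generated as strings, not executed.

```python
"""Allow-list checks for SSH exposure: firewall ranges and sshd_config audit.

Added example, not code from the original mailing-list post. The config
excerpts and address ranges below are constructed samples.
"""
import ipaddress
import re

# Constructed "before" sshd_config: root login allowed, no user allow-list.
WEAK_SSHD_CONFIG = """\
# sshd_config (constructed sample)
Port 22
PermitRootLogin yes
#AllowUsers dave
MaxStartups 10:30:100
"""

# Constructed "after" sshd_config with the post's recommendations applied.
HARDENED_SSHD_CONFIG = """\
Port 22
PermitRootLogin no
AllowUsers dave
MaxStartups 10:30:60
"""

# Constructed sample: the ranges the administrator normally connects from.
TRUSTED_RANGES = ["192.0.2.0/24", "198.51.100.17/32"]


def parse_sshd_config(text):
    """Return {keyword_lower: value}. Comments and blank lines are skipped.
    sshd uses the first value given for a keyword, so the first one wins here too."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        settings.setdefault(key, value)
    return settings


def audit_sshd(settings):
    """Return a list of findings; an empty list means all three checks passed."""
    findings = []
    root = settings.get("permitrootlogin")
    if root is None or root.lower() != "no":
        # Defaults differ between OpenSSH versions, so require an explicit 'no'.
        findings.append("PermitRootLogin should be explicitly 'no' (found: %s)" % (root or "unset"))
    if "allowusers" not in settings and "allowgroups" not in settings:
        findings.append("no AllowUsers/AllowGroups: every local account may attempt a login")
    max_startups = settings.get("maxstartups")
    if max_startups is None:
        findings.append("MaxStartups unset: unauthenticated connection limit is the compiled-in default")
    elif not re.fullmatch(r"\d+(:\d+:\d+)?", max_startups):
        findings.append("MaxStartups has an unparseable value: %r" % max_startups)
    return findings


def is_trusted_source(addr, trusted_ranges):
    """Allow-list check: True only if addr falls inside one of the known ranges.
    Malformed input raises ValueError rather than being silently accepted."""
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(cidr) for cidr in trusted_ranges)


def ssh_allowlist_rules(trusted_ranges, port=22):
    """Build iptables commands that accept SSH only from the trusted ranges and
    drop everything else. strict network parsing rejects host bits set in a
    prefix (e.g. 192.0.2.1/24), so a typo fails closed instead of widening access."""
    rules = []
    for cidr in trusted_ranges:
        net = ipaddress.ip_network(cidr)  # strict=True by default
        rules.append("iptables -A INPUT -p tcp --dport %d -s %s -j ACCEPT" % (port, net))
    rules.append("iptables -A INPUT -p tcp --dport %d -j DROP" % port)
    return rules


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_SSHD_CONFIG), ("hardened", HARDENED_SSHD_CONFIG)):
        print("%s config: %s" % (label, audit_sshd(parse_sshd_config(cfg)) or "OK"))
    for rule in ssh_allowlist_rules(TRUSTED_RANGES):
        print(rule)
    print("192.0.2.55 trusted:", is_trusted_source("192.0.2.55", TRUSTED_RANGES))
```

The generated rule list is meant to be reviewed and then applied by hand; the order matters, since the final DROP only catches what the earlier ACCEPT lines did not match.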