| Darxus on Mon, 4 Mar 2002 23:43:49 -0500 |
|
On 03/04, Jon Galt wrote: > With all my machines behind a linksys router, I would think what I need to > port scan is the linksys router on the WAN side, although I'm not sure how > to do this, unless it would be to unplug from the DSL modem and plug a > computer in place of it and scan from there. I don't think it's possible > to run nmap from within my LAN and scan the WAN side of the router, or is > it? Nope. You still want to portscan your server, from outside, *through* your router, to see what people would see from outside. Well, I guess if the only access to your server is ports forwarded from your router, then yes, you would portscan the IP of your router. If you would like me to portscan it for you, let me know in private and I'd be happy to - you're posting from the address which is listed as the admin and billing contact for the domain, so I figure you're sufficiently authoritative to request this. > Thank you, I already see security advisories, at linuxsecurity.com. Do > you have an opinion on SWUP? No. > > A good step to take is to remove all software that you don't need. Any > > program that is on the system is another possible security vulnerability. > > Is this still true with the Linksys router (BEFSR41) in place? One thing > I'm sure I should do is keep the Firmware up to date on the router. I don't think it's a step many people actually take, except possibly in the case of dedicated firewall machines. But yes, it is always helpful. If an intruder manages to get non-root shell access to your box, he could use another exploit in any installed application to gain root access. Having a router which is forwarding only authorized ports and firewalling everything else doesn't make you invulnerable. An exploit could be discovered in the latest version of apache - which you have given the entire world access to via the forwarded port 80. Two of the things that are very useful for securing servers are chrooting and chownig the application. chrooting is telling the application that a particular directory is actually the root of the filesystem, and not allowing it any access to any files outside of that directory, so if an exploit is used against it, only files within the chroot jail can be touched. chowning is running the application as a non-root user, which would mean if an exploit is used against the application, they will only get userlevel access instead of root level access. Chowining is common for a bunch of stuff, and chrooting is common for bind/dns, but I am wondering why chrooting apache isn't more common. I guess for the number of people that make user/public_html work as http://hostname/~user. But since I don't, it makes sense for me to chroot apache. > In my router logs, I notice a lot of attempted accesses of various ports, > one port (137) repeatedly attempted from 207.217.77.82. Since that port > (the Netbios SMB service) is not forwarded anywhere, I should be OK wrt to > that, right? There are others as well, and I'm guessing that anything > other than 80 (http), 25 (smtp), and 22 (ssh) should not constitute a > security risk...? Yeah, if you see connection attempts on ports you've got blocked, don't worry about it. You may want to look into http://www.dshield.org/ - they collect firewall logs and attempt to do useful things with them. -- "I would believe only in a God that knows how to Dance." - Nietzsche http://www.ChaosReigns.com Attachment:
pgpxC9vaYFKS7.pgp
|
|