On Wed, 2004-06-09 at 03:32, Sagara Wijetunga wrote:
>
> Here I have almost no choice, just have budget for one
> server :(

That's what I figured. Thus the info I included at the end of my post.

>
> > 17. /sbin/iptables -P OUTPUT ACCEPT
>
> Could you elaborate this a bit? What are the possible
> outbound transports and what are the possible
> solutions?

This rule permits any outbound session establishment. This means if an attacker can exploit one of your exposed services they can use anything they want (HTTP, FTP, TFTP, etc. etc.) as an outbound session to transfer a toolkit/rootkit. A better solution may be to only permit the types of outbound access that you actually need to support (outbound DNS, SMTP, etc.).

> Our intention is to host the server in a data center. Our
> server is not required to act as a client other than
> receiving mail from other SMTP servers. We do not even
> offer recursive DNS. Is the SMTP the client service
> that you refer to?

By "client services" I was referring to the rule above that permits all outbound traffic. Sorry I was not clear. Typically with a server you only permit the types of outbound access that you know you will need to support. I was assuming that the box was going to act as someone's desktop because of the "permit anything outbound" rule.

> Could you kindly elaborate payload-based attacks? Is
> it the packet rate per second? And what are the
> possible solutions for payload-based attacks?

iptables controls traffic at the header level (IP address, port numbers, transport, etc.). So while you can use iptables to ensure that only TCP/80 traffic reaches your Web server, this does not protect you against someone launching an HTTP-based attack through port TCP/80. Sure you can use "--string" to match on payload, but unless you define every possible attack pattern and ensure that people never fragment their data stream it's not going to be effective. To protect against payload-based attacks you need to use a proxy.

Squid is an excellent example of software you can run to help protect a Web server from payload-based attacks (especially if you run Jean on top of Squid). Of course the problem is you only have one box to work with so trying to proxy every service is not going to happen. This is one of the risks you are going to have to live with because of the design. :(

>
> > Some other things you could do to mitigate this
> > risk:
> > Set up an automatic patching system
> > Set up Tripwire or Aide to check system integrity
> > Set up another system to collect the logs off of this
> > system
> > Set up Swatch or a similar tool to check these logs
> > Set up an IDS
>
> Could you point me to learn more into above setup
> subjects?

Some additional reading you might find helpful:

http://www.novell.com/products/desktop/update.html
http://sourceforge.net/projects/aide
http://www.loganalysis.org/
http://www.snort.org/

HTH,
Chris
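The outbound allow-list described in the reply above (default DROP on OUTPUT, open only the DNS and SMTP the mail server needs), as an added example that is not part of the original thread. It emits an iptables-restore fragment for review rather than touching the live firewall; the interface name and resolver addresses are assumptions.

```shell
#!/bin/sh
# Added example: replaces "iptables -P OUTPUT ACCEPT" with an explicit
# allow-list so a compromised service cannot open arbitrary outbound
# sessions to fetch a toolkit. Assumptions (not from the thread): public
# interface is eth0, and the resolvers below are constructed placeholders.
IFACE="eth0"
RESOLVERS="192.0.2.53 198.51.100.53"

# Emit the filter-table OUTPUT chain in iptables-restore format. INPUT and
# FORWARD policy are expected to come from the rest of the ruleset.
gen_outbound_rules() {
    cat <<EOF
*filter
:OUTPUT DROP [0:0]
# Loopback traffic is always allowed
-A OUTPUT -o lo -j ACCEPT
# Replies to sessions that came in from outside (inbound SMTP, DNS queries)
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
EOF
    for r in $RESOLVERS; do
        echo "# Outbound DNS to resolver $r (MX and reverse lookups)"
        echo "-A OUTPUT -o $IFACE -p udp -d $r --dport 53 -m state --state NEW -j ACCEPT"
        echo "-A OUTPUT -o $IFACE -p tcp -d $r --dport 53 -m state --state NEW -j ACCEPT"
    done
    cat <<EOF
# Outbound SMTP so the MTA can deliver mail; a patch mirror would need its own rule
-A OUTPUT -o $IFACE -p tcp --dport 25 -m state --state NEW -j ACCEPT
# Everything else (HTTP, FTP, TFTP, ...) is logged, then dropped by the chain policy
-A OUTPUT -j LOG --log-prefix "OUTPUT-DROP: "
COMMIT
EOF
}

# Number of rules that open a NEW outbound session: the list to audit
# against what the server actually needs to initiate.
count_new_session_rules() {
    gen_outbound_rules | grep -c -- '--state NEW -j ACCEPT'
}

gen_outbound_rules
```

Review the output, then load it with `sh gen_rules.sh | iptables-restore --noflush` if the rest of the ruleset is already in place.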