Home page logo

basics logo Security Basics mailing list archives

Re: big security questions the deny access guy return
From: "John R. Morris" <jrmorris () nerdality com>
Date: Mon, 06 Dec 2004 21:50:04 -0500

Carlos Garcia wrote:

Well am a newbie in this area, but it seems that i have created a really
revolution in the list with my deny access question well as far as i could see you are a great folks that really want to help well i have a lot of question about security so i really need your help

Sure, I'll try to help.

first of all i want to change the services that run in our network i have red hat running in 3 servers one server have the dns1 the other have the dns2 webmail and mail the third one have squid for cache and proxy and an iptables based firewall the last one have the webmail running with zeus on irix so i really wan to make this servers with new services and as secure as posible so first question

about dns what bind do you recomend and how can i protect it i would like to install snort to see if somebody is trying to attack in my server so should i use bind 8 or bind 9 and should i use a chrooted schema or not? what other security risk do i have to address?

Putting bind in a chrooted jail is a good idea. As for versions, use the latest:
Either Bind 9.24 or 9.30 (I recommend 9.24 unless you need the new features from 9.30)

Here's a how-to on running Bind under Linux in a chrooted Jail:

And some good configuration options for securing BIND servers:

Those should give you some ideas as to how best to implement DNS securely at your site, Google can of course turn up many more tutorials and information should those prove insufficient.

about mail i was thinking in using postfix in place of sendmail is this a good idea? for gathering mail i was thinking in cyrus-imap and authentication tools but what would recomend me?

Postfix is easier to administer & configure and has less of a troubled past security-wise than Sendmail. I cut my teeth on Sendmail, and I'm so deeply accustomed to writing m4 macros for it now that I haven't really made the switch, but if you aren't heavily invested in using Sendmail for any reason, it's probably a saner and better choice.

Again, Cyrus-IMAP is good, and puts a lot more effort in my opinion into large scalability issues than UW's implementation, however I prefer UW. Either one, coupled with TLS/SSL for auth all around (both for IMAP and on the MTA side, SMTP+Auth to send is good). Don't forget to add in things Clam AV http://www.clamav.net/ and Spam Assassin, http://spamassassin.apache.org/, grab Procmail while you're at it, too, if it's not included by default, some users just won't feel at home without it.

should i use snor in every server or just one ?
iptables are good enough? and i have a lot more question but can we start with this ones? oh a last one somebody of the list says that it is not a good idea to use the router as firewall is this write? why?

Using snort on every server seems entirely excessive to me. Having snort in place on a SPAN port on it's own server as a central NIDS seems much more effective than using a bunch of instantiations of snort on each host for HIDS. Instead I think it's preferable to use the available IPtables, TCPWrappers, Inetd/Xinetd and so on to secure the box as much as possible from remote access, turn off unneeded services, and then make use of things like tripwire to keep an eye on the local files and so on.

Definitely consider having a central syslog server and logging from all your hosts to there, as well as from your routers & switches. Lire is a great companion to syslog (and other logs as well, like Apache):

Finally, as I was the one (or one of the ones) who said not to use your router as a firewall, I will elaborate a bit: Routers should have ACL rules in place to prevent bogus traffic (RFC 1918 addresses, etc), spoofed addresses pretending to be from your network, etc. That's usually referred to as ingress/egress filtering. In addition, it can also effectively be used to limit some protocols to the LAN or to a given VLAN if desired. Since routers do not in their pure form do any stateful inspection of packets, blocking things in ACL, like high numbered ports is not a good thing to do. A router that does stateful packet inspection has in reality become a firewall as well, and the objection is no longer valid. Here are some references explaining all of this in more detail, and better than I could:

Essentially, yes, you can filter on the router, but it's mostly not stateful (doesn't keep track of the connection state), excepting things like reflexive ACLs. This brings up 2 major issues, 1 is that it is easier to get through a router's ACLs than a full-on firewall, and 2, improper attempts to use a router as a firewall can lead to random network problems.

Example, you block incoming Windows RDP(TCP 3389). Someday you ssh in to a server of yours and your client grabs 3389 (it's higher than 1024 so it's usually not bound unless that host is already using it) to talk on, and voila! you router starts dropping your packets. Now instead of you, imagine it's one of your users, who then complains and has you spend time figuring out why the network is broken. That's my understanding of the issues. So stateless router ACL is limited to services on ports below 1024, and of less total effectiveness and usefulness than a full on IPtables firewall (or PIX, or Checkpoint, etc).

Other than that, my personal preference is to use Debian over Redhat. In any case, make sure all your hosts keep up to date on patches. Irix is quite a nice Unix, but inst is not my favorite package manager, whether you can switch to running a Linux server instead is up to you.



  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]