From: JT on
On 12/04/10 17:50, houghi wrote:
> JT wrote:
>
>>> What you see is people first do it at home as it is only for them. Then
>>> they do it at home, as it is only their server. The next step is clearly
>>> doing it at the office and before you know it, everybody is using a
>>> different port. That then means many places will not give you the access
>>> you need.
>>>
>>>
>> Actually they will ;-) But on a non-expected port. But you might indeed
>> need the port to be right as well, in which case you would be right. ;-)
>>
> What I mean is that if I am working at company X, they can have ports
> filtered, except for standard ports. So this means that e.g. 22 is open as
> I would need it for SSH access for my job. But the SSH server is
> configured at 2222 and that port is closed to the outside world.
>
> So either the company opens a port or the other puts ssh on the standard
> port. I can argue that they need to open a port so I can use a service.
> I can not argue to open some random port, because the other party is
> lazy.
>
> Obviously there might be situations where they block and I would need
> SSH access. However then it is up to the company what is more important
> to them. Closed port 22 or the SSH access I need to do my work.
>
> Some make it very hard on themselves and start making all kinds of
> difficult configurations where they then open more than they intended.
> :-D
>
> houghi
>
That's what I meant with: obfuscation != security ;-)

--
Kind regards, JT

From: Chris Cox on
On Mon, 2010-04-12 at 19:10 +0200, JT wrote:
....
> That's what I meant with: obfuscation != security ;-)
>

I think I can pretty much prove that most computer
security IS obfuscation. Obfuscation is not a bad thing,
it's used for passwords, SSL, SSH, etc.

From: Moe Trin on
On Sun, 11 Apr 2010, in the Usenet newsgroup alt.os.linux.suse, in article
<Uqwwn.50107$iu2.16363(a)newsfe15.iad>, Will Honea wrote:

>Moe Trin wrote:

>> You could use 'whois' to get a better handle on the number/size
>> of ranges.

>I've been giving this some thought. Around here Qwest, Comcast, and
>Verizon/ATT are the big boys.

It depends on where you are. You mention comcast - I know they have
a _LOT_ of ranges, including a /8. They allocate blocks within the
several states, and regions (I'm aware of over 1300 such blocks).
Verizon/ATT is about the same. None of the providers allocate
addresses in a "convenient" scheme that allows easy filtering. For
example:

[compton ~]$ grep 'Comcast Cable COLO' address.blocks | tail -5
74.153.0.0 - 74.153.255.255 Comcast Cable COLORADO-CDV-6
76.25.0.0 - 76.25.255.255 Comcast Cable COLORADO-24
76.120.0.0 - 76.120.127.255 Comcast Cable COLORADO-25
98.49.0.0 - 98.49.255.255 Comcast Cable COLORADO-CDV-8
98.245.0.0 - 98.245.255.255 Comcast Cable COLORADO-26
[compton ~]$

>Just what I need - another project. Now we're cutting into fishing
>time!

Well, you do have to set your priorities correctly. Your best bet may
be to look at your logs and see what _valid_ addresses are used, then
use 'whois' to see how big that/those specific range[s] is/are.

Old guy

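Added example (mine, not from the post or from any whois tooling) that turns range lines like the grep output above into the CIDR networks a firewall rule set would need, reports how many addresses they cover, and looks up which block an address falls in; it also handles the general case of a range that does not sit on a single block boundary. The sample input is copied from the post's output; the function names are my own.

```python
from ipaddress import ip_address, summarize_address_range

# Sample input copied from the grep output in the post above (the full
# address.blocks file is not reproduced here).
ADDRESS_BLOCKS = """\
74.153.0.0 - 74.153.255.255 Comcast Cable COLORADO-CDV-6
76.25.0.0 - 76.25.255.255 Comcast Cable COLORADO-24
76.120.0.0 - 76.120.127.255 Comcast Cable COLORADO-25
98.49.0.0 - 98.49.255.255 Comcast Cable COLORADO-CDV-8
98.245.0.0 - 98.245.255.255 Comcast Cable COLORADO-26
"""

def parse_blocks(text):
    """Turn 'first - last name' lines into (name, [CIDR networks]) pairs.
    A range that is not one aligned block becomes several networks."""
    blocks = []
    for line in text.splitlines():
        first, _, rest = line.partition(" - ")
        last, _, name = rest.partition(" ")
        nets = list(summarize_address_range(ip_address(first), ip_address(last)))
        blocks.append((name, nets))
    return blocks

def to_cidr(text):
    """The CIDR form a firewall rule set would need, one entry per network."""
    return [str(net) for _, nets in parse_blocks(text) for net in nets]

def address_count(text):
    """How many addresses the listed blocks cover in total."""
    return sum(net.num_addresses for _, nets in parse_blocks(text) for net in nets)

def block_for(ip, text):
    """Name of the block containing ip, or None if it is outside all of them."""
    addr = ip_address(ip)
    for name, nets in parse_blocks(text):
        if any(addr in net for net in nets):
            return name
    return None
```

Five scattered blocks in four different /8s already amount to well over a quarter of a million addresses, which is the "no convenient scheme" problem in numbers.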
From: Moe Trin on
On Mon, 12 Apr 2010, in the Usenet newsgroup alt.os.linux.suse, in article
<slrnhs62lq.99l.houghi(a)penne.houghi>, houghi wrote:

>Moe Trin wrote:

>>>> 2) Use whitelisting and only allow certain IP addresses and/or ranges.

>> I consider both more desirable than the log readers. YMMV.

>I do not like the log readers nor do I like the above.

BlockHosts uses regular expressions to detect repeated probes into your
system, by trying to match the regular expressions to lines in the
system log files.

That's from the FAQ. This is from the README

Block IP Addresses based on login or access information in system logs.

Or have you found some other application named 'BlockHosts'?

>> It's slightly less of a performance hit doing it that way than
>> individually listing each "bad" IP address in your firewall. Ever
>> think about how many CPU cycles you're wasting wading through that
>> long list of "bad" addresses? (A ten minute block time is more than
>> enough to deter the 'bot or skript kiddiez.)

>Long list? Each time I look I see about 5 IP addresses blocked (and 6
>in the allow list) To me that is better than having a crontab running
>every 10 minutes when there was no attack, so running it is useless or
>waiting 10 minutes while I receive an attack.

The bad guy attempts a login and fails. That failure data is put into
the system logs. Blockhost (and the other similar "tools") looks at
the logs during its chunk of CPU time, and on seeing the failure
message, puts a block line into /etc/hosts.deny (most log-readers)
and/or creates a host block rule in the firewall (some log-readers).
Some of these "Self Denial Of Service Attack" tools make the entry
permanent - some run a separate 'remove the rule after NN time'
function. By the way, did you check your crontabs to see that
Blockhost isn't using cron for some functions? It's in the docs.

>> White listing is the same as moving the port. It is not a substitute
>> for authentication. It reduces the number of attempts.

>With whitelisting I mean you whitelist some very few IP addresses, like
>the one from your work, one from your provider's ssh server, one from
>your mom's place. Not adding all the IP ranges of all European countries.

My firewall allows _inbound_ access from a /22 and two /24s "outside"
or a total of 1530 addresses, because I can't see any reason to allow
connections from you or anyone else that I haven't approved in advance,
and I really don't expect authorized users to be connecting from
Kazakhstan, Kenya, Kiribati, Korea, or Kuwait or a lot of other places
either. Lest someone from those countries object, I also don't allow
access from nearly all ISPs in North America.

>> Be careful about using high ports. Many places block _outbound_
>> access to what they consider "non-standard" ports. At work, the
>> users are allowed access to _very_few_ ports, because management
>> has decreed that the users have no need to access those ports. You
>> may also find places put a proxy between you and the world for the
>> same reason. Choosing low port numbers OTHER THAN 20-25 and
>> such _may_ offer a better chance of connecting.

>And that is why I leave it at 22, among other reasons.

I moved it several years ago - no problems. I really don't care if
others have a problem connecting to my system. Those I want/allow
to connect know about the non-standard port. The skript kiddiez and
'bots may try to connect to 22/tcp, and as nothing is there, they
move on to some other easy target.

>To me BlockHosts is great against pollution of your logfiles.

If you're happy with it - that's fine. Moving the port, and
severely restricting the address range is just as easy. In the rare
event that I need to connect from a non-pre-approved IP, I can use a
variation of port knocking - I attempt to connect to (closed) port ZZ.
The firewall sees that attempt, and momentarily opens port YY for that
address. If login/authentication fails, it's no worse than before, but
I don't have that noise in the logs either.

Old guy

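Added example, my own and not BlockHosts' code, that models the log-reader mechanism described above: failed sshd logins are matched by regular expression, a source is blocked after a few failures inside a short window, the block expires after ten minutes (the "remove the rule after NN time" function), and addresses on a pre-approved allow list of a /22 plus two /24s (1530 usable addresses, the figure in the post) are never blocked, so a legitimate user's typos cannot lock them out. The log lines, networks, host name and names are constructed.

```python
import re
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sshd log lines: 203.0.113.5 is a probing bot, 198.51.100.7 a user mistyping a password.
SAMPLE_LOG = """\
Apr 12 19:10:01 compton sshd[4711]: Failed password for root from 203.0.113.5 port 40122 ssh2
Apr 12 19:10:03 compton sshd[4711]: Failed password for root from 203.0.113.5 port 40123 ssh2
Apr 12 19:10:05 compton sshd[4712]: Failed password for invalid user admin from 203.0.113.5 port 40124 ssh2
Apr 12 19:10:30 compton sshd[4713]: Failed password for houghi from 198.51.100.7 port 50001 ssh2
Apr 12 19:11:00 compton sshd[4713]: Failed password for houghi from 198.51.100.7 port 50002 ssh2
Apr 12 19:11:02 compton sshd[4714]: Failed password for houghi from 198.51.100.7 port 50003 ssh2
"""
WHITELIST = ["10.0.0.0/22", "198.51.100.0/24", "192.0.2.0/24"]  # hypothetical allow list: a /22 and two /24s
FAILED = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password "
                    r"for (?:invalid user )?\S+ from (?P<ip>[\d.]+) port \d+")

def parse_failures(log_text, year=2010):
    """Yield (timestamp, source address) for every failed sshd login in the text."""
    for m in filter(None, map(FAILED.match, log_text.splitlines())):
        yield datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S"), ip_address(m["ip"])

class LogReader:
    """Block a source after `threshold` failures inside `window`; the block is temporary
    and is dropped after `block_time` (the 'remove the rule after NN time' function)."""
    def __init__(self, whitelist, threshold=3, window=timedelta(minutes=5), block_time=timedelta(minutes=10)):
        self.whitelist = [ip_network(n) for n in whitelist]
        self.threshold, self.window, self.block_time = threshold, window, block_time
        self.failures, self.blocked = {}, {}   # ip -> [recent timestamps], ip -> block expiry
    def observe(self, ts, ip):
        """Record one failure; return True when it triggers a new block."""
        self.expire(ts)
        if ip in self.blocked or any(ip in net for net in self.whitelist):
            return False   # pre-approved addresses are never locked out by their own typos
        recent = [t for t in self.failures.get(ip, []) if ts - t <= self.window] + [ts]
        self.failures[ip] = recent
        if len(recent) < self.threshold:
            return False
        self.blocked[ip] = ts + self.block_time
        del self.failures[ip]
        return True
    def expire(self, now):
        self.blocked = {ip: t for ip, t in self.blocked.items() if now < t}  # drop expired blocks
    def deny_lines(self):
        return [f"sshd: {ip}" for ip in sorted(self.blocked)]  # as /etc/hosts.deny entries

def usable_hosts(networks):
    """Addresses minus network and broadcast per block: 1022 + 254 + 254 = 1530."""
    return sum(ip_network(n).num_addresses - 2 for n in networks)
```

Feed `parse_failures(SAMPLE_LOG)` through `LogReader(WHITELIST).observe` and only the bot ends up in `deny_lines()`; calling `expire` ten minutes later removes it again.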
From: Ulick Magee on
Chris Cox wrote:
> On Mon, 2010-04-12 at 19:10 +0200, JT wrote:
> ....
>> That's what I meant with: obfuscation != security ;-)
>>
>
> I think I can pretty much prove that most computer
> security IS obfuscation. Obfuscation is not a bad thing,
> it's used for passwords, SSL, SSH, etc.

Obfuscation isn't the same thing as 'security by obscurity' which IS a
bad thing.

Obfuscation would be picking a memorable word/phrase for a password and
then changing characters, etc. so it is no longer vulnerable to a
dictionary attack. Done right it can be nearly as secure as a fully
random password, while still being memorable.

SBO would be allowing someone who knows the right IP address and port to
get in with no password or a very weak one (not realising that ports can
be scanned, etc.)

Obfuscation is like getting a better lock fitted to your front door.
Security by obscurity is like putting the key under the doormat and
hoping nobody thinks to look there.

--

Ulick Magee

Free software and free formats for free information for free people.
Open Office for Windows/OSX/Linux: http://www.openoffice.org
openSUSE Linux: http://en.opensuse.org