From: MooseFET on 11 Apr 2010 12:11

On Apr 10, 1:31 pm, David Brown <david.br...(a)hesbynett.removethisbit.no> wrote:
[....]

I'm going to add a few comments.

> Second, make sure that the server has the minimal amount of data, no
> clear-text passwords, no financial or other compromising data, and
> minimal access to other systems on your network. This limits your risks
> if you /do/ get broken into.

Also if you have other Windows machines on the network, place another firewall in the system so that they can't be the source of the attack. A user can have a virus which does anything. If the user can post your valuable information, so can a virus.

> Third, make sure you have strong passwords, disable root logins (thus an
> attacker needs to guess user names as well as passwords), and move
> remote access (such as ssh) to a non-standard port.

Make your email names different from the login names so that someone who has received an email won't know the login name for that person.

[....]

> Fifth, don't run any unnecessary software on the server. A web server
> has no need for a windowing system or application software.

I would have put the fifth earlier because it is so important.

> In your case, you are not going to get DOS'ed - you are not big enough
> to be of the slightest interest to attackers. You are not going to be
> attacked by anyone serious - you have nothing worth stealing. (I say
> this with complete confidence - if you /were/ big enough to be a target,
> you would have hired professionals to do the job.)

You can get attacked just by someone trying ideas out or teenagers. Teenagers may not know a lot but they often have lots of time to try out different ideas.
From: David Brown on 11 Apr 2010 14:35

MooseFET wrote:
> On Apr 10, 1:31 pm, David Brown
> <david.br...(a)hesbynett.removethisbit.no> wrote:
> [....]
> I'm going to add a few comments.
>
>> Second, make sure that the server has the minimal amount of data, no
>> clear-text passwords, no financial or other compromising data, and
>> minimal access to other systems on your network. This limits your risks
>> if you /do/ get broken into.
>
> Also if you have other Windows machines on the network, place another
> firewall in the system so that they can't be the source of the attack.
> A user can have a virus which does anything. If the user can post
> your valuable information, so can a virus.
>

True enough - and you should therefore never let outside Windows machines onto your network. The only time our company ever suffered from a worm was when someone had taken a laptop from home and attached it to our network (breaking my rules to do so). The irony is that they wanted to use our fast internet connection to download an update to protect against said worm.

I find that having the firewall block all outgoing SMTP traffic (except from your internal mail server to your ISP's relay), with an alert system for attempted SMTP connections, is a quick way to find most malware and to limit its damage.

>
>> Third, make sure you have strong passwords, disable root logins (thus an
>> attacker needs to guess user names as well as passwords), and move
>> remote access (such as ssh) to a non-standard port.
>
> Make your email names different from the login names so that
> someone who has received an email won't know the login name for that
> person.
>

That can be a good idea when you need higher security. But the majority of attackers don't know anything about you except your IP address - they will try common names such as "root" and "Administrator". It's a different matter with directed attacks, in which case the attacker will likely research some email addresses as likely login names.

> [....]
>
>> Fifth, don't run any unnecessary software on the server. A web server
>> has no need for a windowing system or application software.
>
> I would have put the fifth earlier because it is so important.
>

It is indeed important, but I didn't want to try to give an ordering. This is only a few general points - the priority will depend on the circumstances.

>
>> In your case, you are not going to get DOS'ed - you are not big enough
>> to be of the slightest interest to attackers. You are not going to be
>> attacked by anyone serious - you have nothing worth stealing. (I say
>> this with complete confidence - if you /were/ big enough to be a target,
>> you would have hired professionals to do the job.)
>
> You can get attacked just by someone trying ideas out or teenagers.
> Teenagers may not know a lot but they often have lots of time to try
> out different ideas.
>

I always consider teenagers to be the most dangerous of users!
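
The outgoing-SMTP alerting described in the post above, sketched as an added example that is not part of the thread: it scans firewall log lines for port-25 connection attempts on any path other than mail server to ISP relay. The netfilter-style log format, the addresses and all names are assumptions, and the sample lines are constructed.

```python
import re
from collections import defaultdict

# Assumed addresses (not from the thread): internal mail server and ISP relay.
MAIL_SERVER = "192.168.1.10"
ISP_RELAY = "203.0.113.25"
SMTP_PORTS = {25}

# Constructed sample lines in the style of Linux netfilter LOG output.
SAMPLE_LOG = """\
Apr 11 14:02:11 fw kernel: SMTP-OUT IN=eth1 OUT=eth0 SRC=192.168.1.10 DST=203.0.113.25 PROTO=TCP SPT=40112 DPT=25 SYN
Apr 11 14:02:15 fw kernel: SMTP-OUT IN=eth1 OUT=eth0 SRC=192.168.1.57 DST=198.51.100.7 PROTO=TCP SPT=1044 DPT=25 SYN
Apr 11 14:02:16 fw kernel: SMTP-OUT IN=eth1 OUT=eth0 SRC=192.168.1.57 DST=198.51.100.9 PROTO=TCP SPT=1045 DPT=25 SYN
Apr 11 14:02:40 fw kernel: WEB-OUT IN=eth1 OUT=eth0 SRC=192.168.1.23 DST=198.51.100.7 PROTO=TCP SPT=5511 DPT=443 SYN
Apr 11 14:02:58 fw kernel: SMTP-OUT IN=eth1 OUT=eth0 SRC=192.168.1.10 DST=198.51.100.7 PROTO=TCP SPT=40120 DPT=25 SYN
Apr 11 14:03:02 fw kernel: SMTP-OUT IN=eth1 OUT=eth0 SRC=192.168.1.80 DST=
"""

FIELD = re.compile(r"\b([A-Z]+)=(\S+)")

def parse_line(line):
    """Return (src, dst, dport) for a TCP log line, or None if unusable."""
    fields = dict(FIELD.findall(line))
    if fields.get("PROTO") != "TCP" or "SRC" not in fields or "DST" not in fields:
        return None  # truncated or non-TCP line
    try:
        return fields["SRC"], fields["DST"], int(fields["DPT"])
    except (KeyError, ValueError):
        return None

def smtp_violations(log_text):
    """Map each offending source host to the set of destinations it tried."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None or parsed[2] not in SMTP_PORTS:
            continue
        src, dst, _ = parsed
        if src == MAIL_SERVER and dst == ISP_RELAY:
            continue  # the one permitted path
        hits[src].add(dst)  # includes the mail server bypassing the relay
    return dict(hits)

def alerts(log_text):
    """One alert line per offending host, sorted for stable output."""
    return [f"ALERT {src}: outbound SMTP attempt to {', '.join(sorted(dsts))}"
            for src, dsts in sorted(smtp_violations(log_text).items())]
```

The mail server itself is flagged when it talks SMTP to anything but the relay, since that path is outside the single exception the post allows.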
From: MooseFET on 12 Apr 2010 22:58

On Apr 11, 11:35 am, David Brown <david.br...(a)hesbynett.removethisbit.no> wrote:
> MooseFET wrote:
> > On Apr 10, 1:31 pm, David Brown
> > <david.br...(a)hesbynett.removethisbit.no> wrote:
[....]
>
> True enough - and you should therefore never let outside Windows
> machines onto your network. The only time our company ever suffered
> from a worm was when someone had taken a laptop from home and attached
> it to our network (breaking my rules to do so). The irony is that they
> wanted to use our fast internet connection to download an update to
> protect against said worm.

The last time I tried, Microsoft would not let you download the update with a virus-free machine and then copy the file onto the down rev version of Windoz. You have no choice but to connect the down-rev machine to the outside world and let all the squirmy things get in while it tries to get updated to keep them out.

I may hold the record for the fastest infection of an XP machine. It was a new Dell. I connected it to the network and it was a goner before I finished getting it registered. For a short while I had two PCs in my office somewhere I have the picture of the Dell in a garbage can in front of the IT guy's office door. That is how I returned it to him.

I run Windows 98 in a virtual machine that has no network access. It is a real pig's breakfast but for the few Windoz things I must do, it is a good option. Unfortunately you can't run XP that way because it locks up if it can't phone home or something.

My wife keeps her Windows machine fully updated with all the latest virus blockers etc. Just to be safe, I reboot it in Linux from time to time and copy all the important information onto an external drive. It is a good thing I've done that.

[....]
> >> Third, make sure you have strong passwords, disable root logins (thus an
> >> attacker needs to guess user names as well as passwords), and move
> >> remote access (such as ssh) to a non-standard port.
>
> > Make your email names different from the login names so that
> > someone who has received an email won't know the login name for that
> > person.
>
> That can be a good idea when you need higher security. But the majority
> of attackers don't know anything about you except your IP address - they
> will try common names such as "root" and "Administrator". It's a
> different matter with directed attacks, in which case the attacker will
> likely research some email addresses as likely login names.

I was thinking about an attack from someone who had a spam email address list. The user name and company name can be parsed out.
From: Michael A. Terrell on 12 Apr 2010 23:21

MooseFET wrote:
>
> I may hold the record for the fastest infection of an XP machine. It
> was a new Dell. I connected it to the network and it was a goner
> before I finished getting it registered. For a short while I had two
> PCs in my office somewhere I have the picture of the Dell in a
> garbage can in front of the IT guy's office door. That is how I
> returned it to him.

If you were on a corporate network and that happened, they need to fire the entire IT department.

--
Lead free solder is Belgium's version of 'Hold my beer and watch this!'
From: Vladimir Vassilevsky on 12 Apr 2010 23:30

Michael A. Terrell wrote:
> MooseFET wrote:
>
>>I may hold the record for the fastest infection of an XP machine. It
>>was a new Dell. I connected it to the network and it was a goner
>>before I finished getting it registered. For a short while I had two
>>PCs in my office somewhere I have the picture of the Dell in a
>>garbage can in front of the IT guy's office door. That is how I
>>returned it to him.
>
>
> If you were on a corporate network and that happened, they need to
> fire the entire IT department.

You should apply common sense to the horror stories that Linux fans are telling about Windows XP.

VLV