[olug] Security

Brian Wiese bwiese at cotse.com
Fri Jan 4 20:41:05 UTC 2002


Exactly. Yes Nate, that is how it is done. :) We finally agree.

On Fri, 4 Jan 2002 17:22:21 -0600
David Walker <linux_user at grax.com> wrote:

> That's why the pros run a demilitarized zone.  Any host on the internet is
> considered a security risk and is not allowed free access to your internal
> network.
> 
> Firewall -
> 	Web server
> 	Name server
> 	Mail server
> 	2nd level firewall -
> 		The rest of your network
> (or a slightly different configuration)
> Firewall -
> 	DMZ Zone
> 		Web server
> 		Name server
> 		Mail server
> 	The rest of your network Zone
> 		The rest of your network
> 
> Apache has a good security record over the past 4 years so it isn't a big
> security risk but how you configure it and what scripts you run on it could
> be risks.  Straight html files should be rather non-risky.
> 
> I don't run sendmail so I can't really assess the risks but considering the
> exploits I've heard about I would be wary.
> 
> Since SSH is not intended for anonymous use I suggest moving it to a 5 digit
> port where a scanner looking for it on port 22 isn't going to happen upon it.
> That way if an exploit is released you have a bit more time to upgrade
> before someone finds that you are running an exploitable version.
> 
> I'm not comfortable running win2k on the internet without a firewall in front
> of it.
>
> So, using your number system, I'd say 
> Apache 	3
> SSH		2
> Sendmail	1
> Win2k		1
> 
> On Friday 04 January 2002 04:49 pm, you wrote:
> > Wrong Brian....sorry the Brian I was referring to knows what I'm talking
> > about...Also I'm glad that this has turned into a decent thread on
> > security...what do we think is the risk factor of a computer whose only
> > outside access is through SSH...but it still has internal network access
> > how big of a risk factor is it to the internal network?  How about if that
> > internal network were connected to someone else's private network over a
> > VPN...would that person have reason to be concerned...as on the flip side
> > the person running the SSH machine would have cause for concern over a
> > Win2k Server having access to the internal network and thus his over the
> > VPN....aren't they both equally bad security risks or is one worse than the
> > other...Then what about running Sendmail, and Apache on a machine hooked
> > also into the private network where does this fall?  I mean can we really
> > be secure with any external access and where would people rank these risks
> > 1-3, 1 being the highest risk and 3 being the lowest...here is what I say:
> > 1) Apache and Sendmail, 2) SSH and 2) Win2k....I say the last two are lower
> > because of all the exploits for sendmail...but I think SSH and Win2k are
> > equally bad what do you all think?
> >
> > Thanks,
> > Nate Rotschafer
> >
> >
> > From: "Brian Roberson" <roberson at bstc.net>
> >
> > >Reply-To: olug at bstc.net
> > >To: <olug at bstc.net>
> > >Subject: Re: [olug] Security
> > >Date: Fri, 4 Jan 2002 16:15:57 -0600
> > >
> > >Right! ??!!
> > >
> > > > night/this morning very well I believe...right Brian?  Just my $.02....
> > >
> > >-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_
> > >
> > >For help contact olug-help at bstc.net - run by ezmlm
> > >to unsubscribe, send mail to olug-unsubscribe at bstc.net
> > >or `mail olug-unsubscribe at bstc.net < /dev/null`
> > >(c)2001 OLUG http://www.olug.org
> > >
> > >-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_


-- 
FREEDOM!  - Braveheart
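
Added example, not part of the original messages: a small Python model of the second layout quoted above (one firewall with a DMZ zone and an internal zone), evaluated as default deny, plus a check that no rule lets the internet or the DMZ open connections into the internal network. The address ranges, the service ports (80, 53, 25) and the function names are assumptions made for illustration.

```python
import ipaddress

# Constructed addressing for the two zones behind the firewall (assumption).
ZONES = {
    "dmz": ipaddress.ip_network("192.0.2.0/28"),
    "internal": ipaddress.ip_network("10.0.0.0/8"),
}

# Allowed NEW connections as (source zone, destination zone, port); None = any
# port. Anything not listed is dropped; replies are left to state tracking.
ALLOW = [
    ("internet", "dmz", 80),         # web server
    ("internet", "dmz", 53),         # name server
    ("internet", "dmz", 25),         # mail server
    ("dmz", "internet", 53),         # name server resolving upstream
    ("dmz", "internet", 25),         # mail server delivering outbound
    ("internal", "dmz", None),       # admins and users reach the servers
    ("internal", "internet", None),  # outbound browsing and so on
]


def zone_of(addr):
    """Map an address to its zone; anything unlisted is the internet."""
    ip = ipaddress.ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "internet"


def allowed(src, dst, port, rules=ALLOW):
    """Default deny: a new connection passes only if some rule matches it."""
    s, d = zone_of(src), zone_of(dst)
    return any((s, d) == (rs, rd) and rp in (None, port) for rs, rd, rp in rules)


def violations(rules):
    """Rules that break the DMZ property: nothing outside the internal
    zone may open a connection into it."""
    return [r for r in rules if r[1] == "internal" and r[0] != "internal"]


if __name__ == "__main__":
    for flow in [("198.51.100.7", "192.0.2.2", 80),   # internet -> web server
                 ("198.51.100.7", "10.1.2.3", 80),    # internet -> internal
                 ("192.0.2.2", "10.1.2.3", 22)]:      # DMZ host -> internal
        print(flow, "ALLOW" if allowed(*flow) else "DROP")
    print("rule violations:", violations(ALLOW))
```

Running violations() over a proposed rule list before loading it catches the change that would undo the layout, such as a "temporary" rule from a DMZ server to an internal database.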
