[olug] Security
Brian Wiese
bwiese at cotse.com
Fri Jan 4 20:41:05 UTC 2002
Exactly. Yes Nate, that is how it is done. :) We finally agree.
On Fri, 4 Jan 2002 17:22:21 -0600
David Walker <linux_user at grax.com> wrote:
> That's why the pros run a demilitarized zone. Any host on the internet is
> considered a security risk and is not allowed free access to your internal
> network.
>
> Firewall -
>    Web server
>    Name server
>    Mail server
>    2nd level firewall -
>       The rest of your network
> (or a slightly different configuration)
> Firewall -
>    DMZ Zone
>       Web server
>       Name server
>       Mail server
>    The rest of your network Zone
>       The rest of your network
>
> Apache has a good security record over the past 4 years so it isn't a big
> security risk but how you configure it and what scripts you run on it could
> be risks. Straight html files should be rather non-risky.
>
> I don't run sendmail so I can't really assess the risks but considering the
> exploits I've heard about I would be wary.
>
> Since SSH is not intended for anonymous use I suggest moving it to a 5 digit
> port where a scanner looking for it on port 22 isn't going to happen upon it.
> That way if an exploit is released you have a bit more time to upgrade
> before someone finds that you are running an exploitable version.
>
> I'm not comfortable running win2k on the internet without a firewall in front
> of it.
>
> So, using your number system, I'd say
> Apache 3
> SSH 2
> Sendmail 1
> Win2k 1
>
> On Friday 04 January 2002 04:49 pm, you wrote:
> > Wrong Brian....sorry the Brian I was referring to knows what I'm talking
> > about...Also I'm glad that this has turned into a decent thread on
> > security...what do we think is the risk factor of a computer whose only
> > outside access is through SSH...but it still has internal network access
> > how big of a risk factor is it to the internal network? How about if that
> > internal network were connected to someone else's private network over a
> > VPN...would that person have reason to be concerned...as on the flip side
> > the person running the SSH machine would have cause for concern over a
> > Win2k Server having access to the internal network and thus his over the
> > VPN....aren't they both equally bad security risks or is one worse than the
> > other...Then what about running Sendmail, and Apache on a machine hooked
> > also into the private network where does this fall? I mean can we really
> > be secure with any external access and where would people rank these risks
> > 1-3, 1 being the highest risk and 3 being the lowest...here is what I say:
> > 1) Apache and Sendmail, 2) SSH and 2) Win2k....I say the last two are lower
> > because of all the exploits for sendmail...but I think SSH and Win2k are
> > equally bad what do you all think?
> >
> > Thanks,
> > Nate Rotschafer
> >
> >
> > From: "Brian Roberson" <roberson at bstc.net>
> >
> > >Reply-To: olug at bstc.net
> > >To: <olug at bstc.net>
> > >Subject: Re: [olug] Security
> > >Date: Fri, 4 Jan 2002 16:15:57 -0600
> > >
> > >Right! ??!!
> > >
> > > > night/this morning very well I believe...right Brian? Just my $.02....
> > >
> > >-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_
> > >
> > >For help contact olug-help at bstc.net - run by ezmlm
> > >to unsubscribe, send mail to olug-unsubscribe at bstc.net
> > >or `mail olug-unsubscribe at bstc.net < /dev/null`
> > >(c)2001 OLUG http://www.olug.org
> > >
> > >-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_
--
FREEDOM! - Braveheart
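
The single-firewall zone layout from David's quoted message (a DMZ holding the web, name and mail servers, kept apart from the rest of the network) can be written as a first-match forwarding policy and checked for isolation. This is an added example, not part of the original thread; the zone names, rules and ports are constructed assumptions, and reply traffic for accepted connections is assumed to be handled by a stateful firewall.

```python
# Added example: zone names, rules and ports are constructed assumptions.
# Each rule is (source zone, destination zone, destination port, action).
# A port of None matches any port. The first matching rule wins and a
# connection that matches nothing is dropped.
DMZ_POLICY = [
    ("internet", "dmz", 80, "accept"),         # web server
    ("internet", "dmz", 53, "accept"),         # name server
    ("internet", "dmz", 25, "accept"),         # mail server
    ("internal", "dmz", None, "accept"),       # admins and users reach the DMZ
    ("internal", "internet", None, "accept"),  # outbound from the internal net
    ("dmz", "internet", 53, "accept"),         # name lookups from DMZ hosts
    ("dmz", "internet", 25, "accept"),         # outbound mail delivery
]

# A shortcut that defeats the design: the DMZ mail server is allowed to
# open connections straight into the internal network.
WEAK_POLICY = DMZ_POLICY + [("dmz", "internal", 25, "accept")]


def decide(policy, src, dst, port):
    """Return the action applied to a NEW connection from src to dst:port."""
    for rule_src, rule_dst, rule_port, action in policy:
        if (rule_src, rule_dst) == (src, dst) and rule_port in (None, port):
            return action
    return "drop"


def violations(policy):
    """List new connections that can enter 'internal' from a less trusted zone.

    Testing every port named in a rule, plus 0 standing for "any other
    port", covers every distinct outcome this rule model can produce.
    """
    ports = sorted({p for _, _, p, _ in policy if p is not None} | {0})
    return [
        (src, "internal", port)
        for src in ("internet", "dmz")
        for port in ports
        if decide(policy, src, "internal", port) == "accept"
    ]


if __name__ == "__main__":
    print("isolated policy:", violations(DMZ_POLICY))
    print("weak policy:    ", violations(WEAK_POLICY))
```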