Hi, List.

I have a question regarding the setup of our Webserver, well actually two.

Is there a safe way other than sftp/scp to let people update their webpages? Clients are using lots of Windows computers. After an intrusion last week we don't like the idea anymore that people use ftp to put their pages on the server.

Does it make sense, with our setup, to use SuSE Firewall at all? Setup is:

WWW---->FW---->(eth0) Webserver (eth1)<--->LAN
 ^                        |                 ^
 |------------------------v-----------------|

Weird, I know. Incoming traffic will go through FW, but outgoing not.

The Webserver machine runs two instances of apache, to serve the www pages and the local www pages. That's the reason for the two NICs. But by design we have to look at both NICs as hostile networks, because any computer is connected at any time to the Internet (University). If using the Firewall, what would a setup look like? Or better IPChains? And what would the rules be? We are serving only ports 80, 443, and 22 (http, https, ssh) to the "outside" and at the moment to the "inside" also. If people would insist on using ftp from inside, what then?

Thanks in advance,
A. Meinerzhagen
Hi A.M.

On 2001.09.08 15:17:46 +0100 A. Meinerzhagen wrote:
Hi, List.
Is there a safe way other than sftp/scp to let people update their webpages? Clients are using lots of Windows computers. After an intrusion last week we don't like the idea anymore that people use ftp to put their pages on the server.
Can't think of anything easy... are all your users going to update from inside your LAN, or do they have to update over the internet? One solution I have seen to this problem is a temporary FTP password: something like
1. you email the server,
2. a password is generated and is only valid for one hour,
3. password emailed back to the user.
Not great, but the cracker has less time in which she can intrude on your box.
Does it make sense, with our setup, to use SuSE Firewall at all? Setup is:
IMHO, it nearly always makes sense to firewall - layers of security make it harder for a bad guy to get anywhere even if he breaks into one box...
WWW---->FW---->(eth0) Webserver (eth1)<--->LAN
 ^                        |                 ^
 |------------------------v-----------------|

Weird, I know. Incoming traffic will go through FW, but outgoing not.

The Webserver machine runs two instances of apache, to serve the www pages and the local www pages. That's the reason for the two NICs. But by design we have to look at both NICs as hostile networks, because any computer is connected at any time to the Internet (University). If using the Firewall, what would a setup look like? Or better IPChains? And what would the rules be? We are serving only ports 80, 443, and 22 (http, https, ssh) to the "outside" and at the moment to the "inside" also. If people would insist on using ftp from inside, what then?
I'm not sure how you gain anything by having 2 NICs on the same LAN; to my eyes, you seem to be making things too complicated...

If you are using kernel 2.4.x, try iptables - it is more flexible than ipchains. SuSE firewall basically makes rules for ipchains / iptables, so one isn't "better" than the other; they use different ways to do the same thing. Given your unusual set-up (but fairly simple needs), I think you would be better to roll your own using iptables (sorry, Marc ;-) ). Have a look at the HOWTO at http://netfilter.samba.org for some iptables ideas.

HTH,
Maf.
Thanks in advance, A. Meinerzhagen
-- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Maf. King
Standby Exhibition Services
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"It is easier to do a job right than to explain why you didn't."
- Martin Van Buren
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
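As an added illustration of Maf's "roll your own using iptables" suggestion (this is my example, not code from the thread, from SuSE Firewall or from the netfilter HOWTO): a small POSIX shell script that builds the INPUT policy for the server as described, opening only 22, 80 and 443 on both NICs and logging and dropping everything else, ftp included. Interface names, the port list, the `-m state` connection tracking match and the DRY_RUN switch are assumptions; by default the script only prints the iptables commands so they can be reviewed, and it applies them only when run as root with DRY_RUN=0.

```shell
#!/bin/sh
# Added example (not from the list thread): minimal iptables INPUT policy for
# the two-NIC web server. Both eth0 (behind the FW) and eth1 (campus LAN) are
# treated as hostile, so the same allow-list is applied to each interface.
# Interface names, ports and the DRY_RUN switch are assumptions.
# DRY_RUN=1 (default) prints the commands; DRY_RUN=0 executes them (needs root).

IPT="${IPT:-iptables}"
DRY_RUN="${DRY_RUN:-1}"
IFACES="${IFACES:-eth0 eth1}"
TCP_PORTS="${TCP_PORTS:-22 80 443}"   # ssh, http, https: the only services offered

run() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "$IPT $*"
    else
        "$IPT" "$@"
    fi
}

# Emit (or apply) the complete rule set for the INPUT chain.
apply_rules() {
    run -F INPUT
    run -P INPUT DROP            # default deny on every interface
    run -P FORWARD DROP          # the host is a server, not a router
    run -A INPUT -i lo -j ACCEPT
    # Replies to connections the server itself opened (DNS lookups, updates, ...)
    run -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    for iface in $IFACES; do
        for port in $TCP_PORTS; do
            run -A INPUT -i "$iface" -p tcp --dport "$port" -m state --state NEW -j ACCEPT
        done
    done
    # Everything else, including ftp (21) from either side, is logged (rate
    # limited so a scan cannot fill the log) and then dropped.
    run -A INPUT -m limit --limit 5/min -j LOG --log-prefix "INPUT DROP: "
    run -A INPUT -j DROP
}

# Number of explicit service-accept rules in the policy: interfaces x ports.
# Handy as a sanity check before applying for real.
count_service_rules() {
    apply_rules | grep -c -- '--dport'
}

apply_rules
```

Run it once with the default dry run and read the output; if it matches the intended policy, run it again as root with DRY_RUN=0. Because the default policy is DROP, the ESTABLISHED,RELATED rule is what keeps the server's own outbound connections working.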
Hi, List.
Is there a safe way other than sftp/scp to let people update their webpages? Clients are using lots of Windows computers. After an intrusion last week we don't like the idea anymore that people use ftp to put their pages on the server.
You could use WebDAV to avoid FTP, for example.
Does it make sense, with our setup, to use SuSE Firewall at all? Setup is:
Any server on the Internet should ALWAYS be protected by a firewall. Even if you use a properly configured firewall, this is only one aspect of a good security concept, but if you do not use one at all, FTP is certainly not your only problem... There are just too many unprotected servers on the Internet. Please do not add one more...

Robert
On 8 Sep 01, at 14:17, A. Meinerzhagen wrote:
Is there a safe way other than sftp/scp to let people update their webpages?
WebDAV over https.

Regards,
ar

-- 
mailto:andreas@rittershofer.de
http://www.rittershofer.de
PGP-Public-Key http://www.rittershofer.de/ari.htm
Hello A.

As to the FTP question. If you are running an ssh daemon, you can shut the ftp port and tell everybody that has business on your webserver where to download a programme like WinSCP (googling WinSCP will show where to get this particular programme), which makes it fairly easy to upload the stuff they want to share with the world. WinSCP even looks like your regular FTP Windows client, so I do suspect that resistance will not be very strong.

Yours,
Ruben Konig

"A. Meinerzhagen" wrote:
Hi, List.
I have a question regarding the setup of our Webserver, well actually two.
Is there a safe way other than sftp/scp to let people update their webpages? Clients are using lots of Windows computers. After an intrusion last week we don't like the idea anymore that people use ftp to put their pages on the server.

Does it make sense, with our setup, to use SuSE Firewall at all? Setup is:

WWW---->FW---->(eth0) Webserver (eth1)<--->LAN
 ^                        |                 ^
 |------------------------v-----------------|

Weird, I know. Incoming traffic will go through FW, but outgoing not.

The Webserver machine runs two instances of apache, to serve the www pages and the local www pages. That's the reason for the two NICs. But by design we have to look at both NICs as hostile networks, because any computer is connected at any time to the Internet (University). If using the Firewall, what would a setup look like? Or better IPChains? And what would the rules be? We are serving only ports 80, 443, and 22 (http, https, ssh) to the "outside" and at the moment to the "inside" also. If people would insist on using ftp from inside, what then?
Thanks in advance, A. Meinerzhagen
-- To unsubscribe, e-mail: suse-security-unsubscribe@suse.com For additional commands, e-mail: suse-security-help@suse.com
-- 
Ruben Konig
Communicatiewetenschap
Katholieke Universiteit Nijmegen
private email address: r.konig@mailbox.kun.nl ruben@dromedaris.net
Hi all,

I recognized a strange (?) behavior of IPCHAINS toward dynamic DNS names.

I have the following problem: I use a dialup connection at home and want to grant SSH access to our company server, but (of course) only for my IP. So I registered some dynamic DNS service and applied the host "xxx.ath.cx".

Now I added the necessary rules to ipchains, using this hostname. It was working fine. But after I reconnected (and got a new IP) it was not working anymore. Strange. Then I re-checked the rules and saw that ipchains obviously resolves the IP of "xxx.ath.cx", reverse looks it up and inserts THIS result (which is now the hostname given by my provider) into the final rules.

So the original rule of:

    ipchains -I input 1 -j ACCEPT -l -p tcp -i eth0 -s xxx.ath.cx -d dst 22

is translated to (ipchains -L):

    target prot opt    source                              destination ports
    ACCEPT tcp  ----l- L0099P99.dipool.highway.telekom.at  dst         any -> ssh

which is not really what I want.. :/

Is there any solution? Deleting and re-inserting these rules every minute via crontab is something I would not really like to do..

best regards,
E.
Eric,

* On Sunday, September 09, 2001 at 13:21, eric.draven@aon.at wrote:
I recognized a strange (?) behavior of IPCHAINS toward dynamic DNS names.

I have the following problem: I use a dialup connection at home and want to grant SSH access to our company server, but (of course) only for my IP. So I registered some dynamic DNS service and applied the host "xxx.ath.cx".

Now I added the necessary rules to ipchains, using this hostname. It was working fine. But after I reconnected (and got a new IP) it was not working anymore. Strange. Then I re-checked the rules and saw that ipchains obviously resolves the IP of "xxx.ath.cx", reverse looks it up and inserts THIS result (which is now the hostname given by my provider) into the final rules.
When adding your rule with ipchains, the hostname is looked up by ipchains. When checking your rules afterwards with ipchains -L, the address is reverse looked up. The kernel only knows about the IP-addresses - you can verify this with "cat /proc/net/ip_fwchains" (at least with Kernel 2.2.x).
Is there any solution? Deleting and re-inserting these rules every minute via crontab is something I would not really like to do..
I would suggest the following:
- Insert the rule in /etc/ppp/ip-up.local
- Remove the rule in /etc/ppp/ip-down.local
- Update your DynDNS-Hostname when running ip-up.local

Adalbert
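An added example (my own script, not Adalbert's or anything from the list) of the hook-based approach: resolve the DynDNS name when the link comes up, compare it with the address recorded on the previous run, and only then replace the ipchains rule, so nothing is deleted and re-inserted every minute and the chain is left alone while the address is unchanged. The hostname, server address, interface, state file path and the DRY_RUN variable are assumptions, and the DYN_RESOLVER hook exists only so the script can be exercised without network access. Call it with `up` from ip-up.local and `down` from ip-down.local. Since the kernel stores only the address, `ipchains -L -n` lists the rule numerically and avoids the reverse lookup that produced the provider's hostname.

```shell
#!/bin/sh
# Added example (not from the list thread): keep an ipchains allow rule in
# step with a dynamic DNS name. ipchains stores only the address it resolved
# at insert time (the kernel never sees the hostname), so the rule has to be
# re-created whenever the name starts pointing elsewhere. Hostname, server
# address, interface, state file and the DRY_RUN switch are assumptions.

DYN_HOST="${DYN_HOST:-xxx.ath.cx}"
SERVER_IP="${SERVER_IP:-192.0.2.10}"     # placeholder for the server's own address
IFACE="${IFACE:-eth0}"
STATE_FILE="${STATE_FILE:-/var/run/dynssh.ip}"
DRY_RUN="${DRY_RUN:-1}"                   # 1: print commands, 0: run ipchains
IPCHAINS="${IPCHAINS:-ipchains}"

run() {
    if [ "$DRY_RUN" = "1" ]; then echo "$IPCHAINS $*"; else "$IPCHAINS" "$@"; fi
}

# Forward lookup only; prints the first address found, or nothing on failure.
resolve_host() {
    getent hosts "$1" | awk '{ print $1; exit }'
}

# The rule body, parameterised on the remote address; same shape as the
# original rule in the thread.
allow_args() {
    echo "-j ACCEPT -l -p tcp -i $IFACE -s $1 -d $SERVER_IP 22"
}

# Resolve the name and replace the rule only if the address has changed.
refresh_rule() {
    resolver="${DYN_RESOLVER:-resolve_host}"   # override hook for offline tests
    new_ip="$("$resolver" "$DYN_HOST")"
    if [ -z "$new_ip" ]; then
        echo "lookup of $DYN_HOST failed; keeping the current rule" >&2
        return 1
    fi
    old_ip=""
    [ -r "$STATE_FILE" ] && old_ip="$(cat "$STATE_FILE")"
    if [ "$new_ip" = "$old_ip" ]; then
        return 0                                # nothing changed; leave the chain alone
    fi
    # Word splitting of the argument list is intended here.
    [ -n "$old_ip" ] && run -D input $(allow_args "$old_ip")
    run -I input 1 $(allow_args "$new_ip")
    printf '%s\n' "$new_ip" > "$STATE_FILE"
}

# For ip-down.local: drop the rule and forget the recorded address.
remove_rule() {
    [ -r "$STATE_FILE" ] || return 0
    run -D input $(allow_args "$(cat "$STATE_FILE")")
    rm -f "$STATE_FILE"
}

case "${1:-}" in
    up)   refresh_rule ;;
    down) remove_rule ;;
esac
```

If the name cannot be resolved the script keeps whatever rule is installed and returns non-zero instead of silently opening or closing anything; that is the failure mode a cron-driven delete-and-reinsert loop would get wrong.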
A lot of ISPs will give you a dns name based on your IP as well. Just throwing that in to make sure that you had double checked that your name isn't changing. Like my road runner account will change to something like gsoxxx-xxx-xxx.triad.rr.com as my host name where the xxx's are the last three sets of my ip number.
Wade Chandler
Metro IT Solutions
Lead Programmer
http://www.metrotriad.com/wchan
http://www.metrois.com
wade.chandler@metrois.com
336-725-1621 Ext. 1015
----- Original Message -----
From: "Adalbert Michelic"
Eric,
* On Sunday, September 09, 2001 at 13:21, eric.draven@aon.at wrote:
I recognized a strange (?) behavior of IPCHAINS toward dynamic DNS names.

I have the following problem: I use a dialup connection at home and want to grant SSH access to our company server, but (of course) only for my IP. So I registered some dynamic DNS service and applied the host "xxx.ath.cx".

Now I added the necessary rules to ipchains, using this hostname. It was working fine. But after I reconnected (and got a new IP) it was not working anymore. Strange. Then I re-checked the rules and saw that ipchains obviously resolves the IP of "xxx.ath.cx", reverse looks it up and inserts THIS result (which is now the hostname given by my provider) into the final rules.
When adding your rule with ipchains, the hostname is looked up by ipchains. When checking your rules afterwards with ipchains -L, the address is reverse looked up.
The kernel only knows about the IP-addresses - you can verify this with "cat /proc/net/ip_fwchains" (at least with Kernel 2.2.x).
Is there any solution? Deleting and re-inserting these rules every minute via crontab is something I would not really like to do..
I would suggest the following:
- Insert the rule in /etc/ppp/ip-up.local
- Remove the rule in /etc/ppp/ip-down.local
- Update your DynDNS-Hostname when running ip-up.local
Adalbert
On Sunday 09 September 2001 03:19 am, eric.draven@aon.at wrote:
Hi all,
I have the following problem: I use a dialup connection at home and want to grant SSH access to our company server, but (of course) only for my IP. So I registered some dynamic DNS service and applied the host "xxx.ath.cx".
So the original rule of:
    ipchains -I input 1 -j ACCEPT -l -p tcp -i eth0 -s xxx.ath.cx -d dst 22

is translated to (ipchains -L):

    target prot opt    source                              destination ports
    ACCEPT tcp  ----l- L0099P99.dipool.highway.telekom.at  dst         any -> ssh

which is not really what I want.. :/
Is there any solution? Deleting and re-inserting these rules every minute via crontab is something I would not really like to do..
Your ipchains is using the reverse dns (which is all it can get). SSH is such that it is somewhat overkill to further limit who gets in based on IP.

If you need to limit ssh to a specific subset of users why not change the file ssh in the /etc/pam.d directory by adding: (it should not be wrapped like it probably appears below)

    auth required /lib/security/pam_listfile.so item=user sense=allow file=/etc/sshusers onerr=succeed

I haven't tried this yet, but I will. Theoretically it would limit ssh users to the list of names found in /etc/sshusers

__________________________________________
J.Andersen
On Sunday 09 September 2001 11:30 pm, John Andersen wrote:
If you need to limit ssh to a specific subset of users why not change the file ssh in the /etc/pam.d directory by adding: (it should not be wrapped like it probably appears below)
auth required /lib/security/pam_listfile.so item=user sense=allow file=/etc/sshusers onerr=succeed
Ooops, I think that should read onerr=fail (he says, replying to his own post)
__________________________________________ J.Andersen
-- __________________________________________ J.Andersen
PAM -- Pluggable Authentication Modules
http://www.sysadminmag.com/articles/2000/0009/0009a/0009a.htm

I covered listfile.

Kurt
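An added example (my own, not taken from John's or Kurt's posts) covering the two details that decide whether the pam_listfile line fails closed: the onerr=fail correction above, and the list file itself, which pam_listfile only honours when it is owned by root and not world-writable; if the file is missing, unreadable or badly permissioned the module returns whatever onerr= says, so with sense=allow and onerr=succeed a deleted /etc/sshusers would admit every user. The module path and /etc/sshusers are those from the thread; the helper names and the use of GNU `stat -c` are assumptions.

```shell
#!/bin/sh
# Added example (not from the list thread): generate the pam_listfile line the
# fail-closed way round and check that the list file is in a state
# pam_listfile will accept (root-owned, not world-writable, present).
# Helper names and GNU stat are assumptions; paths come from the thread.

LIST_FILE="${LIST_FILE:-/etc/sshusers}"

# The single line to add to the sshd file under /etc/pam.d (called "ssh" in the
# thread). onerr=fail: if the list cannot be read, deny rather than allow.
pam_line() {
    echo "auth required /lib/security/pam_listfile.so item=user sense=allow file=$1 onerr=fail"
}

# Return 0 only if pam_listfile would actually consult the file; any other
# state makes the module fall back to its onerr= result for every login.
check_list_file() {
    f="$1"
    if [ ! -f "$f" ]; then
        echo "$f missing: with onerr=fail nobody could log in via ssh" >&2
        return 1
    fi
    owner=$(stat -c %u "$f")     # numeric owner uid
    mode=$(stat -c %a "$f")      # octal permission bits, e.g. 644
    if [ "$owner" != "0" ]; then
        echo "$f must be owned by root (uid 0), is owned by uid $owner" >&2
        return 1
    fi
    case "$mode" in
        *[2367])                 # last octal digit with the write bit set
            echo "$f is world-writable (mode $mode); pam_listfile will ignore it" >&2
            return 1 ;;
    esac
    return 0
}

# Stand-alone use: print the PAM line and report on the real list file.
if [ -z "${1:-}" ] && [ "$(id -u)" = "0" ]; then
    pam_line "$LIST_FILE"
    check_list_file "$LIST_FILE" && echo "$LIST_FILE looks usable"
fi
```

The ownership and mode checks mirror what the module itself enforces; running the check after editing the file catches the case where a careless `chmod` or a file created by a non-root editor silently turns the allow-list into a no-op.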