Mailinglist Archive: opensuse-security (757 mails)

< Previous Next >
Re: [suse-security] PHP-Majordomo to execute commands on demand?
  • From: Leonel Rivas <leorivas@xxxxxxxxx>
  • Date: Sat, 26 Jan 2002 16:23:31 -0800 (PST)
  • Message-id: <20020127002331.93247.qmail@xxxxxxxxxxxxxxxxxxxxxxx>
Whoa Greg, that sounds very interesting, can you give
,me some more details?

Thanks
Leo

--- Gregor Bruhin <gregor.bruhin@xxxxxxxxxx> wrote:
> Hi,
>
> Know I know a bit more, I can give you other ideas
> perhaps :-)
>
> 1)
>
> I did the following thing @home for my "intranet" &
> linux-internet-gateway
>
> I setup a tiny webserver which runs as root :-( ( I
> know very bad idea but
> there is no other solution i think ! )
> With a few scripts it will do all I want (lanch
> internet connection, map
> drives, launch services, etc.)
>
> -> know you can secure this
> add a script to you main server which will put
a
> "1" in a file somewhere
> when it is launched and replace the 1 with a 0
after
> 5 sec
> in the tiny webserver you just add acheck,
check
> if the 1 is present in
> the file otherwise you don't reply
> the tiny server must be run on a strange port
> and REALY do nothing if
> there is not a 1 in the file
> (result, many conditions must be met, difficult
> for a hacker, but also
> for you because you have many chances to make
> mistakes. Summary: you have to
> access first you normal webserver and execute your
> special script, then you
> have 5 secs to connect to your tiny root webserver
> and autentificate)
>
>
>
> 2)
>
> - setup a new special user with complicated name &
> password
> - setup a chrooted env. for this user
> - setup ssh access on a very special port (high
> port, unused by trojans, and
> not scanned by default by nmap etc.) limit login to
> the created user (be
> sure to check all sshd security options)
> - do not use a normal shell for this user but
rather
> a home-made interpreter
> which will only write a few things in a text file
in
> a chrooted jail
> - write a script which will get data from this text
> file and do some actions
> (this script will be executed every 5 min. by cron
> for ex.)
>
> it's just an idea like an other ...
>
>
> OTHERS)
>
> This won't sove all your problems but can help.
>
> I don'tknow which services you plan to use but try
> to limit allowed IP's,
> limit allowed users, use unusual ports.
> Disable icmp replys, configure a local firewall to
> slow down scanners.
> Hide or fake the banners of the daemons if
possible.
> Update your system as often as possible.
> Install tripwire, scanlogd, chkrootkit etc.
> Make Ba ba backups :-) ...
>
> have fun :-)
>
> Greg
>
>
> ----- Original Message -----
> From: "Leonel Rivas" <leorivas@xxxxxxxxx>
> To: <suse-security@xxxxxxxx>
> Sent: Saturday, January 26, 2002 7:24 PM
> Subject: Re: [suse-security] PHP-Majordomo to
> execute commands on demand?
>
>
> > I've done so: leave ssh running , and after
> logging,
> > run the inetd to have other services, then, i
stop
> it
> > before leaving. BUT, checking the messages file,
a
> > have already found some ssh scans (it tells DONT
> > PANIC, and dunno what it means), so i decided to
> close
> > the most srevices and run them as needed... is
ssh
> (on
> > suse 7.2) safe enough?
> > Thanks for the help, im not so new on linux, but
> new
> > on security issues.
> > Leo
> >
> >
> > --- Andrea Naggi <mailing-lists@xxxxxxxx> wrote:
> > > You could actually leave SSH running all the
> > time
> > > and from there you can
> > > start or stop services as needed... SSH should
> > be
> > > safe enough...
> > > Anyway the idea is good and should be possible
> > to
> > > realize it with ssl and an
> > > apposite php/perl page on your webserver.
> > ENGARDE
> > > linux uses a page like
> > > that written in perl and running under ssl
> > > encryption to control all the
> > > system services and even the shutdown or rebbot
> > of
> > > the server.
> > > Regards
> > > Andrea Naggi
> > >
> > > ----- Original Message -----
> > > From: "Leonel Rivas" <leorivas@xxxxxxxxx>
> > > To: <suse-security@xxxxxxxx>
> > > Sent: Saturday, January 26, 2002 4:19 PM
> > > Subject: [suse-security] PHP-Majordomo to
> > execute
> > > commands on demand?
> > >
> > >
> > > > Hi everybody
> > > >
> > > > Im trying to improve security by making the
> > > minimal
> > > > services to run on a 7.2 server, now, my
> > question
> > > is
> > > > how to make services run and stop on demand,
> > like
> > > ssh
> > > > or inetd. Is possible to make.. say a web
page
> > > under
> > > > ssl to launch and stop such services? or
maybe
> > a
> > > > majordomo mail with the apropriate password?
> > the
> > > idea
> > > > is to have ONLY apache and sendmail running
> > all
> > > the
> > > > time, nothing more, then, run ftpd or ssh as
> > > needed,
> > > > then stop it.
> > > > Thanks
> > > >
> > > >
> >
__________________________________________________
> > > > Do You Yahoo!?
> > > > Great stuff seeking new owners in Yahoo!
> > Auctions!
> > > > http://auctions.yahoo.com
> > > >
> > > > --
> > > > To unsubscribe, e-mail:
> > > suse-security-unsubscribe@xxxxxxxx
> > > > For additional commands, e-mail:
> > > suse-security-help@xxxxxxxx
> > > >
> > > >
> > > >
> > >
> > >
> >
> >
> >
__________________________________________________
> > Do You Yahoo!?
> > Great stuff seeking new owners in Yahoo!
Auctions!
> > http://auctions.yahoo.com
> >
> > --
> > To unsubscribe, e-mail:
> suse-security-unsubscribe@xxxxxxxx
> > For additional commands, e-mail:
> suse-security-help@xxxxxxxx
> >
> >
>


__________________________________________________
Do You Yahoo!?
Great stuff seeking new owners in Yahoo! Auctions!
http://auctions.yahoo.com

< Previous Next >