link within has now been disabled On Feb 12, 2008, at 8:17 AM, keith@xxxxxxxxxxxxxx wrote:
Hello Tonnerre, "I personally think that Snort is snake oil."It can be a pain to get setup and to actually reduce false positives, been using since begining of project, but requires a lot of learning to setup properly" and as I stated nothing is foolproof or totally secure. Other measures need deployed as well such as an application level firewall. I disagree with the snake oil statement (we'll agree to disagree here) but do agree someone that does not use it on a daily basis it is very hard to work through at first."Apart from the fact that you cannot destroy a hard disk in a way that makes it unrecoverable (with expensive equipment and time), this is pure populism."It takes quite a bit of heat and even then some data can be recovered, from magnetic residue, in labs. Usually cost prohibitive unless someone really wants your data bad and has a big budget.But please state a config that someone with experience can not get into, is more of a point that security is ever evolving."This is security by obscurity. If you just fiddle with the ports which were open for a second, it is pretty easy to determine which service isrunning on it. I see no point at all in all of this port changing."Yup it is security by obscurity and it will help against a script kiddie that won't take the time to scan all ports, thats why I suggested move to a high non-standard port."But I don't agree to ...write. Heck you can even google and download some to get you started....using any script Google finds, some have nasty bugs and blacklistthe wrong hosts (e.g. if you set an user name with spaces). You clearlydon't want your DNS server blacklisted, for example."I'm not talking about downloading blacklists but dynamic firewall rules and scripting to achieve a dynamic list based on ranking of attacks against the box. Google does have a few references and examples that can be modified if necessary. I'm going under the assumption that scripting is not second nature to the tech setting up.Blacklists downloaded, for lack of a better term suck.Tonnerre I appreciate your comments too, debating is a good thing on things like this.Keith<a href="http://www.linkedin.com/in/keithkilroy"; ><img src="http://www.linkedin.com/img/webpromo/btn_viewmy_160x25.gif " width="160" height="25" border="0" alt="View Keith Kilroy's profile on LinkedIn"></a>-----Original Message----- From: Tonnerre Lombard <tonnerre.lombard@xxxxxxxxxx> Sent: Tuesday, February 12, 2008 7:20am To: Keith Kilroy <keith@xxxxxxxxxxxxxx>Cc: Abilash Praveen <contactme@xxxxxxxxxxxxxxxxxx>, full-disclosure <full-disclosure@xxxxxxxxxxxxxxxxx >Subject: Re: [Full-disclosure] Brute force attack - need your advice Salut, Keith, On Tue, 12 Feb 2008 03:21:20 -0500, Keith Kilroy wrote:Lock down your server so only needed ports are open, move ssh above the norm scan range, setup SNORT and learn how to use it, harden and update all progz. Check for web app holes.....buffer overflows etc.While I agree with locking down and checking for vulnerabilities, I personally think that Snort is snake oil. It hardly ever detected attacks for me which could have harmed my systems. (There were quite a bunch of them, but they went mostly unnoticed.) There are behavior based, autolearning IDS modes, but I've had my experiences with jumping in public parking lots (which caused terror alert because the IDS wasn't used to people jumping), so I am quite sceptic of that as well.The only box that is safe is the one unplugged hdd removed and destroyed and rest of system locked in a closet.Apart from the fact that you cannot destroy a hard disk in a way that makes it unrecoverable (with expensive equipment and time), this is pure populism.Just perform your due diligence and watch and archive your logs.I agree here; and don't log to syslog on localhost, have a separate logging host like syslog is intended to be used...are targeted at those guys), ever heard of DDOS and botnets. move all default ports you can and have their services report different than what is really there.This is security by obscurity. If you just fiddle with the ports whichwere open for a second, it is pretty easy to determine which service isrunning on it. I see no point at all in all of this port changing.If you are detecting the brute force attacks then you can stop them.Apart from the bandwidth induced, bruteforce attacks are pretty useless if you have sanely chosen passwords. And in the age of Tengig networks,the bandwidth penalty is minimal.anyway. Just try to stay ahead of the curve. Harden, log, respond. Oh yeah be sure to perform your backups, if someone besides a ScriptI totally agree to backups though, for various reasons[1]. ;-)[Lines of acute paranoia scrapped] securing your stuff and monitoring with dynamic blocking that times out after a period of time. Rank the attacker when it hits a 5 blockem for 30 min then if it reoccurs and they achieve a high scoreThis is pretty useful for various purposes, also for saving bandwidth used by brute force attackers. But I don't agree to ...write. Heck you can even google and download some to get you started....using any script Google finds, some have nasty bugs and blacklistthe wrong hosts (e.g. if you set an user name with spaces). You clearlydon't want your DNS server blacklisted, for example. Tonnerre [1]: No, a RAID1 is not a backup. -- SyGroup GmbH Tonnerre Lombard Solutions Systematiques Tel:+41 61 333 80 33 Güterstrasse 86 Fax:+41 61 383 14 67 4053 Basel Web:www.sygroup.ch tonnerre.lombard@xxxxxxxxxx _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Attachment:
smime.p7s
Description: S/MIME cryptographic signature
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/