
Re: Cracking attempt



On Mon, Feb 24, 2003 at 06:08:43AM -0700, Tim Spriggs wrote:
> > What OS are you using?  Presumably if it was Linux you would have
> > solved the problem with iptables or ipchains long ago...
> 
> Solaris 9 :( It does have some firewalling software but caused some
> major conflicts at one point with no config and honestly, I and one
> other person are pushing to get a firewall and separation of tasks on
> different machines. The way this thing sits right now I'd be
> un-surprised if someone with an hour of spare time and a little talent
> could get in and fuck a _LOT_ up.

here's a quick-and-dirty (and cheap!) temporary solution:

get an old 386/486/pentium box - there should be several gathering dust
at any university.  put two ethernet cards in it, and install linux (any
debian with kernel 2.4.x) on the machine and configure it as a NAT
firewall.  plug one NIC into your network, and use a crossover cable to
connect the other NIC to your solaris box.

in short, what this will do is take the solaris box off the external
network and put it on a second (private) network.  DNAT on the linux box
will allow authorised machines to connect to it and SNAT allows the
solaris box to get out.

if you configure the NAT stuff right, the change will be completely
transparent to all users.

it's pretty ugly, but it will work...and it's something you can do
without spending any money or asking permission (remember it's always
easier to get forgiveness than permission :).

if anyone ever notices and complains, you can justify it by saying you
had no choice.  you had to protect the server and the backups it
contained but had no budget to do it with.


alternatively, build the linux box but put it between your external
router and your main network.  there's no need for NAT in this setup,
just plain routing and iptables firewalling rules.


a third alternative, (which may or may not be viable, depending on what
kind of border router you have and how your network is set up) is to
replace the router with the linux box.

craig

-- 
craig sanders <cas@taz.net.au>

Fabricati Diem, PVNC.
 -- motto of the Ankh-Morpork City Watch
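One way to lay out the NAT firewall rules Craig describes (DNAT so that only authorised hosts reach the Solaris box, SNAT so it can still get out, everything else dropped), as an added example that is not part of the original mail. The interface names, addresses, the authorised network and the exposed ports are all assumptions for illustration; the script prints the iptables commands by default and only runs them when invoked with `apply` on the Linux 2.4 box itself.

```shell
#!/bin/sh
# Added example, not code from the original mail.
# iptables NAT/firewall rules for a Linux 2.4 box with two NICs: one on the
# existing network, one cabled (crossover) to the Solaris host.
# Every value below is an assumption chosen for illustration.
EXT_IF=eth0                 # NIC on the existing (external) network
INT_IF=eth1                 # NIC on the private link to the Solaris box
EXT_IP=203.0.113.10         # public address the firewall takes over from the Solaris box
SOLARIS_IP=192.168.1.2      # new private address of the Solaris box
ADMIN_NET=198.51.100.0/24   # hosts authorised to reach the Solaris box
PORTS="22 80"               # services exposed through DNAT

# Emit the rule set, one iptables invocation per line, without running anything.
gen_rules() {
    echo "iptables -P FORWARD DROP"
    echo "iptables -F FORWARD"
    echo "iptables -t nat -F"
    # Replies to connections already accepted flow in both directions.
    echo "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # SNAT: traffic the Solaris box originates leaves with the old public address,
    # so nothing on the outside notices the move to a private network.
    echo "iptables -t nat -A POSTROUTING -o $EXT_IF -s $SOLARIS_IP -j SNAT --to-source $EXT_IP"
    echo "iptables -A FORWARD -i $INT_IF -o $EXT_IF -s $SOLARIS_IP -j ACCEPT"
    for p in $PORTS; do
        # DNAT: only connections from the authorised network to the public
        # address are rewritten to the Solaris box, and only for listed ports.
        echo "iptables -t nat -A PREROUTING -i $EXT_IF -s $ADMIN_NET -d $EXT_IP -p tcp --dport $p -j DNAT --to-destination $SOLARIS_IP"
        echo "iptables -A FORWARD -i $EXT_IF -o $INT_IF -s $ADMIN_NET -d $SOLARIS_IP -p tcp --dport $p -m state --state NEW -j ACCEPT"
    done
    # Anything else that would be forwarded falls through to the DROP policy.
}

# Sanity check used before applying: number of inbound DNAT rules, one per port.
count_dnat_rules() {
    gen_rules | grep -c -- '-j DNAT'
}

case "${1:-}" in
    apply)
        # Only meaningful as root on the firewall box itself.
        echo 1 > /proc/sys/net/ipv4/ip_forward
        gen_rules | sh -e
        ;;
    *)
        gen_rules
        ;;
esac
```

For the change to be transparent, the firewall's external NIC has to be configured with the address the Solaris box used to have, and the Solaris box re-addressed on the private link with its default route pointing at the firewall's internal address; the rules above do nothing useful until that is in place.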


