[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Help



Tell him he you could easily setup iptables to restrict outgoing connection ie: you can telnet it but not telnet out, or send packets in but not out. I have worked on many servers that have this feature used ie: compaqs testdrive program. I also use this feature in one of my free shell servers.


From: Brian Furry <brian@euler.nac.net>
Reply-To: fbrian@nac.net
To: debian-security@lists.debian.org
Subject: Help
Date: Fri, 3 May 2002 18:14:15 -0400 (EDT)
MIME-Version: 1.0
Received: from [65.125.64.134] by hotmail.com (3.2) with ESMTP id MHotMailBE9C5876007E4004325E417D408606C30; Fri, 03 May 2002 15:21:42 -0700
Received: (qmail 3047 invoked by uid 38); 3 May 2002 22:14:31 -0000
Received: (qmail 2733 invoked from network); 3 May 2002 22:14:21 -0000
Received: from lithium.nac.net (64.21.52.68) by murphy.debian.org with SMTP; 3 May 2002 22:14:21 -0000
Received: (qmail 99879 invoked from network); 3 May 2002 22:14:19 -0000
Received: from unknown (HELO euler.nac.net) (207.99.6.85) by mail.nac.net with SMTP; 3 May 2002 22:14:19 -0000 Received: from brian (helo=localhost)by euler.nac.net with local-esmtp (Exim 3.12 #1 (Debian))id 173lJh-00007l-00for <debian-security@lists.debian.org>; Fri, 03 May 2002 18:14:17 -0400
From bounce-debian-security Fri, 03 May 2002 15:23:19 -0700
X-Envelope-Sender: brian@nac.net
Message-ID: <Pine.LNX.4.21.0205031803140.339-100000@euler.nac.net>
Sender: Brian Furry <brian@nac.net>
X-Spam-Status: No, hits=0.0 required=4.7 tests= version=2.01
Resent-Message-ID: <uMdIKB.A.Yv.Gvw08@murphy>
Resent-From: debian-security@lists.debian.org
X-Mailing-List: <debian-security@lists.debian.org> archive/latest/7106
X-Loop: debian-security@lists.debian.org
List-Post: <mailto:debian-security@lists.debian.org>
List-Help: <mailto:debian-security-request@lists.debian.org?subject=help>
List-Subscribe: <mailto:debian-security-request@lists.debian.org?subject=subscribe> List-Unsubscribe: <mailto:debian-security-request@lists.debian.org?subject=unsubscribe>
Precedence: list
Resent-Sender: debian-security-request@lists.debian.org


Hello:

I am in the process of getting a debian server in the high school that I
teach in.  The network admin is concerned about the security of the
exsisting Novell Server, border manager, etc.  Our ISP is very picky
about not hogging more bandwidth than we are suppossed to use.

I have been carefully pushing for a debian linux server for about 3 years
and now I am very close to getting one for my students to program on. The
network admin is the last person I need to sign off on....


Below is a message from him, that I need to reply to in order for him
to sanction the machine.  I would like some help in creating a reponse
to sooth his anxiety and fears.


**********************************************

I have described the Linux project, its uses, and its physical placement
within our network, to four knowledgeable people, and asked for their
thoughts and recommendations.

A. Partner in a consulting company based in Hunterdon County.  Their
mission is to encourage Linux use in small/medium companies.

B. Lt. Col. (ret.) USAF,  now a contractor for the Air Force (process
compliance and Unix network administrator)

C. Network technician.  This person builds wide-area networks for
corporations and financial institutions

D. Computer consultant.  This person has extensive employment experience
(programming, documentation, database, networking) with HP, Agilent, and
others.  Husband and brother also do design work for top computer firms.


They all insisted that a dedicated firewall is a requirement.  They are
unanimous in their exhortation that the server be properly secured.  "B"
gave specific items to examine in this regard,  and "A" offered to scan it
from inside and outside our building.

"A,"  "B,"  and "C" state that, even if it IS properly secured, this does
not prevent some types of malicious behavior.  "A" and "B" think that the
risk is no greater than our current setup, while "C" has reservations that
we should not increase our susceptibility, and that the 24-hour
availability of this server leaves us open to mischief.

I share "C"'s concern.  In-school computer use is subject to various
controls, not the least of which is teacher oversight.  By design, a
publicly accessible server on which students can run their own programs at
3 a.m. lacks this important security.

In light of this last point, let me pose a situation:  A student loads and
runs a program onto this Linux server which then launches attacks on other
computers or routers on the Internet.  Such attacks could be as simple as
participating in a Denial-of-Service attack.  In our earlier meeting, you
said that proper settings, permissions, and restrictions could prevent that.

Since this is one of the situations for which I am most concerned, can you
give me (in excruciating detail) the steps which would prevent this?









======================================================================
Brian R. Furry      fbrian@nac.net
==============      ===============

  The Power of Open Source can only give the people what
  they so richly deserve ...

  stable and flexible computing


================     ===============
Debian/GNU Linux                          www.debian.org
=======================================================================


--
To UNSUBSCRIBE, email to debian-security-request@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org






_________________________________________________________________
Join the world?s largest e-mail service with MSN Hotmail. http://www.hotmail.com


--
To UNSUBSCRIBE, email to debian-security-request@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org



Reply to: