Mitigating Risks Before Going Public


There are a couple of things you can do to mitigate risks before opening a network service to the Internet.

  • Remove defaults-Any sample scripts and default documentation should be removed. In many cases, sample code can be used to exploit a system, and documentation usually tells an attacker what they are up against. If there is a default login or account name, then change it.

  • Limit service access-Restrict Internet access to only the necessary services. For example, if you only want to give access to your SSH server, then you don't need to offer your HTTP server to the world. You can restrict access with Tcpwrappers or IP Tables (see Chapter 11). Some services can be bound to the loopback interface rather than the network card. A better alternative to local access restrictions is to use a stand-alone firewall. This way, hostile network traffic never reaches your computer in the first place.

  • Limit services per system-Ideally, each open network service should be on a different computer system. This way, an attacker who compromises your web server won't also have access to your e-mail, SSH, and other services. In reality, you may not have many computers sitting around, acting as dedicated service providers. Maintenance may also be a hassle. However, if you have a particularly critical service, definitely consider placing it on a standalone system.

  • Limit host access-If only a few hosts will be accessing the service, consider restricting connections to just those hosts. The restrictions may be based on IP addresses (if they are static), or on VPN technology such as IPsec (see Chapter 11) or SSH (see Chapter 5).

  • Use a firewall-Anyone using a computer connected to the Internet (or an ISP) without a firewall is just asking for trouble. A simple NAT-based home firewall usually costs under $50 and is well worth the investment.

  • Use a DMZ-A DMZ (de-militarized zone) is a network buffer region that is surrounded by firewalls. The concept is pretty simple: all inbound traffic must stop at the computer in the DMZ before continuing into the internal network. The DMZ provides a choke point for monitoring suspicious network traffic and authenticating desirable traffic. Configuring a DMZ requires two firewalls and one computer (the computer can even be that old 75 MHz Pentium that you have collecting dust in your closet).

  • Configure an IDS-An IDS (Intrusion Detection System) watches network traffic for potential threats and alerts you when something questionable is identified.

  • Monitor logs-Local network services usually generate log files. So do firewalls and IDSs. If you don't periodically look at the logs, then you will never see attacks when they happen.

  • Keep backups-Being able to recover from a compromise is just as important as knowing how and when the compromise happens. Chapter 3 offers a very simple backup system, but your backups should really match your needs.

  • Patch! Patch! Patch!-While a home computer with no services may only need to be updated monthly, systems with Internet-accessible services should be patched much more often. Attackers won't wait for you to catch up with the latest exploit.



Hacking Ubuntu
Hacking Ubuntu: Serious Hacks Mods and Customizations (ExtremeTech)
ISBN: 047010872X
EAN: 2147483647
Year: 2004
Pages: 124
Authors: Neal Krawetz

flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net