Linux Users' Group of Davis (LUGOD)
 
Page last updated:
2006 Sep 21 09:52

The following is an archive of a post made to our 'vox mailing list' by one of its subscribers.

[vox] security dilemma

Hey all,

I have a security-related question and would like to solicit your advice on the best way to lock down my system, given the situation.

My Red Hat system is on a network, has a public static IP, and is exposed to the full traffic of the Internet - no DMZ or router/firewall protection. (I've considered adding a small router in front of it, but that is a separate issue.)

I'm using an iptables firewall along with TCP wrappers. These two measures bolster system security by only allowing connections from a limited set of IP addresses where I and/or authorized users should be coming from while accessing the system remotely via SSH2. (All other connections are automatically denied by the firewall.) I've also implemented some secondary security measures, but TCP wrappers and the firewall stop over 99% of break-in attempts.

Here's the issue. As with many broadband customers, my IP changes occasionally, and every so often my assigned client IP address falls outside of the range defined by the firewall and/or TCP wrappers on the remote Red Hat server. However, expanding the range of IPs it allows to try logging in is a problem for two reasons:

1. I don't know the full range of IPs offered by my ISP. The pool of possible IPs I've so far been assigned from is HUGE - ranging across at least 4 Class A address groups, based on the ones my ISP has pushed at me so far. Meaning the IP assigned varies anywhere between 70-73.XXX.XXX.XXX.

That is a huge amount of addresses to leave open, since potentially many thousands of attackers would be able to bypass both of my primary security measures and have a shot at guessing a user/pass combination that would let them onto the system.

2. My logs have recorded numerous break-in attempts on the server, by individuals originating from the range listed above. So again, I'd prefer not to just open the entire range, since that lets attackers past my 2 best security layers. Even if I wanted to open the whole range, how would I find out what the range was? The tech support people aren't going to know the answer to a question like that.

Any advice would be much appreciated. On the one hand, I'm sick of getting locked out of my own system when my IP changes. On the other, I'm sick of people who have the same ISP as I do trying to crack into my server.

Thanks,
Matt

If you're going to appoint yourself judge, jury, and executioner, at least make sure you're handing down the correct judgements.
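The trade-off in the post (how many addresses a wider allow-list opens, and whether the attackers already in the logs would then get past iptables and TCP wrappers to reach sshd) can be measured against the server's own sshd log. The script below is an added example, not code from the post or the list; the log lines and addresses are constructed, the "narrow" allow-list is an assumption, and the 70-73.x.x.x range is written as the two CIDR blocks 70.0.0.0/7 and 72.0.0.0/7 that cover it exactly.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample sshd syslog lines (the hosts and addresses are made up).
SAMPLE_LOG = """\
Sep 19 02:14:07 server sshd[4121]: Failed password for root from 70.112.4.9 port 51122 ssh2
Sep 19 02:14:11 server sshd[4123]: Failed password for invalid user admin from 70.112.4.9 port 51130 ssh2
Sep 19 03:40:52 server sshd[4310]: Failed password for invalid user test from 72.9.200.17 port 4022 ssh2
Sep 19 03:41:01 server sshd[4312]: Failed password for root from 72.9.200.17 port 4030 ssh2
Sep 19 08:05:33 server sshd[4600]: Accepted publickey for matt from 71.133.52.8 port 33400 ssh2
Sep 19 11:22:45 server sshd[4901]: Failed password for root from 218.5.77.3 port 2219 ssh2
"""

# Matches both "Failed password for root from A.B.C.D" and
# "Failed password for invalid user NAME from A.B.C.D".
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\d+\.\d+\.\d+\.\d+)"
)


def failed_logins_by_source(log_text):
    """Count 'Failed password' events per source IP address."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            counts[m.group(2)] += 1
    return counts


def evaluate_allow_list(counts, allow_cidrs):
    """Split the observed failed-login sources into those a proposed allow-list
    would admit to sshd and those it would still stop at the firewall/TCP wrappers,
    and report how many IPv4 addresses the allow-list covers in total."""
    nets = [ipaddress.ip_network(c) for c in allow_cidrs]
    admitted, blocked = {}, {}
    for ip, n in counts.items():
        addr = ipaddress.ip_address(ip)
        if any(addr in net for net in nets):
            admitted[ip] = n
        else:
            blocked[ip] = n
    total = sum(net.num_addresses for net in nets)
    return admitted, blocked, total


if __name__ == "__main__":
    counts = failed_logins_by_source(SAMPLE_LOG)
    # Assumed current narrow list vs. opening the whole 70-73.x.x.x range.
    for label, cidrs in (("narrow", ["71.133.52.0/24"]), ("wide", ["70.0.0.0/7", "72.0.0.0/7"])):
        admitted, blocked, total = evaluate_allow_list(counts, cidrs)
        print(f"{label}: {total} addresses allowed; admits {sum(admitted.values())} "
              f"failed attempts from {len(admitted)} sources; still blocks {len(blocked)} sources")
```

Run it against the real /var/log/secure to see how many of the sources already hammering the box would be let through by each candidate range before changing a rule.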