[Dshield] misc. thoughts....
Johannes B. Ullrich
jullrich at euclidian.com
Mon Nov 26 16:44:51 GMT 2001
The list got kind of active the last few days... Everybody got over their
Thanksgiving weekend well I thought. Anyway, just a few comments to
various things here:
First: DShield.org is one year old! Last year, after eating too much
turkey, I started writing the initial version of the site... I am still
trying to find some bugs from back then. Oh well...
Firewalls: Whenever somebody posts a question about how to implement a
firewall, there are a few standard responses that come up:
- "Get a Linux/BSD box with two or more ethernet cards"
That is a great solution. But please remember how much time you spend
tinkering with such a system (me included). I don't think this is a
solution for an office with limited IT staff. For them, it is probably
better to buy a black/blue/red box with a big 800 number printed on the
front for support and a web-based admin interface...
Rooted boxes: In my opinion, there is only one solution once a box gets
'rooted' (do they say 'admined' for NT boxes?): Reformat. You may make a
backup first. However, remember: If you reinstall NT, do not connect the
box to any network before you install all patches. There have been quite a
few people that got hit while downloading the patches. You may want to
burn them to CD.
Netcraft: What netcraft does is kind of a gray area. The problem is not
that they determine the web server version. This can be done very easily
without netcraft and they do not apply any special tricks. However, they
do allow anonymizing of such requests. My advice: first of all, make sure
you don't give away too much information. I think it is ok to tell people
if you are running Apache or IIS. But beyond that, you probably should
configure your web server to hide the details. Otherwise, just block
Netcraft on your firewall.
jullrich at sans.org Join http://www.DShield.org
Distributed Intrusion Detection System
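As an added illustration of the "hide the details" advice above (not part of the original post), here is a small Python check that parses the Server header of a raw HTTP response and reports everything it discloses beyond the bare product name; the sample responses are constructed, not captured from any real host. On Apache the corresponding settings are `ServerTokens Prod` and `ServerSignature Off`.

```python
import re
from typing import Dict, List

# Constructed sample responses (not from any real server): one header that
# leaks the full build details, one trimmed to the product name only (what
# Apache sends with "ServerTokens Prod"), and one IIS header with a version.
SAMPLE_RESPONSES = {
    "verbose": (
        "HTTP/1.1 200 OK\r\n"
        "Date: Mon, 26 Nov 2001 16:44:51 GMT\r\n"
        "Server: Apache/1.3.22 (Unix) mod_ssl/2.8.5 OpenSSL/0.9.6b PHP/4.0.6\r\n"
        "Content-Type: text/html\r\n\r\n"
    ),
    "minimal": "HTTP/1.1 200 OK\r\nServer: Apache\r\nContent-Type: text/html\r\n\r\n",
    "iis": "HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/5.0\r\nContent-Type: text/html\r\n\r\n",
}

# product token, optionally followed by "/version"
TOKEN_RE = re.compile(r"([A-Za-z][\w.-]*)(?:/([\w.-]+))?")


def server_header(raw_response: str) -> str:
    """Return the value of the Server header from a raw HTTP response, or ''."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(":")
        if name.strip().lower() == "server":
            return value.strip()
    return ""


def disclosure(raw_response: str) -> Dict[str, object]:
    """Classify how much a Server header gives away.

    'product' is the first token (the part the post considers fine to reveal);
    'platform' is any parenthesised OS comment such as "(Unix)"; 'versions'
    maps each product/module to its version; 'extras' lists add-on modules
    named after the first product. 'leaks' is True when anything beyond the
    bare product name is present.
    """
    value = server_header(raw_response)
    comment = re.search(r"\(([^)]*)\)", value)
    platform = comment.group(1) if comment else ""
    stripped = re.sub(r"\([^)]*\)", " ", value)
    tokens: List[tuple] = TOKEN_RE.findall(stripped)
    product = tokens[0][0] if tokens else ""
    versions = {name: ver for name, ver in tokens if ver}
    extras = [name for name, _ in tokens[1:]]
    return {"product": product, "platform": platform, "versions": versions,
            "extras": extras, "leaks": bool(versions or extras or platform)}
```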