[Dshield] misc. thoughts....

Johannes B. Ullrich jullrich at euclidian.com
Mon Nov 26 16:44:51 GMT 2001


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


The list got kind of active the last few days... Everybody got over their 
Thanksgiving weekend well I thought. Anyway, just a few comments to 
various things here:

First: DShield.org is one year old! Last year, after eating too much 
turkey, I started writing the initial version of the site... I am still 
trying to find some bugs from back then. Oh well...

Firewalls: Whenever somebody posts a question about how to implement a 
firewall, there are a few standard responses that come up:
- - "Get a Linux/BSD box with two or more ethernet cards"
  That is a great solution. But please remember how much time you spend 
tinkering with such a system (me included). I don't think this is a 
solution for an office with limited IT staff. For them, it is probably 
better to buy a black/blue/red box with big 800 number printed on the 
front for support and web based admin interface...

Rooted boxes: In my opinion, there is only one solution once a box gets 
'rooted' (do they say 'admined' for NT boxes?): Reformat. You may make a 
backup first. However, remember: If you reinstall NT, do not connect the 
box to any network before you install all patches. There have been quite a 
few people that got hit while downloading the patches. You may want to 
burn them to CD.

Netcraft: What netcraft does, is kind of a gray area. The problem is not 
that they determine the web server version. This can be done very easily 
without netcraft and they do not apply any special tricks. However, they 
do allow anonymizing of such requests. My advice: first of all, make sure 
you don't give away too much information. I think it is ok to tell people 
if your are running Apache or IIS. But beyond that, you probably should 
configure your web server to hide the details. Otherwise, just block 
Netcraft on your firewall.



- -- 
- -------
jullrich at sans.org                    Join http://www.DShield.org
                          Distributed Intrusion Detection System

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE8AnGFVOIizK5pIDMRAjAVAKCRylLXO647q3iwXNMDScOwa6ez3wCgnEk3
+nJHPw6SD1vaqTMtT31zPrg=
=UekT
-----END PGP SIGNATURE-----




More information about the list mailing list