Re: [SLUG] System security

From: bill (billt@ifelse.org)
Date: Tue May 15 2001 - 23:52:12 EDT


On Tue, 15 May 2001, Paul M Foster wrote:

> On Tue, May 15, 2001 at 06:02:10PM -0400, Derek Glidden wrote:
>
> <snip>
>
> > Of course, to effectively use nmap or
> > nessus, you need an offsite system from which to run the scans, which
> > makes it a little less convenient for people with home DSL connections
> > just trying to check their security.
>
> Aside from ipchains/firewall rules, it appears to me that servers don't
> really make a distinction between LAN and internet when it comes to
> ports and services. For example, if you run sendmail on your firewall
> (ignoring firewall rules again), your firewall server doesn't really
> know/care whether port 25 packets come from the LAN or the internet.
> Correct me if I'm wrong here.

It is possible to configure most if not all daemons to listen only on
specific interfaces / addresses / ports. If it is set to listen only on
the LAN interface or address, it will ignore packets arriving on other
interfaces or addresses.

After turning off completely the daemons that aren't needed, deciding
which ones need to listen where is a great next step.

> But if that's the case, would it be worthwhile to run nmap and the
> others from inside your LAN, pointed at your firewall?

Yep.. if you do it from both ends, you can see the difference. It will
show you what the internet sees as opposed to what your LAN sees. It is
good for getting the loose ends or picking up on unusual changes.
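Both points in bill's reply (a daemon bound to one address ignores connections arriving at another, and scanning from both sides shows the difference) can be seen in one small Python script. This is an added example, not code from the thread or from any of the tools mentioned: it starts two throwaway listeners on ephemeral ports, one bound only to 127.0.0.1 (standing in for the LAN-side address, the equivalent of sshd's `ListenAddress` or sendmail's `DaemonPortOptions=Addr=`) and one bound to 0.0.0.0, then probes each port from two source views: 127.0.0.1 as the "LAN" and 127.0.0.2 as the "outside". It assumes a Linux host, where the whole 127/8 block is routed to the loopback interface, so 127.0.0.2 behaves like a second local address; on other systems the "outside" probe of the wildcard listener may time out instead.

```python
import socket
import threading

# Constructed stand-ins for two interface addresses on the same host (assumption:
# Linux loopback answers for all of 127/8, so 127.0.0.2 acts as a second address).
LAN_ADDR = "127.0.0.1"      # "LAN side"
OUTSIDE_ADDR = "127.0.0.2"  # "internet side"


def start_listener(bind_addr):
    """Start a throwaway TCP listener bound to bind_addr on an ephemeral port.

    Binding to a specific address rather than 0.0.0.0 is what makes a daemon
    ignore connections that arrive at any other address on the box.
    Returns (server_socket, port).
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((bind_addr, 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve():
        # Accept and immediately close connections until the socket is closed.
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            conn.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv, port


def probe(addr, port, timeout=0.5):
    """TCP connect probe using the usual scanner vocabulary:
    'open' (handshake completed), 'closed' (RST back), 'filtered' (no answer
    or route error)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((addr, port))
        return "open"
    except ConnectionRefusedError:
        return "closed"
    except OSError:  # includes socket.timeout
        return "filtered"
    finally:
        s.close()


def scan_views(ports):
    """Probe each port from the LAN view and from the outside view."""
    return {p: {"lan": probe(LAN_ADDR, p), "outside": probe(OUTSIDE_ADDR, p)}
            for p in ports}


def lan_only(views):
    """Ports open from the LAN but not from outside: a scan run only from an
    offsite box would never show these."""
    return sorted(p for p, v in views.items()
                  if v["lan"] == "open" and v["outside"] != "open")


def exposed(views):
    """Ports that answer from the outside view: what the internet sees."""
    return sorted(p for p, v in views.items() if v["outside"] == "open")


def demo():
    """Run the whole comparison and return the findings as a dict."""
    lan_srv, lan_port = start_listener(LAN_ADDR)   # listens on the LAN address only
    any_srv, any_port = start_listener("0.0.0.0")  # listens everywhere
    try:
        views = scan_views([lan_port, any_port])
    finally:
        lan_srv.close()
        any_srv.close()
    return {"lan_port": lan_port, "any_port": any_port, "views": views,
            "lan_only": lan_only(views), "exposed": exposed(views)}


if __name__ == "__main__":
    result = demo()
    for port, v in sorted(result["views"].items()):
        print(f"port {port}: lan={v['lan']} outside={v['outside']}")
    print("reachable only from the LAN:", result["lan_only"])
    print("reachable from outside:", result["exposed"])
```

Run against a real host, the same two-sided comparison is what an nmap run from inside the LAN and another from an offsite box give you; keeping both result sets and diffing them over time is the cheap way to notice a daemon that has quietly started listening on the wrong side.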



This archive was generated by hypermail 2.1.3 : Fri Aug 01 2014 - 18:06:47 EDT