Posts

Showing posts from 2000

A secure NFS environment?

A lot of organizations do not realise the danger of NFS until they have been intruded upon by hostile crackers. This article gives a short description of most NFS-related problems and ways to avoid them. Since I mostly use Solaris, I'll try to stick to Solaris examples in this paper.

Problems: Un-authenticated NFS mounts.

Many sys-admins, including me, have set up uncontrolled NFS shares on Solaris boxes. There might be many excuses for this. My popular excuse is that I was just testing it, or that I was asked to do that by someone else. No matter what the excuse is, it's tough to recover morally from a hostile attack if the share is ever misused. As a matter of policy, shares should be restricted to specific hosts, especially if they have read-write enabled. No NFS mounts should be allowed from hosts which are accessible from the Internet, and one should avoid critical write-enabled NFS mounts in a non-secure zone.

Problems: home directories

It is popular to use NFS for home directories, especially for

Problems in Loadbalancing

With the expansion of the internet, the userbase of most sites is growing exponentially. However, the speed of the servers themselves is not growing fast enough. It is hence logical to conclude that these services have to be set up on multiple servers. Depending on what kind of service you are providing, this could be a trivial task.

Problem 1

However, some applications are very touchy about which server the client connects to after the first hit. It is possible that the service itself is not scalable enough to allow a user to switch between the two servers without interrupting the service. This requires some sort of session management to allow users to stick to one server after they log in.

Solution 1

There are three primary ways of getting this done. The first and foremost way to resolve this issue is to set up the loadbalancer to loadbalance using the Source-IP of the client. This will make sure that the client browser always goes to the same server for that particular session. This solution

Feb Attack 2000: DDOS Attack - analysis

BOOKMARK: http://staff.washington.edu/dittrich/misc/ddos/
BOOKMARK: Max Vision Network Security & Penetration Testing website
BOOKMARK: MIXTER Security

June 9, 2000 NEWS: CNN: FBI probing potentially 'massive' new hacker attack to disable Web sites. FBI will meet with experts from a security company Friday to discuss the firm's discovery that hackers have embedded a malicious program
Also check out the Slashdot Discussion and www.netsec.net for more information.

May 15, 2000 FAQ: DOS FAQ. This FAQ covers denial of service attacks (DoS) in great depth, and has links to software that can be used to execute DoS attacks. Also DDoS Research

May 15, 2000 PAPER: On Magic, IRC wars, and DDoS. The recent attacks against major Internet sites are "magical" in the same fashion. The public doesn't know how the hacks are done, and imagines all sorts of things. It is much simpler than that.

May 15, 2000 DISCUSSI

DNS Information hiding

One of the funniest ways of using DNS is by hiding information in it. DNS, as the name goes, is more about distributing Domain information. However, some people who think differently had other ideas about it. I used the idea to hide one of my perl programs in a dns server I have access to. Execute the following line as a single command and wait for the outcome.

    dig @beta.royans.net beta.royans.net axfr | grep '^host' | sort | cut -b8-39 | perl -e 'while(<>){print pack("H32",$_)}' | gzip -qd

What does the real DNS look like? It's pretty dirty :) But have a look anyway.

    dig @ns1.granitecanyon.com royans.dhs.org axfr

    ; <<>> DiG 8.2 <<>> @ns1.granitecanyon.com royans.dhs.org axfr
    ; (1 server found)
    $ORIGIN royans.dhs.org.
    @ 12H IN SOA ns1.granitecanyon.com. rkt.pobox.com. (
        153313462 ; serial
        6H ; refresh
        3H ; retry
        1W ; expiry
        12H ) ; minimum
    12H IN NS ns1.granitecany

Linux in 2000

The other day, someone asked me what my worst nightmare was. I told him, "Linux world domination." Surprising as it may seem coming from a Linux advocate, the fact is that this issue is being debated in Linux circles the world over. In the absence of competition, Linux may not have much to look forward to. However, since that will take a long time to happen, we look at how Linux succeeded in the past to become what it is today and where it's headed in the near future.

Battling Since Birth

Linux was born in the midst of the Minix generation of Intel 286s. Minix, which did not allow free distribution of code, was the de facto OS for university curricula back then (1991). After winning over Minix, Linux fought the software crunch of the early 90s and integrated many common Unix tools ported over in the first quarter of this decade. And just before it stood against Microsoft in the late 90s to fight for a piece of the pie in the desktop segment, Linux fought hard to get X-Windows applications ported