Here are my settings. How secure am I?
Hello. I am a new member in this group, so forgive any faux pas for now, please.
Although I am not new to Linux, I would say I am new to this system administration thing. What I want with this letter is to verify that I have taken all the security steps I could, and to get any response on something that I have missed (or misunderstood). This message may end up being long, sorry about that, but I have seen really long messages posted here, so I think this will pass. I have a home network of a few computers running Windows (XP or 2000) and one running Linux, to which I allow access from the outside world. The way I did so was to set my router NAT to forward traffic on ports 22 (SSH V3.5p1) and 80 (HTTP) to that Linux computer. A test I did through 'Shields UP' confirmed that only those ports were open. Initially, I had the SSH pretty open. However, after noticing in my log files a number of attempts using various usernames, I modified my /etc/hosts.allow and /etc/hosts.deny files to narrow down the permitted sites; this way I eliminated most of the attacking sites. I went one step further and modified my sshd_config file to allow specific users only. I use non-standard names and of course no root, guest, and the like. For the HTTP service, I managed to create some subdirectories for which a specific userid/password and/or specific IP is required, and I think it works pretty well; not highly sensitive material, mind you. I was similarly successful in creating a couple of virtual web sites. Now, for security: I get one or two SSH attempts per day, but the connection is dropped, as it should be.
However, for HTTP I get a lot of the following messages in my log file. These look like whoever sends these commands is trying to get something from a Windows computer (apparently I am safe from them (?)):

xxx.xxx.xxx.xxx - - [23/Jan/2005:04:37:26 -0500] "GET scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1018 "-" "-"
xxx.xxx.xxx.xxx - - [23/Jan/2005:04:37:29 -0500] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1018 "-" "-"
xxx.xxx.xxx.xxx - - [23/Jan/2005:04:37:32 -0500] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1018 "-" "-"
xxx.xxx.xxx.xxx - - [23/Jan/2005:04:37:35 -0500] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1018 "-" "-"
xxx.xxx.xxx.xxx - - [23/Jan/2005:04:37:38 -0500] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 951 "-" "-"
xxx.xxx.xxx.xxx - - [23/Jan/2005:04:37:42 -0500] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 951 "-" "-"

The ones where I do not know what happens, and which worry me a bit, are commands like the following:

xxx.xxx.xxx.xxx - - [05/Feb/2005:04:20:37 -0500] "GET /default.ida?XXXXXXXXXXXXXXXX……XXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a

and watch this:

xxx.xxx.xxx.xxx - - [04/Feb/2005:13:21:25 -0500] "CONNECT smtp.xxx.xx:25 HTTP/1.0" 302 272 "-" "-"

With this one, someone from one point of the world tried to reach a mail service in another. A regular connection to my site looks like this in my log file:

xxx.xxx.xxx.xxx - - [05/Feb/2005:19:15:04 -0500] "GET / HTTP/1.1" 304 0

Both of the above have one entry only in my access_log file and nothing in the error_log. I do not know whether they were successful in what they tried to do. How could I know? Is there something (a script, or a service like Shields-Up) that I could try myself on my site?
(By the way, in my httpd config file I have the ProxyRequests On line commented out; it should be off by default. If I understand correctly, this should have rejected the CONNECT command above.) I think that's all for now. Thanks in advance for your responses. Nicos
PS. My Sygate firewall (on the XP) does not allow me to post this message to this site. It says "Code Red" attack detected. ?????????
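The question in the post is essentially "how do I tell from access_log whether any of these probes worked?" For requests like these the status code already answers it: a 404/400 on the cmd.exe traversal means nothing was served, and a CONNECT that a proxy actually tunnelled is logged with a 200, so the 302 above means Apache did not open a tunnel. The script below is an added example (not code from the original post) that parses Apache combined-format lines, recognises the three probe families shown above (Unicode/double-encoded IIS traversal, the default.ida Code Red request, and CONNECT proxy abuse), and marks each as "blocked" or "investigate" from the status code. The sample lines are constructed from the shapes in the post; the addresses, the status of the default.ida line (the post truncates it) and the final 200 CONNECT line (what an open proxy would log) are assumptions.

```python
import re
from typing import List, Optional, Tuple
from urllib.parse import unquote

# Apache combined log format, as in the post: the quoted request line, then the
# status and byte count, then the quoted referrer and user-agent fields.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: (?P<proto>HTTP/[\d.]+))?" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)'
)

# Constructed sample lines modelled on the post (IPs, the default.ida status and
# the 200 CONNECT line are assumptions, not data from the original thread).
SAMPLE_LOG = """\
10.0.0.1 - - [23/Jan/2005:04:37:26 -0500] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1018 "-" "-"
10.0.0.1 - - [23/Jan/2005:04:37:38 -0500] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 951 "-" "-"
10.0.0.2 - - [05/Feb/2005:04:20:37 -0500] "GET /default.ida?XXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u00=a HTTP/1.0" 404 291 "-" "-"
10.0.0.3 - - [04/Feb/2005:13:21:25 -0500] "CONNECT smtp.example.net:25 HTTP/1.0" 302 272 "-" "-"
10.0.0.3 - - [04/Feb/2005:13:21:40 -0500] "CONNECT smtp.example.net:25 HTTP/1.0" 200 0 "-" "-"
10.0.0.4 - - [05/Feb/2005:19:15:04 -0500] "GET / HTTP/1.1" 304 0 "-" "-"
"""


def parse_line(line: str) -> Optional[dict]:
    """Parse one access_log line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    return entry


def classify(entry: dict) -> Tuple[str, str]:
    """Return (probe family, verdict).

    'blocked' means the status code proves the server did not do what was asked
    (the IIS path was never served, no tunnel was opened); 'investigate' means
    the status is consistent with success and the line deserves a closer look.
    """
    method, target, status = entry["method"], entry["target"], entry["status"]
    # Decode twice so the double-encoded variants ("..%%35%63.." -> "..%5c.." -> "..\\..")
    # are seen the way a vulnerable IIS would have seen them.
    decoded = unquote(unquote(target)).lower()

    if method == "CONNECT":
        # A forward proxy that agreed to tunnel answers CONNECT with 200; any other
        # status (the post's 302, or 400/405) means no tunnel was established.
        return "proxy abuse (CONNECT)", ("investigate" if status == 200 else "blocked")
    if "cmd.exe" in decoded or "/.." in decoded or "\\.." in decoded:
        return "IIS traversal (Nimda-style)", ("blocked" if status in (400, 403, 404) else "investigate")
    if "/default.ida" in decoded or "%u9090" in target.lower():
        # Code Red's request: a long default.ida query carrying %u-encoded shellcode.
        return "Code Red (default.ida)", ("blocked" if status in (400, 403, 404) else "investigate")
    return "normal", "ok"


def triage(log_text: str) -> List[Tuple[str, str, str, int]]:
    """Classify every parseable line as (ip, family, verdict, status)."""
    result = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry:
            family, verdict = classify(entry)
            result.append((entry["ip"], family, verdict, entry["status"]))
    return result


if __name__ == "__main__":
    for ip, family, verdict, status in triage(SAMPLE_LOG):
        print(f"{ip:10} {status} {verdict:11} {family}")
```

Run it against a real log with `triage(open("/var/log/httpd/access_log").read())`; anything reported as "investigate" is the case to look at, and for CONNECT in particular a 200 would mean the server is acting as an open proxy despite ProxyRequests being off. The status-code test is only as good as the server's logging: a 404 on cmd.exe is conclusive on a Linux box (there is no winnt directory to serve), but a 200 on an unexpected path should be checked against what actually lives there.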
Thank you very much for your comments. They are really very informative.
I hope someone will comment on this CONNECT directive. Thanks.