[Nottingham] Exposing our internal network

Johannes Kling jok at printk.net
Thu Dec 1 20:20:30 GMT 2005


> I should be grateful for your comments on how risky it is to open ports 22 
> and 80, and whether Firestarter provides adequate defence against script 
> kiddies. (I take it for granted that the gurus on this list would be able 
> to break in without working up a sweat.  ;-)

If you have apache running behind that port 80 you'll be as secure as
your weakest script, be it PHP, Perl or something else. If you trust
all of them or if all you do is serve static pages, though, there'll
be no problems provided your upstream bandwidth can handle it.

I'd recommend changing the SSH port to something other than 22, though
(look for the "Port" line in your sshd_config). It doesn't offer any
protection against human intruders, but there is a significant volume
of automated break-in attempts around that make this simple change
worthwhile. Otherwise, there's no real problem with doing this, unless
of course...

> If we have accounts on the server with simple user names and passwords, 
> are we running the risk of people being able to guess these 
> names/passwords and then log on as that user through ssh?

...ah, yes, that. Simple username/password combinations /will/ get
cracked, and probably sooner rather than later. If you cannot trust
all users with a valid shell on your system to have sensible
passwords, you'll have to find a way to restrict access to those that
can be trusted sufficiently.

  Jo Kling

"I shall press on valiantly in the face of apathy!" -- cmg
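
An added audit script, not part of the post or the list archive, that checks an sshd_config for the points raised above (the Port line, password logins, root logins, and whether access is limited to trusted accounts via the AllowUsers/AllowGroups directives); the two sample configs it runs against are constructed for the example:

```shell
#!/bin/sh
# Audit an sshd_config for the points raised above: listening port,
# password logins, root logins, and whether logins are limited to
# trusted accounts (the AllowUsers / AllowGroups directives).
# First value set for a directive (lower-cased), or empty if unset.
# sshd honours the first occurrence of a keyword, so later duplicates
# are deliberately ignored here as well.
sshd_directive() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || NF < 2 { next }
        tolower($1) == key { print tolower($2); exit }
    ' "$1"
}
# Print one finding per line; no output means nothing was flagged.
# Unset Port / PasswordAuthentication are treated as their defaults
# (22 and yes); PermitRootLogin is flagged only when set to yes.
audit_sshd_config() {
    cfg="$1"
    port="$(sshd_directive "$cfg" Port)"
    pw="$(sshd_directive "$cfg" PasswordAuthentication)"
    root="$(sshd_directive "$cfg" PermitRootLogin)"
    allow="$(sshd_directive "$cfg" AllowUsers)$(sshd_directive "$cfg" AllowGroups)"
    [ "${port:-22}" != 22 ] ||
        echo "Port: 22 (default; automated break-in attempts target it)"
    [ "${pw:-yes}" != yes ] ||
        echo "PasswordAuthentication: yes (a guessable password is enough)"
    [ "$root" != yes ] ||
        echo "PermitRootLogin: yes (root itself is open to password guessing)"
    [ -n "$allow" ] ||
        echo "AllowUsers/AllowGroups: unset (every shell account may log in)"
}
# Constructed sample configs (not from the post). The first Port line
# wins, so the stray "Port 2222" does not rescue the weak config.
WEAK_CFG="$(mktemp)"; HARDENED_CFG="$(mktemp)"
cat > "$WEAK_CFG" <<'EOF'
Port 22
Port 2222
PermitRootLogin yes
PasswordAuthentication yes
EOF
cat > "$HARDENED_CFG" <<'EOF'
Port 2222
PasswordAuthentication no
PermitRootLogin no
AllowGroups sshusers
EOF
echo "== weak =="; audit_sshd_config "$WEAK_CFG"
echo "== hardened =="; audit_sshd_config "$HARDENED_CFG"
```

Run it against your own file with `audit_sshd_config /etc/ssh/sshd_config`; the weak sample yields four findings, the hardened one none.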
