[clug] Secure your Internet facing stuff (was Re: googlebot doing funny things in logs)

Alex Satrapa grail at goldweb.com.au
Wed Jun 15 21:50:28 MDT 2011

On 16/06/2011, at 13:08 , Hal Ashburner wrote:

> Tee hee! There's even more to securing a machine than that! :P
> You've actually got to unplug it completely from the network "as Pwn2own has shown", just because you're running no services doesn't mean you can't be cracked. 

> Or option B is to trade off a reasonable assessment of the risk and the cost with the value of the service while trying to minimise the first two to some reasonable degree then make your trade off.

What happens when, as a result of the lulzsec DDoS cannon being sprayed about with gay abandon, countries like the USA start passing laws along the lines of, "if you are notified that your system is pwnd and being used in a DDoS and you fail to take action to secure it, you are considered to be aiding hostile action against this nation"?

Would the risk of being sent to Guantanamo Bay or any of the dozens of secret torture prisons that don't exist be enough to convince you that you either (a) ensure that your system is secure or (b) don't connect it to the Internet?

> So are you recommending nobody run services visible to the web unless they are experts who are willing to spend more than N hours a week securing it?

Absolutely. If you are connected to the Internet and you don't know how to secure your system, you are fodder for lulzsec's DDoS weapon or a USA secret service intrusion proxy probing the Chinese Government. The "bad guys" may do nothing more than install an IRC relay or DDoS slave on your system. You might not detect it for months, and it may have very little impact on your personal IP traffic, but the outcome for the rest of the Internet is quite severe.

> Mythweb == evil ? ssh tunnel and use a curses interface (write it if it doesn't exist) : ssh tunnel and use mythweb invisible to the web as htdigest isn't remotely good enough;

Why do you have mythweb exposed to the Internet in the first place? Here's the list of software you have to be sure is secure in that situation:
 - Mythweb
 - PHP
 - Apache
 - Linux

VPN to your home network, access mythweb over the VPN. Your "must trust it to be secure" software is now:
 - VPN
 - Linux

Which software is more likely to be programmed with security in mind? Mythweb or that VPN package?

> trade off a reasonable assessment of the risk and the cost with the value of the service

The "risk" is 100%. If you have a vulnerability on your system, expect it to get exploited. There are folks out there such as lulzsec/governments who are looking for more zombies to add to their arsenal.

You can reduce the intrusion vectors by reducing the amount of software on the system. Don't run CUPS or Samba on your Internet router. Don't forward ports from the router to your gaming computer except when you're playing the game that needs that port forwarded.

Don't walk in the middle of the highway. Don't point guns at people, it's always the unloaded gun that accidentally kills your friend. Don't use an electric toaster while in the bath.

Simple safety precautions, which some people continue to ignore because, "it'll never happen to me!"
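An added example (not part of this thread) of the check the post's advice comes down to: list the listening sockets that are reachable from the network and are not on an explicit allowlist, so that anything beyond the VPN (or whatever you chose to expose) stands out. The `ss` output and the allowlist below are constructed sample data; on a real host pipe `ss -Hltnup` into `exposed_services`.

```shell
#!/bin/sh
# Constructed sample in the shape of `ss -Hltnup` output (no header,
# listening TCP+UDP sockets, numeric ports, owning process shown).
SAMPLE_SS='tcp   LISTEN 0 128  0.0.0.0:22      0.0.0.0:* users:(("sshd",pid=611,fd=3))
tcp   LISTEN 0 128  127.0.0.1:631   0.0.0.0:* users:(("cupsd",pid=702,fd=7))
tcp   LISTEN 0 128  0.0.0.0:80      0.0.0.0:* users:(("apache2",pid=900,fd=4))
tcp   LISTEN 0 50   0.0.0.0:445     0.0.0.0:* users:(("smbd",pid=955,fd=33))
udp   UNCONN 0 0    0.0.0.0:1194    0.0.0.0:* users:(("openvpn",pid=777,fd=5))
tcp   LISTEN 0 128  [::1]:3306      [::]:*    users:(("mysqld",pid=1200,fd=20))'

# Constructed allowlist: what we deliberately expose (VPN, plus ssh for admin).
ALLOW="udp/1194 tcp/22"

# exposed_services: read ss output on stdin and print "proto/port process"
# for every socket bound to a non-loopback address not listed in $ALLOW.
exposed_services() {
  awk -v allow="$ALLOW" '
    BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    {
      proto = $1; local = $5
      port = local; sub(/.*:/, "", port)        # text after the last colon
      addr = local; sub(/:[0-9]+$/, "", addr)   # everything before it
      # loopback-only listeners (CUPS, MySQL here) are not network-reachable
      if (addr == "127.0.0.1" || addr == "[::1]") next
      key = proto "/" port
      if (key in ok) next
      proc = "?"
      if (match($0, /\("[^"]+"/)) proc = substr($0, RSTART + 2, RLENGTH - 3)
      print key, proc
    }'
}

# audit_sample: run the check over the constructed sample.
audit_sample() {
  printf '%s\n' "$SAMPLE_SS" | exposed_services
}

audit_sample
```

With the sample above the report is the two lines `tcp/80 apache2` and `tcp/445 smbd`: the web server and Samba are reachable from outside and were not on the allowlist, which is exactly the post's "why is mythweb exposed at all" question in script form.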
