General discussion

exposing one's dns on the internet

By sgt_shultz ·
would anyone possibly enlighten me as it has been too long since i browsed 'hacking revealed'...
would you talk to me about the kinds of things a security auditing tool would look for, if i had one, (hint hint) to probe my public servers. basic kitchen sink stuff most of interest but all ears to everything. i think you don't need to be specific if you just help me get the idea. i would like more of a clue about exposing dns on the internet too if possible. have a great weekend and thanks in advance.


by willcomp In reply to exposing ones dns on the ...

Sarge, you are probably looking for a more sophisticated tool, but Steve Gibson's Shields Up does a pretty good job of exposing individual PC vulnerabilities. www.grc.com, or google shields up.

Happy hacking

Dalton

by willcomp In reply to

Zaf,

Thanks for your very good response. I learned something from it.

Dalton

by sgt_shultz In reply to exposing ones dns on the ...

many thanks. what kinds of things does it look for?

by zaferus In reply to exposing ones dns on the ...

Hey Sgt,

DNS exposure occurs if your DNS server can be contacted from the Internet side. With a proper DMZ zone for public servers this should be avoidable as long as your DMZ servers are not domain controllers.

If they are, you can lower the risk by setting your DNS replication to not allow any requests. The first thing a serious hacker wants to do is information gather, and that's your phone book.
But to avoid any successful requests it's best to not have any DCs in the DMZ.

Shields Up is good for a simple port scan, but it doesn't get into port vulnerabilities. I wish it were so simple as running an Internet site test on your network and calling it a day.

First of all assess your vulnerabilities by port:
If you run 1-1 NAT where all port requests on to your DMZ get passed through, you are going to have a tough time of it. Exception based security is much better (cont'd next msg)

by zaferus In reply to

With exception based security you only open access to the ports that are used. This is by FAR your best first step to securing a DMZ. If you only are serving port 21, 80 and 443 for instance, only requests on those ports will go through to the set DMZ server. This keeps a hacker from doing a port 389 (LDAP) based attack for instance.

Change your MAC address on your firewall if you can as well. The first part of your default MAC address is the manufacturer of your NIC - which is normally the manufacturer of your firewall. This now tells the hacker what type of protection you are using and makes an attack strategy easier. Set it to something not in use and reveal nothing to the enemy. (cont'd next msg)
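An added example, not part of the original post: one way to check a DMZ server against the exception list described above (ports 21, 80 and 443) is to compare its listening sockets with that list. The `netstat -an` sample is constructed, and the function names are hypothetical.

```python
import re

# Ports the post's example DMZ server is meant to publish (FTP, HTTP, HTTPS).
ALLOWED_TCP = {21, 80, 443}

# Constructed sample of Windows `netstat -an` output for a DMZ host.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:21             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:389            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:443            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1433         0.0.0.0:0              LISTENING
  TCP    192.0.2.10:80          198.51.100.7:50412     ESTABLISHED
  TCP    [::]:53                [::]:0                 LISTENING
  UDP    0.0.0.0:53             *:*
"""

LINE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\S+))?\s*$")
LOOPBACK = ("127.", "[::1]")

def listeners(netstat_text):
    """Yield (proto, address, port) for every socket accepting traffic."""
    for line in netstat_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # header or unrelated line
        proto, addr, port, _foreign, state = m.groups()
        # UDP has no state column; TCP counts only when LISTENING.
        if proto == "TCP" and state != "LISTENING":
            continue
        yield proto, addr, int(port)

def unexpected_listeners(netstat_text, allowed_tcp=ALLOWED_TCP, allowed_udp=frozenset()):
    """Return listeners reachable off-host that the exception list does not cover."""
    findings = []
    for proto, addr, port in listeners(netstat_text):
        if addr.startswith(LOOPBACK):
            continue  # bound to loopback only, not reachable from the network
        allowed = allowed_tcp if proto == "TCP" else allowed_udp
        if port not in allowed:
            findings.append((proto, addr, port))
    return findings

if __name__ == "__main__":
    for proto, addr, port in unexpected_listeners(SAMPLE_NETSTAT):
        print(f"not on exception list: {proto} {addr}:{port}")
```

Anything this reports is either a service to shut down or a port the firewall has to keep blocked; on the sample it flags LDAP (389) and the DNS listeners on port 53.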

by zaferus In reply to

Now is where I actually answer your question!

With this basic security in place now you are most vulnerable to attacks on the specific ports that are still exposed but are used to serve legitimate public side information.

New vulnerabilities surface all the time, so there is no way to ensure air tight security here - that's just reality.

Keeping your patches up to date on both the server OS and the application serving the data (which is too often overlooked!) is a key first step. Shutting down unused services is also very important and often overlooked. This process is a basic server "hardening". Microsoft has an internal security scanning utility you can use to check your servers for known vulnerabilities.

The best scanning tool suite I've seen is by Eeye digital solutions. They have the entire gamut of products to handle security scans and IDS from all sides. But it is also incredibly expensive.

SonicWALL used to have it: if you made an account, even without a registered product, you got a free scan using their scanning utility. It's pretty good and gives you a very nice report afterwards. Even if you have to pay for it - it's a good tool.

Commercially there are about 1001 companies that are more than happy to run scans on your WAN IP range - but lots of them don't do much for the big bucks they can charge. If you have the time and Linux background Snort is the best scanning and intrusion detection system there is. It's free and has just tons of add-ons that other people have developed. Just remember that lots of the add-ons are privately developed and there is always a risk they also have a darker motivation to get you to run them...

by zaferus In reply to

*whew* I could literally talk all day about this, but I am a security specialist! In a way because there is no "silver bullet" is why I am employed in this position. But if you follow the above steps and run an independent scan or two you will be better off than 99% of the public servers out there (trust me on this one!). At least this makes you unattractive to most hackers who are looking for easy prey (the low hanging fruit thing).

Antivirus on your server probably goes without saying...

And of course a good firewall is worth its weight in gold, especially if it does deep packet inspection - but it should at least do stateful packet inspection.

http://www.microsoft.com/technet/security/tools/default.mspx

Link for Microsoft security tools

Also www.mysonicwall.com will make you an account (not sure if the one scan is still free).

http://www.snort.org/
Snort is the best tool out there that I know of. It's used by both security and hackers ; )

http://www.packetstormsecurity.org/
Packetstorm is a great place where security minds gather. It has good white papers and discussions. Always a good bookmark to have.

Zaf

by zaferus In reply to

Reading this over I see that I say that Snort and Eeye are both the best tools I know of; let me clarify this!

I would recommend Eeye if you can afford it, but Snort is next in line and is certainly affordable as it is free!

Zaf

by zaferus In reply to

Thanks for the positive feedback. If anyone has some questions just post a comment and I'll see if I can help.

Zaf

by sgt_shultz In reply to

i was looking for more. see hacking revealed.
