Discuss mailing list

[webmaster AT blockaid.me]

There is nothing wrong with what you're doing and I wouldn't class ubuntu as a noob distro. I run a number of large websites and maintain two public dns resolvers, all running on ubuntu.

Personally I am not a fan of bind, but each to their own.

I like the idea of having a secure wiki, and as long as it is community-driven, I don't think there will be any shortage of guides for different distributions. That is at least if this mailing list is anything to go by - that is me paying you guys a compliment by the way.

Sent from my BlackBerry® smartphone on O2

---

From: Dale <dweide9 AT aim.com>

Sender: discuss-request AT lists.opennicproject.org

Date: Thu, 3 May 2012 16:22:51 -0400 (EDT)

To: <discuss AT lists.opennicproject.org>

ReplyTo: discuss AT lists.opennicproject.org

Subject: Re: [opennic-discuss] Attack Countermeasures: An Exercise of Paranoia

I like the idea of a "Secure OpenNIC Configuration" Wiki page. But would it be OS specific? As a newb, tinkering with bind in my spare time, I find that ubuntu server just works. I imagine you guys primarily use BSD, correct? I'm good at following instructions, but FreeBSD doesn't seem to play as nicely (for a PC to Linux guy, with no pure Unix experience). It may be that there are enough engineers out there to satisfy OpenNIC's needs. In which case, it is probably best to avoid using amateurs like me. But if it's "All hands on deck!", then I'll need a "kiddie pool" : )

Dale

-----Original Message-----
From: Falk Husemann <josen AT paketsequenz.de>
To: discuss <discuss AT lists.opennicproject.org>
Sent: Thu, May 3, 2012 12:08 pm
Subject: Re: [opennic-discuss] Attack Countermeasures: An Exercise of Paranoia

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello,

I've thought about some of the possible problems the whole day and asked
myself: What could be of use, just in case?

As a first starting point for security interested T1/T2 owners, we could
really try to have a "Secure OpenNIC Configuration" Wiki page where
detailed step-by-step instructions are given to secure your BIND
nameserver. What do you think?

Alex #1 really has good points on what might happen. We could try to
work out a Emergency/Desaster Plan for server owners that they can read
through, if someone really does bad.

This doesn't have to be rocket science, just basic guidelines to point
people at. No "total fort knox we'll shoot you if you blink" things like
"get bgp and nullroute the attackers", but baseline security advice for
intermediate server owners (most of us are, I guess, it's still just a
hobby).

I've worked with and without such things and its a better experience,
when you have a _useful_ Emergency plan, but even a bad one is better
than first having to think about what your options are. Think about
secure configuration like cancer prevention :)

Greets,
Falk
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQEcBAEBAgAGBQJPotd+AAoJEPPG1NATKThtoTIH/0YaRXQEaNUCo1OCHcfU9lWK
7wh3jTJszo0unUh8+KMX4+KuXniaj87xtWtji0f7mNPRHdD6Na+8MIZJXWV4+Buv
XEbTv/fWO94o4DNhgBzH3H9CxrIB/W9kgofYOWVtYCJfXHSgyooNh/Pj2yZ3FfvU
RfyM6XyETTHHs2Ux/2UWUTIl41XtvV12yv7c/oETLG8BZO5x+eYCqEDUARDIqImq
nUI6tM5eKvZwOxUSXM1bDyLDrwKHYmX+ohnPz9DZ9zJ6c8Nispm0crmbMxP7p4VK
VU5tLPdAdG4KxLPo8IWBWL1sw+vbdubFuuBPm2qUoDHlO45jnXRZo03cfPqNpyo=
=tyx8
-----END PGP SIGNATURE-----


--------
You are a member of the OpenNIC Discuss list. 
You may unsubscribe by emailing discuss-unsubscribe AT lists.opennicproject.org