Discuss mailing list

[Tully Gray <tullygray AT arc.net.au>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Jeff Taylor wrote:
> On 05/05/2012 08:01 AM, Falk Husemann wrote:
>> There is also this page with our T2 test script-cgi:
>> http://wiki.opennicproject.org/AutomatedDnsServerTesting
>
> I just updated that page with more recent information and corrected
> links. The code can be made available, but the code that performs
> individual server testing may be more legible.
>
>> Is that scripts source available? I'd like to add some secure
>> configuration checks and maybe tinker around with a weathermap for
>> summary information. I think of a map of the opennic project made
>> in graphviz or compareable, that shows the current hierachy of
>> T0-T1-T2 with short summary boxes below them for integrity and
>> security checks. It could incomporate the following:
>>
>> - Availability % - Port Randomness? - Version hidden?
>
> I'm not sure if this is useful for your project, but since you
> mentioned maps, I wanted to point you to the GeoIP map project I
> worked on last year -- http://opennic.oss/geomap/geomap.php This
> could be useful for any map projects, as I have already worked out
> the scaling for the lat/lon placement of positions on the map.
>
>> Is there a authoritive source for T1 and T2 servers? Is it in the
>> glue zone? I guessed that dns.opennic.glue lists all T2.
>
>> From linux...
> T1 servers: dig opennic.glue NS | grep IN[[:space:]]A T2 servers: dig
> dns.opennic.glue AXFR | grep IN[[:space:]]A | grep -v
> ^dns.opennic.glue TLD list: dig +short TXT tlds.opennic.glue
>
>> What affirmation process is needed to be able to do
>> portscans/vulnerability scans with the OpenNIC servers? This can be
>> used to determine further security recommendations. AFAIK non
>> attack preparing portscans are legal from my country, but Id like
>> to discuss this first, to not hurt anyones feelings :)
>
> If you are doing in-depth testing that would normally trigger
> firewalls or IDS, it would be best to limit this in the final
> version. However if you need to check the results of a particular
> test as you develop your script, ask one of us on IRC, and we can let
> you know of any ill results or remove any firewall blocks that occur
> from your testing.
>
>
> -------- You are a member of the OpenNIC Discuss list. You may
> unsubscribe by emailing discuss-unsubscribe AT lists.opennicproject.org
>

Hi,

I was wondering what types of non-network related security measures
people are using to secure their servers?  For instance I use hardened
Gentoo which offers some great features like SELinux, RBAC, and the
GRsecurity and PaX patches for the Linux kernel.  These features can
be considered to be a second line of defense after network security
features.  For instance; if an attacker does manage to hack into a server
and gain control of a user or service account, SELinux/RBAC rules can
provide fine-grained access permissions which should stop further
privilege escalation.  The PaX team is responsible for pioneering ASLR
(Address Space Layout Randomization) and other counter-measures
which stop most forms of kernel hacking and return-to-libc type attacks.

Tully Gray.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.17 (GNU/Linux)

iQIcBAEBAgAGBQJPpyHmAAoJEKNjRVNXXwT+xGQP/3muzj65ONqqifmYinVN7Qcf
pE3JhmMWBoqAa2qA0ELa2NGPzCdK1dz/FP+MDoxr+BE7SiZfeFyc1tYnPiZFGWib
o/VEGFIc00T8JG2EWBGXhOQKLpFOzaAzrnjnc9n6E2HjmXXwGpBzYthvVq4MMTzk
iL3iWOfnyyvvgpSVavP3DH+fq8IPKmf5D+VAPmVUCu5sREM5n/2i7bnjm2WImJOY
AW4G9uxXJcwcStzu39kKwY60q79Q6G2vpldc5wU+5dQjovFl50wFALgC/t0jjBCC
yRi9kNYiEfB/c1zFpmiESrX40Io+/KI6DcXJTyiizatoFLMvBzOaJf+IXk6H69Jy
PddbYsCYlmOa47ALXYBjV2eGnTjr9CKA6HxwWnWmKEHVBqLskSTO4d38Rf3y0euj
Y/C52HIE0syfmdX9YbeYInXEhGW6ZzfX23hawOrcg3JGNugcPT9+i2YaijsZtEIh
Ia+epOaTLa7Y8S9znTU7I3kK+Wu7tS8I2mM51hcmh6ihNSAYpeJfq9baLq6erePg
NkzXXuepM3A0RcjtY/TDoIxhytN63dQhhdkuHojcQCnCBByU0YNmzBvXeq5EaiLK
E2+KWPvtobJqwaldA0X308/ONsy+LhQMbmnd+4wXp1nkrBI0eFfRO9Y06SZ0eZ94
2GetSP+z5O0evgallOTF
=JnZP
-----END PGP SIGNATURE-----