are these BIND errors....
Brad Knowles
brad.knowles at skynet.be
Thu Jun 28 23:51:45 UTC 2001
At 4:08 PM -0700 6/28/01, Gary Kline wrote:
> When I first jumped into BIND and running my own nameserver, *etc*,
> a friend suggested that the ``log_in_vain'' entry would let me
> track all the would-be crackers.

This option is good at letting you see probing activity, and
other real connection attempts. However, attackers now use much more
intelligent methods to see what is on a machine, and they can usually
only be detected by tools that work at a much lower level in the
TCP/IP stack -- such as firewalls.

> Before a few months ago I was
> snug and secure behind my worksite's firewall... then, security
> wasn't an issue. Security is very much an issue and I'm still
> on the edge of a learning curve.

Yup. I'd encourage you to run firewall software of your own on
each and every one of your publicly accessible servers, and have them
all configured to allow only the specific traffic you know that the
machine should be seeing, and refusing all the rest.

I know that this is a lot of work, but you can't depend on
everything being behind a single network firewall, and that network
firewall protecting you from all attacks -- if someone manages to get
into a machine behind the firewall, then they have complete
unrestricted access to your entire network.

However, with host-level firewalling on each public server, once
they break through the front door, they find that all the doors in
the hallways beyond are also themselves locked, and this poses a more
difficult task for them to attempt.

--
Brad Knowles, <brad.knowles at skynet.be>
/* efdtt.c Author: Charles M. Hannum <root at ihack.net> */
/* Represented as 1045 digit prime number by Phil Carmody */
/* Prime as DNS cname chain by Roy Arends and Walter Belgers */
/* */
/* Usage is: cat title-key scrambled.vob | efdtt >clear.vob */
/* where title-key = "153 2 8 105 225" or other similar 5-byte key */
dig decss.friet.org|perl -ne'if(/^x/){s/[x.]//g;print pack(H124,$_)}'
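The two pieces of advice in the thread, the log_in_vain knob Gary mentions and the per-host "allow only what the machine should see, refuse the rest" firewall Brad recommends, put together as an added example script. This is not code from the post or from the BIND project. It assumes a FreeBSD box with the IPFIREWALL kernel option (so the ipfw command and the net.inet.*.log_in_vain sysctls are present), BIND listening on port 53, and ADMIN_NET as a constructed RFC 5737 placeholder for the network administrators log in from; adjust it to your own site.

```shell
#!/bin/sh
# Added example, not part of Brad Knowles' post: a default-deny host
# firewall for a public BIND server using FreeBSD ipfw, together with the
# log_in_vain sysctls the thread mentions. Assumptions: FreeBSD with the
# IPFIREWALL kernel option, BIND listening on port 53, and ADMIN_NET as a
# constructed (RFC 5737) placeholder for the network admins log in from.
ADMIN_NET="${ADMIN_NET:-192.0.2.0/24}"

# Emit the ipfw rule set. ipfw is first-match: the rules name exactly the
# traffic this machine should see, and the last rule refuses (and logs)
# everything else, which is the "all doors locked" model from the post.
host_firewall_rules() {
    cat <<EOF
ipfw -f flush
# loopback is trusted; loopback addresses on real interfaces are spoofed
ipfw add allow ip from any to any via lo0
ipfw add deny ip from any to 127.0.0.0/8
ipfw add deny ip from 127.0.0.0/8 to any
# packets belonging to connections the keep-state rules below recorded
ipfw add check-state
# the service this host exists for: DNS over UDP and TCP
ipfw add allow udp from any to me 53
ipfw add allow udp from me 53 to any
ipfw add allow tcp from any to me 53 setup keep-state
# lookups this server makes on behalf of its clients, and their answers
ipfw add allow udp from me to any 53 keep-state
ipfw add allow tcp from me to any 53 setup keep-state
# remote administration only from the admin network
ipfw add allow tcp from $ADMIN_NET to me 22 setup keep-state
# echo, unreachable (path MTU discovery) and time-exceeded only
ipfw add allow icmp from any to any icmptypes 0,3,8,11
# everything not listed above is refused and logged
ipfw add deny log ip from any to any
EOF
}

# Emit the sysctls that log connection attempts to ports with no listener.
# Behind the rule set above they only ever see traffic the firewall let
# through, so the ipfw "deny log" line becomes the main record of probing.
probe_logging_sysctls() {
    cat <<EOF
sysctl net.inet.tcp.log_in_vain=1
sysctl net.inet.udp.log_in_vain=1
EOF
}

# Print the commands by default; "apply" runs them (needs root on the host).
if [ "${1:-}" = "apply" ]; then
    { host_firewall_rules; probe_logging_sysctls; } | sh
else
    host_firewall_rules
    probe_logging_sysctls
fi
```

Run without arguments to review the generated rules, and with `apply` as root to load them. The point of the ordering is that every allow rule describes a service the box is meant to offer or a reply to something it initiated; a probe against any other port never reaches the TCP/IP stack, which is why Brad says host firewalls catch what log_in_vain alone cannot.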