Thread: Penetration analysis?

  1. #11
    Senior Member RoadClosed's Avatar
    Join Date
    Jun 2003
    Posts
    3,834
    Unfortunately my browser didn't like that page. HTTP is blocked from outside. Limited clients can access it from inside. SMTP no fixup was recommended because of Exchange behavior, yes. Thank you for the input.
    West of House
    You are standing in an open field west of a white house, with a boarded front door.
    There is a small mailbox here.

  2. #12
    Senior Member
    Join Date
    Jul 2001
    Posts
    420
    Not an expert in this area but the link does work if you remove the spaces (represented by %20) and the <br%20/>

    I tried to post the fixed link here but AO destroyed it by inserting the spaces and HTML formatting

    Cheers,

    -D
    If you spend more on coffee than on IT security, you will be hacked. What's more, you deserve to be hacked.
    -- former White House cybersecurity adviser Richard Clarke

  4. #14
    Senior Member RoadClosed's Avatar
    Join Date
    Jun 2003
    Posts
    3,834
    Yep, that does work. Cheers. Great article.
    West of House
    You are standing in an open field west of a white house, with a boarded front door.
    There is a small mailbox here.

  6. #16
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,401
    Why do you use fixup ftp and http if these ports aren't open?
    Set up your ruleset like this:

    Allow rule (conduit permit tcp x.x.x.x eq smtp host y.y.y.y)
    deny everything else (conduit deny ip any any)
    Oliver's Law:
    Experience is something you don't get until just after you need it.

  8. #18
    Senior Member RoadClosed's Avatar
    Join Date
    Jun 2003
    Posts
    3,834
    That's a damn good question, I guess it's there as a safety margin but it's not used so I'll take them out. I had considered the conduit command to deny everything. The initial startup command for the PIX interface has it set to deny everything but an extra step would be beneficial to ensure unwanted packets are definitely denied. But I am thinking, if I go messing with the conduits I might as well conform to modern convention and switch to ACL controls. Of course just adding that deny line wouldn't hurt, so I did.

    To update everyone, I had a very generous AO member (thanks T.S.) scan me last night and with the running config posted here there are no open ports reported back. Although I did turn off the FTP server that was running in IIS on the mail server.

    //edit I think I spoke too soon on the fixup commands. They are enabled by default and if there are no vulnerabilities associated with their use, would it make sense that if a packet did get through, you would want it to run through the fixup security engine for inspection? They are enabled by default and I know some recommend their removal if not used but I question the benefit of fixup exploits versus an active inspection of packets coming in that are originated from inside, such as web browsing. Am I oversimplifying? The command is global affecting both inside and outside interfaces but I AM NOT a Cisco expert.
    West of House
    You are standing in an open field west of a white house, with a boarded front door.
    There is a small mailbox here.
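The two questions in the posts above (why keep fixup engines for ports no inbound rule opens, and how a conduit ruleset maps onto access-list form) can be checked mechanically against a saved config. The script below is an added example for this thread, not code from any poster or from Cisco. It parses a constructed PIX 6.x-style config fragment (the addresses and the SMTP-only conduit are made up to match the thread), lists fixups whose ports no permit rule reaches, confirms an explicit `deny ip any any` is present, and rewrites the conduits as an access-list bound to the outside interface. It assumes the PIX 6.x `fixup protocol`, `conduit` and `access-list` syntax subset shown in the comments and a partial port-keyword table; both are assumptions to extend for a real config. The fixup report is a heuristic only: as the edit above points out, a fixup also inspects sessions that inside hosts open outbound, which no inbound rule reveals.

```python
"""Audit a PIX 6.x-style config: fixups with no inbound permit, explicit final
deny, and conduit -> access-list translation (constructed example for this thread)."""
import re

# Constructed sample config, not the poster's; addresses are RFC 5737 ranges.
SAMPLE_CONFIG = """\
fixup protocol ftp 21
fixup protocol http 80
fixup protocol rsh 514
fixup protocol sqlnet 1521
fixup protocol sip 5060
no fixup protocol smtp 25
static (inside,outside) 203.0.113.10 10.0.0.10 netmask 255.255.255.255 0 0
conduit permit tcp host 203.0.113.10 eq smtp any
conduit deny ip any any
"""
# Partial table of PIX port keywords (assumption; extend as needed).
PORT_NAMES = {"ftp": 21, "smtp": 25, "domain": 53, "www": 80, "http": 80,
              "pop3": 110, "imap4": 143, "https": 443}
# fixup protocol NAME [strict|h225|ras] PORT[-PORT]; a leading "no " disables it.
FIXUP_RE = re.compile(
    r"^(no )?fixup protocol (\S+)(?: (?:strict|h225|ras))? (\d+)(?:-(\d+))?$")

def _port(s):
    return PORT_NAMES.get(s) or int(s)

def _take_addr(tok, i):
    """Consume one address operand (any | host X | X MASK); return (text, next)."""
    if tok[i] == "any":
        return "any", i + 1
    if tok[i] == "host":
        return "host " + tok[i + 1], i + 2
    return tok[i] + " " + tok[i + 1], i + 2

def _take_port(tok, i):
    """Consume an optional eq/range operator; return ((lo, hi) or None, text, next)."""
    if i < len(tok) and tok[i] == "eq":
        return (_port(tok[i + 1]),) * 2, "eq " + tok[i + 1], i + 2
    if i < len(tok) and tok[i] == "range":
        lo, hi = _port(tok[i + 1]), _port(tok[i + 2])
        return (lo, hi), "range %s %s" % (tok[i + 1], tok[i + 2]), i + 3
    return None, "", i

def _parse_conduit(tok):
    # conduit {permit|deny} PROTO GLOBAL [port] FOREIGN [port]
    # Note the global (translated, destination) side comes first in a conduit.
    dst, i = _take_addr(tok, 3)
    dport, dport_txt, i = _take_port(tok, i)
    src, i = _take_addr(tok, i)
    return {"kind": "conduit", "action": tok[1], "proto": tok[2],
            "src": src, "dst": dst, "dport": dport, "dport_txt": dport_txt}

def _parse_acl(tok):
    # access-list NAME {permit|deny} PROTO SOURCE [port] DEST [port]
    src, i = _take_addr(tok, 4)
    _sport, _txt, i = _take_port(tok, i)
    dst, i = _take_addr(tok, i)
    dport, dport_txt, i = _take_port(tok, i)
    return {"kind": "acl", "action": tok[2], "proto": tok[3],
            "src": src, "dst": dst, "dport": dport, "dport_txt": dport_txt}

def parse_config(text):
    cfg = {"fixups": [], "rules": []}
    for raw in text.splitlines():
        tok = raw.split()
        m = FIXUP_RE.match(raw.strip())
        if m:
            if not m.group(1):                      # skip "no fixup ..." lines
                lo = int(m.group(3))
                cfg["fixups"].append((m.group(2), lo, int(m.group(4) or lo)))
        elif tok and tok[0] == "conduit":
            cfg["rules"].append(_parse_conduit(tok))
        elif len(tok) > 3 and tok[0] == "access-list" and tok[2] in ("permit", "deny"):
            cfg["rules"].append(_parse_acl(tok))
    return cfg

def unused_fixups(cfg):
    """Fixups whose port range no permit rule reaches. Heuristic only: a fixup
    also inspects sessions that inside hosts open outbound, which no inbound rule shows."""
    def reached(lo, hi):
        return any(r["action"] == "permit" and (r["dport"] is None or
                   (r["dport"][0] <= hi and r["dport"][1] >= lo)) for r in cfg["rules"])
    return [name for name, lo, hi in cfg["fixups"] if not reached(lo, hi)]

def has_explicit_deny(cfg):
    return any(r["action"] == "deny" and r["proto"] == "ip" and
               r["src"] == "any" and r["dst"] == "any" for r in cfg["rules"])

def conduits_to_acl(cfg, name="outside_in", iface="outside"):
    """Rewrite conduit rules as an access-list: source first, then destination."""
    lines = []
    for r in cfg["rules"]:
        if r["kind"] == "conduit":
            parts = ["access-list", name, r["action"], r["proto"], r["src"], r["dst"]]
            lines.append(" ".join(parts + ([r["dport_txt"]] if r["dport_txt"] else [])))
    return lines + ["access-group %s in interface %s" % (name, iface)]

if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    print("fixups with no inbound permit:", unused_fixups(cfg))
    print("explicit final deny present:", has_explicit_deny(cfg))
    print("\n".join(conduits_to_acl(cfg)))
```

On the sample, all five enabled fixups are reported because only SMTP is permitted inbound; the `no fixup protocol smtp 25` line is honoured and SMTP is not listed. The translation keeps the global (translated) address in the access-list, which is what PIX 6.x expects on the outside interface, and swaps the operand order, since a conduit names the global side first and an access-list names the source first.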

  10. #20
    Senior Member
    Join Date
    Apr 2004
    Posts
    1,130
    Just to finish my last observation, if http is open from inside to outside, you should take a look at "strict" parameters. That would avoid "embedded" ftp on http strings. Maybe this is the origin of those ftp connections
    My site

    FORMAT C: Yes ...Yes??? ...Nooooo!!! ^C ^C ^C ^C ^C
    If I die before I sleep, I pray the Lord my soul to encrypt.
    If I die before I wake, I pray the Lord my soul to brake.
