
Thread: OK *NIX groupies

  1. #41
    Member
    Join Date
    Sep 2001
    Posts
    77
    Well 8trak, you got me laughing

    Netbios was originally used by Novell over ipx/spx and Microsoft over netbeiu (sorry for the spelling, I try). The first instances of netbios over tcp/ip weren't available until the early 90's when IBM and Microsoft both came out with implementations for it.

    Netbeiu is perfectly adequate for what it was designed for, LAN, it uses huge packets for speed etc. It was never designed to be used between 2 tin cans joined with a piece of string like tcp/ip was.

    Maybe I wasn't clear enough, Netbios should NEVER be used across the Internet unless it is within a VPN. It should never be mapped to tcp/ip on an open Internet machine

    As to never having a system compromised (again, apologies for the speeling errors), great, I'm happy for you

    cheers
    I'm not a BOT I'm a beer droid!
    Prepare to be Assimilated.

  2. #42
    Banned
    Join Date
    Aug 2001
    Location
    Yes
    Posts
    4,424
    I can be wrong, obi, but I didn't know Novell's ipx/spx used Netbios... IPX is a network layer protocol, and it uses IP-addressing... The SPX protocol gets its services from the IPX protocol. The IPX protocol is based on the Internet Datagram Packet (Xerox Network System). IPX and IDP packets have the same structure. Now, about those packets: those packets contain a destination socket field, which are used to specify the address field associated with the higher OSI-process. Those values are defined by XEROX, and there actually does exist a NetBios value (455H)... But saying that IPX uses NetBios? Nah, I don't think so...

    And about NetBEUI (NetworkBios Extended User Interface): NetBeUI uses Netbios-names, that's correct. It was designed for LAN, of course, 'cause NetBEUI packets are NOT routable, meaning they can't pass a router... 'It uses huge packets for speed'??? Speed? What speed? NetBEUI is forced to use broadcasts, because of the lack of logical addresses. The amount of broadcasts is enormous, meaning the original aim of NetBEUI ('up to 200 nodes!!!') is slightly exaggerated... From what I know, NetBEUI only can be used in networks with less than 10 hosts, only with MS clients and servers. And Microsoft was interested in NetBEUI because of the simplicity of the protocol (MS LAN Manager, remember?), there's no need for user intervention.

    And what about NetBios over TCP/IP? NetBios indeed can use IPX, to avoid those NetBEUI problems. In WinNT for example, NetBIOS is implemented in the APIs, meaning you don't need NetBEUI anymore... NetBIOS doesn't need NetBEUI...

  3. #43
    Member
    Join Date
    Sep 2001
    Posts
    77
    You're right ipx/spx doesn't use netbios, it was implemented the other way around, it was the first alternative to netbeui available.

    Yes netbeui is a flat address space, non-routable protocol. I don't think Microsoft ever thought there would be a need to connect more than a few machines

    Yes netbios can use ipx/spx, but that's a little difficult to route across the Internet or any other tcp/ip based network. I think I was just trying to say to 8trak that netbios has its uses, but they are definitely not on the Internet

    It always comes back to the age old problem, ease of use for the end-user vs security/cost/and other considerations. It's nice to be able to put a 1/2 a dozen drive letters on a standard corporate desktop machine to simplify ease of support from a central help desk, or peer support, but there are risks associated with implementing it incorrectly.

    cheers
    I'm not a BOT I'm a beer droid!
    Prepare to be Assimilated.

  4. #44
    Computer Forensics
    Join Date
    Jul 2001
    Posts
    672

    what have you done to my topic????

    guys, please read the first few posts for this topic. It's about securing *nix, not Netbios arguments and who first implemented it and how. So, move it to another thread or contribute to the TOPIC of this thread.
    Thanks.
    Antionline in a nutshell
    "You're putting the fate of the world in the hands of a bunch of idiots I wouldn't trust with a potato gun"

    Trust your Technolust

  5. #45
    Member
    Join Date
    Sep 2001
    Posts
    77
    hehe, true hog, sorry bout that, red herrings have always caught my attention
    I'm not a BOT I'm a beer droid!
    Prepare to be Assimilated.

  6. #46
    Junior Member
    Join Date
    Sep 2001
    Posts
    14
    That would be a pretty loose virgin. Windows has a limited configurability. *NIX has a little bit more flex when you need it. You could just shut down all ports or keep current with the updates and patches. It is a lot easier. My Win box locks up and gets more virus ridden than my linux box or the crappy sun box I have. How long did BO work again. How quickly did they come up with that fix. Didn't they deny the thing at first too.

  7. #47
    Banned
    Join Date
    Sep 2001
    Posts
    2,810

    Hmm...

    According to my investigation this site, www.antionline.com is running

    Apache/1.3.20 on Windows 2000

    This site however is pretty secure wouldn't you agree?

  8. #48
    Junior Member
    Join Date
    Sep 2001
    Posts
    14
    I will admit that MS did a good job with wind2k. But, Antionline, being an internet security site would be more on top of security issues and they probably actually apply patches and keep their eyes open. There is a human factor. But in the way of which os is more secure, I still hold linux as the winner.

  9. #49

    Re: what have you done to my topic????

    Hello Hogfly,

    Here is my (little) contribution. I'm not an *nix-guru, not guru at all.

    First of all
    ------------


    - Disable any unnecessary services.

    - Try to replace unencrypted with encrypted (ssh instead of telnet etc)

    - Try to stay at current level of patching for OS and offered services.

    - Read greedily news forums about those products.

    - Remove any "information giving" features (Ok, I didn't apply this one yet on my server.) For example, named gave kindly its version from a request in CHAOS class. Also, APACHE gives its version when prompting for a "GET /" or a nonexistent page.

    - Don't install unnecessary applications on a server. And at all, NO X-WINDOW if that can be avoided.

    Second of all
    -----------------

    - Install tripwire or an equivalent to audit files and filesystem for any modification.

    - At the installation, create a very granular file system with RO where it should be (/bin, /usr/bin and so on), /var on its own, /tmp also.

    - Try to install strong PAM and shadow passwords. Some systems accept a library on PAM that will try to crack the password on password changes, and accept or refuse that password based on the easiness of the crack.

    - Grab yourself a password cracker and try to hack your password. Use it on another system! (as it is very, very resource-consuming)

    - Install some kind of host firewalling. Denying (or logging) icmp, and requests made to not offered and "known for flaws" services (for example : smtp, pop, telnet and so on)

    - Install some kind of host IDS. Snort is quite cool for that, even if it is a NIDS rather than an IDS.



    Ok, I agree that those are only a few steps in a long marathon. But being secure doesn't mean you can't be hacked, but that you respond to cracker's attack ... before they think of attacking!

    Jean-Francois
