How risky is it to have a web server on the internal LAN?

Phil W Lee
      12-01-2011, 11:58 PM
Peter <occassionally-(E-Mail Removed)> considered Thu, 01 Dec
2011 09:13:11 +0000 the perfect time to write:

>
>alexd <(E-Mail Removed)> wrote
>
>>> The SSL VPN comes in on a different IP (not in that subnet) and I
>>> think this provides a little bit more security, because that IP is not
>>> readily discoverable using WHOIS etc.

>>
>>Unless you're being specifically targeted, I doubt a search for an entry
>>point starts with a whois lookup.

>
>I was thinking of exactly that as being the main risk
>
>>> In this case you can assume the client computer will never get
>>> compromised.

>>
>>Er right. I assume this client never gets switched on, then?

>
>It is a laptop in my physical possession. If it gets nicked, I will go
>and change the passwords. Not that the SSL logins etc are (openly)
>stored on it anyway (they might be caught in the swapfile, as
>usual...)
>
>>> The web server must have an admin login, and if somebody cracks that,
>>> they can vandalise the server, or put some code of their choice on it,
>>> but for what purpose?

>>
>>IME, hosting phishing sites, sending spam and using your bandwidth to launch
>>DoS attacks.

>
>Sure.
>
>>> It was the VPN which concerned me but I cannot see the security hole -
>>> assuming the router has no stupid bugs.

>>
>>A publicly available login prompt always has the potential to be a
>>security hole.

>
>Of course, but they still have to log in
>
>Are you saying that there is no remote admin login on microsoft.com,
>anywhere?
>
>I doubt it.
>
>Otherwise you would have to have the sysadmin drive to the server site
>to fix anything.


That's pretty common on major sites actually - if you have 24/7
support on site why run the risk of doing it any other way?

If you aren't big enough to run 24/7 on-site support some ports can be
firewalled to only be accessible to particular known IP addresses, but
that isn't as secure as console only access, and should be recognised
as a risk that needs watching.

Either way, nothing in the way of a login prompt will be visible to
the great unwashed.
The Natural Philosopher
      12-02-2011, 10:06 AM
Phil W Lee wrote:
> Peter <occassionally-(E-Mail Removed)> considered Thu, 01 Dec
> 2011 09:13:11 +0000 the perfect time to write:
>
>> alexd <(E-Mail Removed)> wrote
>>
>>>> The SSL VPN comes in on a different IP (not in that subnet) and I
>>>> think this provides a little bit more security, because that IP is not
>>>> readily discoverable using WHOIS etc.
>>> Unless you're being specifically targeted, I doubt a search for an entry
>>> point starts with a whois lookup.

>> I was thinking of exactly that as being the main risk
>>
>>>> In this case you can assume the client computer will never get
>>>> compromised.
>>> Er right. I assume this client never gets switched on, then?

>> It is a laptop in my physical possession. If it gets nicked, I will go
>> and change the passwords. Not that the SSL logins etc are (openly)
>> stored on it anyway (they might be caught in the swapfile, as
>> usual...)
>>
>>>> The web server must have an admin login, and if somebody cracks that,
>>>> they can vandalise the server, or put some code of their choice on it,
>>>> but for what purpose?
>>> IME, hosting phishing sites, sending spam and using your bandwidth to launch
>>> DoS attacks.

>> Sure.
>>
>>>> It was the VPN which concerned me but I cannot see the security hole -
>>>> assuming the router has no stupid bugs.
>>> A publicly available login prompt always has the potential to be a
>>> security hole.

>> Of course, but they still have to log in
>>
>> Are you saying that there is no remote admin login on microsoft.com,
>> anywhere?
>>
>> I doubt it.
>>
>> Otherwise you would have to have the sysadmin drive to the server site
>> to fix anything.

>
> That's pretty common on major sites actually - if you have 24/7
> support on site why run the risk of doing it any other way?
>
> If you aren't big enough to run 24/7 on-site support some ports can be
> firewalled to only be accessible to particular known IP addresses, but
> that isn't as secure as console only access, and should be recognised
> as a risk that needs watching.
>
> Either way, nothing in the way of a login prompt will be visible to
> the great unwashed.


MM. I found that I had rebooted my VPS and I hadn't installed persistent
firewall rules, so it had in fact been 'open' on the net for 14 days..

NO one got in.

There were signs of massive dictionary attacks on the ssh and ftp
ports. Some from China, a lot from the UK.

No one seems to have found my password. Or my name even.

So even basic name/password can defeat most people it seems.


We always had three levels of access to our remotely hosted kit.

If it was up and running ssh or telnet.

If it had crashed, we had a terminal server we logged into, that had
serial console access. If the internet was down, that had an auto answer
modem on a particular phone number.

After that we used to have to go down to physically reboot kit
occasionally, till we found a device that you could phone up and cause
power relays to work... after that we never went onto the machines at
all, until they needed extra hardware etc.

IME hacked sites and hacked machines are simply because too many people
who know little or nothing are running them. I've seen people scanning
my websites looking for 'site builder' programs that they hope are there,
that are terrifyingly vulnerable.

Someone I knew didn't change his password even after being hacked the
third time?

He fell out with someone. They were seen parked across the street for
hours by the landlady... 'what was the point of that?' he asked 'using
your wifi, you haven't changed the password have you?').


Wifi, especially PUBLIC wifi is so glaringly terrifyingly insecure that
I am surprised anyone uses it.

Years ago we had a system whereby if you entered your name and password
into the firewall, your IP address would be allowed past for the
duration... to whatever level your name was allowed by preset rules.

I suppose that's sort of what a VPN is in its effect.
Peter
      12-02-2011, 02:04 PM

The Natural Philosopher <(E-Mail Removed)> wrote

>MM. I found that I had rebooted my VPS and I hadn't installed persistent
>firewall rules, so it had in fact been 'open' on the net for 14 days..
>
>NO one got in.
>
>There were signs of massive dictionary attacks on the ssh and ftp
>ports. Some from China, a lot from the UK.
>
>No one seems to have found my password. Or my name even.
>
>So even basic name/password can defeat most people it seems.


A dictionary attack can do only so much. If you pick 4 or 5 letters
and a couple of numbers, no dictionary words, no attack is going to
find it especially if the login takes a second or two to come back.

You HAVE to pick suitable passwords, because no matter what you do,
somebody will find the login. It doesn't matter whether it is an IPSEC
VPN, PPTP VPN, L2TP VPN, remote admin over HTTPS, an SSL VPN. All
these will be discovered instantly, and anybody who knows the protocol
can run a dictionary attack against it.

The only way I can think of blocking that is to have a system
whereby you send e.g. an SMS to the server to tell it you are about to
login. The mobile # would be unpublished obviously, and not even
registered (SIM bought off Ebay etc). But SMS often fails to get
through...
>
>We always had three levels of access to our remotely hosted kit.
>
>If it was up and running ssh or telnet.
>
>If it had crashed, we had a terminal server we logged into, that had
>serial console access. If the internet was down, that had an auto answer
>modem on a particular phone number.
>
>After that we used to have to go down to physically reboot kit
>occasionally, till we found a device that you could phone up and cause
>power relays to work... after that we never went onto the machines at
>all, until they needed extra hardware etc.


I've got that. Over GSM. Costs about £150.

>IME hacked sites and hacked machines are simply because too many people
>who know little or nothing are running them. I've seen people scanning
>my websites looking for 'site builder' programs that they hope are there,
>that are terrifyingly vulnerable.
>
>Someone I knew didn't change his password even after being hacked the
>third time?
>
>He fell out with someone. They were seen parked across the street for
>hours by the landlady... 'what was the point of that?' he asked 'using
>your wifi, you haven't changed the password have you?').
>
>
>Wifi, especially PUBLIC wifi is so glaringly terrifyingly insecure that
>I am surprised anyone uses it.


It should be OK over a VPN though.

>Years ago we had a system whereby if you entered your name and password
>into the firewall, your IP address would be allowed past for the
>duration... to whatever level your name was allowed by preset rules.
>
>I suppose that's sort of what a VPN is in its effect.


The Draytek 2955 does one-time passwords, which seem (I've not tried
it) to use a fixed 4-digit PIN, plus some shared secret.
The Natural Philosopher
      12-02-2011, 03:31 PM
Peter wrote:
> The Natural Philosopher <(E-Mail Removed)> wrote
>
>> MM. I found that I had rebooted my VPS and I hadn't installed persistent
>> firewall rules, so it had in fact been 'open' on the net for 14 days..
>>
>> NO one got in.
>>
>> There were signs of massive dictionary attacks on the ssh and ftp
>> ports. Some from China, a lot from the UK.
>>
>> No one seems to have found my password. Or my name even.
>>
>> So even basic name/password can defeat most people it seems.

>
> A dictionary attack can do only so much. If you pick 4 or 5 letters
> and a couple of numbers, no dictionary words, no attack is going to
> find it especially if the login takes a second or two to come back.
>
> You HAVE to pick suitable passwords, because no matter what you do,
> somebody will find the login. It doesn't matter whether it is an IPSEC
> VPN, PPTP VPN, L2TP VPN, remote admin over HTTPS, an SSL VPN. All
> these will be discovered instantly, and anybody who knows the protocol
> can run a dictionary attack against it.
>
> The only way I can think of blocking that is to have a system
> whereby you send e.g. an SMS to the server to tell it you are about to
> login. The mobile # would be unpublished obviously, and not even
> registered (SIM bought off Ebay etc). But SMS often fails to get
> through...


Latterly before we sold the box we were selling one time password things
- like the banks use.

Press the button, up comes a 16-digit code for the time period. In it
goes and off you go.



>> We always had three levels of access to our remotely hosted kit.
>>
>> If it was up and running ssh or telnet.
>>
>> If it had crashed, we had a terminal server we logged into, that had
>> serial console access. If the internet was down, that had an auto answer
>> modem on a particular phone number.
>>
>> After that we used to have to go down to physically reboot kit
>> occasionally, till we found a device that you could phone up and cause
>> power relays to work... after that we never went onto the machines at
>> all, until they needed extra hardware etc.

>
> I've got that. Over GSM. Costs about £150.
>
>> IME hacked sites and hacked machines are simply because too many people
>> who know little or nothing are running them. I've seen people scanning
>> my websites looking for 'site builder' programs that they hope are there,
>> that are terrifyingly vulnerable.
>>
>> Someone I knew didn't change his password even after being hacked the
>> third time?
>>
>> He fell out with someone. They were seen parked across the street for
>> hours by the landlady... 'what was the point of that?' he asked 'using
>> your wifi, you haven't changed the password have you?').
>>
>>
>> Wifi, especially PUBLIC wifi is so glaringly terrifyingly insecure that
>> I am surprised anyone uses it.

>
> It should be OK over a VPN though.


It should be over any SSL, but who always uses it? Let's face it, maybe
you are logging into amazon in clear, and the password is 'of a similar
shape' to the one you used for SSL. Now they have a user name, and a
password that you have at least used somewhere else. To attack your SSL
logins with

For example, if you knew my user name you are already HALF WAY across a
dictionary attack..

So lets say my username is 'ingnoramus' and I used a password 'geraniums4u'

What chance I have used that user name elsewhere, and a password rather
like that... roses4us, i.e. two dictionary words with a digit in between.
That's a HUGELY significant fact.

Nope. I don't like public wifi. And I am not much impressed with the wifi
here in the house, despite the fact it's encrypted. Too many mates have
laptops with it encoded in from when they were staying. It stays OFF
until someone wants it ON.

>
>> Years ago we had a system whereby if you entered your name and password
>> into the firewall, your IP address would be allowed past for the
>> duration... to whatever level your name was allowed by preset rules.
>>
>> I suppose that's sort of what a VPN is in its effect.

>
> The Draytek 2955 does one-time passwords, which seem (I've not tried
> it) to use a fixed 4-digit PIN, plus some shared secret.


That's a good system too.

Anything that doesn't reveal a shared secret is pretty secure usually,
especially if it's hashed to buggery.

Really shared secrets are the only secure thing there is..

But that's what a good password is. And the key to good passwords is
that they are something you, and only you, can remember easily. And no one
else can possibly guess.

So ro(Ig$sdq!" is rubbish, because you will never remember it.


But hcy139!sunbeam!cymru - a combination of a car number, the car and
the place... all since passed from living memory except yours... that's a
better bet altogether.

Gordon Henderson
      12-02-2011, 06:46 PM
In article <jbaugh$7c5$(E-Mail Removed)>,
The Natural Philosopher <(E-Mail Removed)> wrote:
>
>But that's what a good password is. And the key to good passwords is
>that they are something you, and only you, can remember easily. And no one
>else can possibly guess.
>
>So ro(Ig$sdq!" is rubbish, because you will never remember it.
>
>But hcy139!sunbeam!cymru - a combination of a car number, the car and
>the place... all since passed from living memory except yours... that's a
>better bet altogether.


http://xkcd.com/936/

Gordon
Peter
      12-02-2011, 07:08 PM

Gordon Henderson <gordon+(E-Mail Removed)> wrote

>In article <jbaugh$7c5$(E-Mail Removed)>,
>The Natural Philosopher <(E-Mail Removed)> wrote:
>>
>>But that's what a good password is. And the key to good passwords is
>>that they are something you, and only you, can remember easily. And no one
>>else can possibly guess.
>>
>>So ro(Ig$sdq!" is rubbish, because you will never remember it.
>>
>>But hcy139!sunbeam!cymru - a combination of a car number, the car and
>>the place... all since passed from living memory except yours... that's a
>>better bet altogether.

>
>http://xkcd.com/936/
>
>Gordon




Ah but can you really test passwords at 1000/sec?

I thought most login screens were far too slow for that.

If you can nick the hash itself then obviously you can run an attack
on it very fast indeed - perhaps microseconds per combination. And
that has been done, and I bet there are tools just for that job.
The Natural Philosopher
      12-03-2011, 03:16 AM
Gordon Henderson wrote:
> In article <jbaugh$7c5$(E-Mail Removed)>,
> The Natural Philosopher <(E-Mail Removed)> wrote:
>> But that's what a good password is. And the key to good passwords is
>> that they are something you, and only you, can remember easily. And no one
>> else can possibly guess.
>>
>> So ro(Ig$sdq!" is rubbish, because you will never remember it.
>>
>> But hcy139!sunbeam!cymru - a combination of a car number, the car and
>> the place... all since passed from living memory except yours... that's a
>> better bet altogether.

>
> http://xkcd.com/936/
>
> Gordon


Car number plates are better than average, especially ones from long ago
that no one is familiar with: words separated by punctuation are good,
especially if the words are unconnected.

The Natural Philosopher
      12-03-2011, 03:20 AM
Peter wrote:
> Gordon Henderson <gordon+(E-Mail Removed)> wrote
>
>> In article <jbaugh$7c5$(E-Mail Removed)>,
>> The Natural Philosopher <(E-Mail Removed)> wrote:
>>> But that's what a good password is. And the key to good passwords is
>>> that they are something you, and only you, can remember easily. And no one
>>> else can possibly guess.
>>>
>>> So ro(Ig$sdq!" is rubbish, because you will never remember it.
>>>
>>> But hcy139!sunbeam!cymru - a combination of a car number, the car and
>>> the place... all since passed from living memory except yours... that's a
>>> better bet altogether.

>> http://xkcd.com/936/
>>
>> Gordon

>
>
>
> Ah but can you really test passwords at 1000/sec?
>


Not with the three second lags on a typical login screen


> I thought most login screens were far too slow for that.
>
> If you can nick the hash itself then obviously you can run an attack
> on it very fast indeed - perhaps microseconds per combination. And
> that has been done, and I bet there are tools just for that job.


Yup. The classic was pimply student with user login grabs /etc/passwd,
world readable, and proceeds to do just that, concentrating on the root
password.

Which is why later *nixes used a password file that wasn't world readable
- /etc/shadow IIRC - and there was some way to query it for a match, but
not to read it as a user.
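An added example, not from any poster in this thread, that puts numbers on Peter's online-versus-offline point and on the /etc/shadow idea above: the 3 s login lag, the 1 microsecond per candidate offline, the 2048-word dictionary and the `$alg$iters$salt$hash` layout are all this example's own assumptions.

```python
"""Online vs offline guessing, and why a shadow-style slow hash matters."""
import hashlib
import hmac
import math
import os

# Constructed assumptions taken from the figures discussed in the thread
ONLINE_SECONDS_PER_GUESS = 3.0    # a login prompt that takes ~3 s to answer
OFFLINE_SECONDS_PER_GUESS = 1e-6  # a stolen fast hash, ~1 microsecond per candidate
SECONDS_PER_YEAR = 365.25 * 86400


def keyspace_letters_digits(n_letters: int, n_digits: int) -> int:
    """Passwords of n lowercase letters and m digits in any order: the
    '4 or 5 letters and a couple of numbers' scheme from the thread."""
    positions = math.comb(n_letters + n_digits, n_digits)
    return positions * 26 ** n_letters * 10 ** n_digits


def keyspace_words(dictionary_size: int, n_words: int) -> int:
    """Passphrases of n words drawn from a dictionary (the xkcd 936 style)."""
    return dictionary_size ** n_words


def seconds_to_exhaust(keyspace: int, seconds_per_guess: float, iterations: int = 1) -> float:
    """Worst-case time to try every candidate; 'iterations' models a stretched
    hash such as PBKDF2, where each offline guess costs that many hashes."""
    return keyspace * seconds_per_guess * iterations


def years(seconds: float) -> float:
    return seconds / SECONDS_PER_YEAR


def make_shadow_entry(password: str, iterations: int = 100_000) -> str:
    """Salted, iterated hash in a shadow-like '$alg$iters$salt$hash' layout
    (this example's own layout, not the real crypt(3) format)."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"$pbkdf2-sha256${iterations}${salt.hex()}${dk.hex()}"


def verify(password: str, entry: str) -> bool:
    """Query the entry for a match without handing out the secret: the
    /etc/shadow idea, where only the verifier can read the stored hash."""
    _, _alg, iters, salt_hex, dk_hex = entry.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    for label, n in (("5 letters + 2 digits", keyspace_letters_digits(5, 2)),
                     ("4 common words", keyspace_words(2048, 4))):
        print(f"{label}: {n:.2e} candidates")
        print(f"  online, 3 s lag:     {years(seconds_to_exhaust(n, ONLINE_SECONDS_PER_GUESS)):.0f} years")
        print(f"  offline, fast hash:  {seconds_to_exhaust(n, OFFLINE_SECONDS_PER_GUESS) / 3600:.1f} hours")
        print(f"  offline, 100k iter:  {years(seconds_to_exhaust(n, OFFLINE_SECONDS_PER_GUESS, 100_000)):.0f} years")
    entry = make_shadow_entry("hcy139!sunbeam!cymru")
    print(verify("hcy139!sunbeam!cymru", entry), verify("roses4us", entry))
```

Under these assumptions the 5-letter/2-digit space that would take over two thousand years against a 3 s login falls in about seven hours once the hash is stolen, and climbs back to decades when the stored hash is iterated 100,000 times.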
