Henry Bremridge wrote:
> I am trying to increase web-security at a company (I am a director). As
> a non-techy does anyone know of a Debian program that I can point at an
> IP address and check the password / security? (Following on from which I
> can jump, rant and scream and get them to improve their computer
> security)

When I worked for me (well, Eighth Layer Limited) we did basic external audits, although we never sold too many. I may have some notes on what I did as part of an audit if you care to see them. There was also a very good "open" guide to what a security audit should include for a network. I don't have a URL to hand, but it will be in my documentation I think.

The audit we did primarily concentrated on the very obvious issues, including stuff like: are the domains registered to the correct owner, and is the data current (whois); is the DNS correctly configured (dig + friends); are the DNS servers running a current version of the relevant DNS software; are they on separate logical and physical networks (dig, whois and nmap); do the required RFC2142 email addresses exist, and get answered (mailx checks on webmaster@, security@ etc.)? What webserver is being used? Is it recent/fully patched (wget/curl)? Similar for SMTP.

Of course this is the worst way to do an audit; it is far easier and better to do it from the inside. If your network is secure against unauthorised insiders, it is going to be secure against unauthorised outsiders, no matter how big the holes in the perimeter security. Better also to do audits with the current system administrators' assistance than to try and second-guess what is happening. Penetration testing is, I generally feel, a "last level" of check; the first checks should make sure that you are presenting the minimum target necessary by ensuring things like patching, firewalling, administration and backups are being properly resourced. Good backup and recovery plans can make up for almost any other oversight.
In our case most of the network scanning was done with "nmap" (Debian package available). This just enumerates ports (actually it can do a lot more, but enumerating ports and fingerprinting servers is a first step in an audit). If you want basic security checks against the site, Debian Sarge has "nessus" prepackaged, but I didn't even go this deep in the basic audits we did.

Like Neil, I've no idea how to relate this to the "l0phtcrack" article. If you are exposing NT authentication to the web then you probably have other issues, but it will show up as open ports 137-139 on the nmap scan. Without proper firewalling Windows can be very chatty, sending all sorts of inappropriate authentication details around, but almost every firewall in existence kills ports 137 to 139 dead as a default. Pretty much you can assume that if these ports are exposed, and it isn't deliberate, then there is work to be done. Note that by default "nmap" only scans a small selection of well-known ports.

There is also the issue that running nmap/nessus may be against your ISP's T&C, and whilst it is unlikely your admins would turn you in, it does pay to let relevant people know in advance, as having to change ISP just because you tried to check your own security is a tad embarrassing and inconvenient. And with a simple typo, or getting the subnet mask wrong, on an nmap command line, you can be scanning goodness knows who. Demon Internet were very understanding on this last point, and once issued me with an "explain what you are doing, or have service removed in 30 minutes" email. I phoned the abuse team, explained it was authorised, and put them in contact with the relevant director, but that could easily have got out of hand.

--
The Mailing List for the Devon & Cornwall LUG
Mail majordomo@xxxxxxxxxxxxx with "unsubscribe list" in the message body to unsubscribe.
FAQ: www.dcglug.org.uk/linux_adm/list-faq.html
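Two of the practical points in the post above, the risk of a mistyped subnet mask scanning someone else's network and the need to look for ports 137-139 (and 445) in the nmap results, lend themselves to a small amount of glue around nmap. The script below is an added example, not code from the original post or the Eighth Layer audits: it refuses any target outside an authorised scope before a scan is launched, then parses nmap's grepable (-oG) output to flag hosts exposing NetBIOS/SMB and to report whether the sweep covered all TCP ports or only nmap's default list. The address ranges in AUTHORISED_SCOPE and the nmap output in SAMPLE_NMAP_OG are constructed for the example (RFC 5737 documentation space); the grepable format itself is nmap's own.

```python
"""Two guard-rails around the external nmap sweep the post describes.

Added example, not from the original post: the nmap output below is
constructed, and the address ranges are RFC 5737 documentation space.

1. Refuse to scan anything outside an authorised scope, so a mistyped
   prefix length cannot turn the sweep into a scan of someone else's
   network.
2. Read nmap grepable output (-oG) and flag hosts exposing the NetBIOS/SMB
   ports to the outside, and report whether the scan covered all TCP ports
   or only nmap's default selection.
"""
import ipaddress
import re

# The ranges the company actually owns (constructed for the example).
AUTHORISED_SCOPE = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("198.51.100.0/26"),
]

# 137-139 are NetBIOS; 445 is direct SMB on Windows 2000 and later.
NETBIOS_PORTS = {137, 138, 139, 445}

# Constructed nmap -oG output: two hosts, one with SMB exposed.
SAMPLE_NMAP_OG = """\
# Nmap 4.20 scan initiated Tue Mar 13 10:02:11 2007 as: nmap -sV -oG - 192.0.2.0/24
Host: 192.0.2.10 (www.example.test)\tStatus: Up
Host: 192.0.2.10 (www.example.test)\tPorts: 22/open/tcp//ssh//OpenSSH 4.3/, 80/open/tcp//http//Apache httpd 2.2.3/, 139/closed/tcp//netbios-ssn///\tIgnored State: filtered (997)
Host: 192.0.2.25 (fs01.example.test)\tStatus: Up
Host: 192.0.2.25 (fs01.example.test)\tPorts: 135/open/tcp//msrpc///, 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///\tIgnored State: filtered (997)
# Nmap done at Tue Mar 13 10:05:40 2007 -- 256 IP addresses (2 hosts up) scanned
"""

PORTS_LINE = re.compile(
    r"^Host:\s+(\S+)\s+\((.*?)\)\s+Ports:\s+(.*?)"
    r"(?:\s+Ignored State:\s+\S+\s+\((\d+)\))?$"
)


def check_scope(target, scope=AUTHORISED_SCOPE):
    """True only if every address in `target` (an address or CIDR prefix)
    lies inside one of the authorised networks. Run this before nmap."""
    net = ipaddress.ip_network(target, strict=False)
    return any(net.version == allowed.version and net.subnet_of(allowed)
               for allowed in scope)


def parse_grepable(text):
    """Map each host address in nmap -oG output to its port entries and the
    total number of ports nmap examined (listed + 'Ignored State' count)."""
    hosts = {}
    for line in text.splitlines():
        m = PORTS_LINE.match(line)
        if not m:
            continue
        addr, _name, ports_field, ignored = m.groups()
        entries = []
        for item in ports_field.split(","):
            # Each entry is port/state/protocol/owner/service/rpc-info/version/
            fields = item.strip().split("/")
            if len(fields) < 7:
                continue
            entries.append({"port": int(fields[0]), "state": fields[1],
                            "proto": fields[2], "service": fields[4],
                            "version": fields[6]})
        scanned = len(entries) + int(ignored) if ignored is not None else None
        hosts[addr] = {"ports": entries, "scanned": scanned}
    return hosts


def netbios_exposed(hosts):
    """{addr: sorted open NetBIOS/SMB ports} for every host exposing any.
    UDP probes report 'open|filtered', so match on the 'open' prefix."""
    findings = {}
    for addr, info in hosts.items():
        exposed = sorted(e["port"] for e in info["ports"]
                         if e["port"] in NETBIOS_PORTS
                         and e["state"].startswith("open"))
        if exposed:
            findings[addr] = exposed
    return findings


def full_port_scan(hosts):
    """True only if nmap examined all 65535 TCP ports on every host; a
    default scan covers a far smaller list of well-known ports."""
    counts = [h["scanned"] for h in hosts.values() if h["scanned"] is not None]
    return bool(counts) and all(c >= 65535 for c in counts)


if __name__ == "__main__":
    for target in ("192.0.2.0/24", "192.0.2.0/16"):
        verdict = "in scope" if check_scope(target) else "REFUSED, out of scope"
        print(f"{target}: {verdict}")
    hosts = parse_grepable(SAMPLE_NMAP_OG)
    for addr, ports in netbios_exposed(hosts).items():
        print(f"{addr}: NetBIOS/SMB exposed on {ports}")
    if not full_port_scan(hosts):
        print("default port list only; rerun with -p- before trusting the result")
```

The scope check is deliberately strict: "192.0.2.0/16" (one wrong digit away from the intended /24) is normalised to 192.0.0.0/16 and rejected, which is exactly the slip the post warns about. The port count recovered from the "Ignored State" field tells you whether the scan was nmap's default selection or a full `-p-` sweep, so a clean result is not mistaken for a complete one.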