gmane.comp.security.basics

Re: secure and simple file server

2013-03-29T10:44:43

Hi Peter,

If AD cannot be used to implement the necessary security around your folders, then you need a third party folder/files security solution. There are many of them in the market ranging from the low ends to high solutions like Imperva FAM. Use google to do some research on it.

Good luck!,

Ugo
Sent from my BlackBerry wireless device from MTN

-----Original Message-----
From: Peter Odigie <peterquid< at >gmail.com>
Sender: listbounce< at >securityfocus.com
Date: Wed, 27 Mar 2013 20:27:44 
To: <security-basics< at >securityfocus.com>
Subject: secure and simple file server

Hi All!

I will like to get your suggestions.

I have been asked to set up a file server on a windows OS not using
any active directory stuff. Just a simple file sharing stuff in which:

Person A will be the only one to put a file into Folder A but will
also be able to get files from Folder B & C. And the same will hold
for person B and person C - a folder can only be edited by a
particular person/group but all can access

Re: secure and simple file server

Ansgar Wiechers — 2013-03-29T09:57:12

File system permissions:
------------------------
Grant read access on the parent folder to "Authenticated Users" or
"Everyone", and have the subfolders inherit that ACL. Grant full control
on each immediate child folder to just the user who is supposed to be
able to write to it.

Share permissions:
------------------
Share the parent folder and grant full control to "Authenticated Users"
or "Everyone". Actual access is controled by file system permissions
anyway, so this setting only has marginal impact on security.

The above can be achieved with both Windows or Samba. On Windows I'd
suggest to also enable access-based enumeration, so that a user will
only see files/folders he can actually access.

Note that without an AD you'll need to create all users on the file
server.

Regards
Ansgar Wiechers

secure and simple file server

Peter Odigie — 2013-03-27T19:27:44

Hi All!

I will like to get your suggestions.

I have been asked to set up a file server on a windows OS not using
any active directory stuff. Just a simple file sharing stuff in which:

Person A will be the only one to put a file into Folder A but will
also be able to get files from Folder B & C. And the same will hold
for person B and person C - a folder can only be edited by a
particular person/group but all can access and get files from it.

My question is how will one implement this securely, making sure
person B cannot edit files in folder A for example.

I am open to commercial, opensource & windows-native implementations.

Thanks!

Peter

------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate.  We look at how SSL works, how it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase

Re: Running AV via SSH? (Was: Re: Bad Antivirus)

Jeffrey Walton — 2013-02-18T22:06:56

+2

Jeff

------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate.  We look at how SSL works, how it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------

Re: Running AV via SSH? (Was: Re: Bad Antivirus)

Michael Peppard — 2013-02-18T20:59:39

On 02/16/2013 06:59 PM, Tracy Reed wrote:
Someone is going to fix the problem, regardless. It's your departments 
job to fix computer problems.

They (help support staff) do a root cause analysis. It could be an 
enduser installed software your firewall or sniffer is reacting to. It 
could be settings that over a phone call could be interpreted as a 
virus. It could be a problem with a software update. It could be many 
things hardware and software related. The least statistically probable 
is a virus that wasn't detected. Least probable and most probable don't 
matter to a root cause analysis, except the order you check the causal 
tree branches.

If it's a virus or rootkit based on observed behaviour or changes to the 
computer or a pattern of problems that indicate spreading on the network 
etc etc then you run a backup of the profile from the bootable CD you've 
been using and reinstall from a network image. After getting a sample of 
the virus for one of the antivirus companies you deal with. You shoul

Re: Running AV via SSH? (Was: Re: Bad Antivirus)

Tracy Reed — 2013-02-16T23:59:27

On Thu, Feb 14, 2013 at 06:26:29AM PST, Michael Peppard spake thusly:

So if the antivirus does not detect anything, what is your next step?


I would say the machine has to be reinstalled. And I always recommend reinstall
regardless of whether the AV says it has "cleaned" the machine.


What's more important? The end-users kittens or the security of the enterprise?
If your execs don't understand and support you on this you are sunk anyway.

Re: Running AV via SSH? (Was: Re: Bad Antivirus)

Michael Peppard — 2013-02-14T14:26:29

The scan is a stopgap for killing the functionality of the virus and to 
get information on the virus, it's not the first or last line of 
defence. It's usually enough to allow you to get on the infected machine 
with enough information to tackle the next steps.

If the virus makes it past the antivirus, the antivirus has to be 
reinstalled at a minimum. If the virus is unknown or has a rootkit which 
all your antivirus/rootkit tools are incapable of getting rid of then 
the machine has to be rebuilt off a clone for that type of desktop or 
server. I have occasionally had to send in a new type of virus to the 
antivirus maker when changes are made to the OS, something is obviously 
spitting out connection attempts, or functionality has been compromised 
and the antivirus doesn't work. Not very often, but it has happened a 
few times.

Why bother trying to save the machine? Because endusers get fussy when 
they can't get kitten emails from their friends all day.

As far as a virus being unknown to the western

Re: Running AV via SSH? (Was: Re: Bad Antivirus)

Tracy Reed — 2013-02-13T16:31:01

On Mon, Feb 11, 2013 at 12:08:23PM PST, Michael Peppard spake thusly:

Just out of curiosity: How do you verify the virus is dead?

Re: Running AV via SSH? (Was: Re: Bad Antivirus)

Michael Peppard — 2013-02-11T20:08:23

Oh, I only use it when it makes it through the firewall anti-virus and 
kills the local anti-virus. It's not my first line of defence, or last 
line for that matter.

I do have DVDs, lots of disks to clone/restore, backup user data, check 
for viruses, scrub drives, check disk, motherboard, cpu and memory, 
reinstall operating systems, but only a few anti-virus programs that 
have subscriptions. If the anti-virus doesn't work locally, remote 
access has so far worked every time. I expect that to change one day, 
but for now it's pretty convenient and the network doesn't even notice. 
I scan all the network drives nightly and use roaming profiles that are 
scanned too. If you are familiar with roaming profiles, if they don't 
kill the network, running an antivirus remotely a few times a year isn't 
going to.

You don't have to do it if you don't want to. It works for me and I do 
verify the virus is dead.

-Mike

On 02/09/2013 05:07 PM, Terrence O'Connor wrote:

-----------------------------------------------

Re: Running AV via SSH? (Was: Re: Bad Antivirus)

Terrence O'Connor — 2013-02-09T22:07:34

Yikes super inefficient.  You are basically streaming all the files back to the scanner (duplicating all data)!  Don't do it!

On Feb 8, 2013, at 7:41 PM, Alois Mahdal <alois.mahdal.1-ndmail< at >zxcvb.cz> wrote:


------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate.  We look at how SSL works, how it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------

Re: Running AV via SSH? (Was: Re: Bad Antivirus)

Alois Mahdal — 2013-02-09T00:41:43

On Mon, 04 Feb 2013 09:13:37 -0500
Michael Peppard <mpeppard< at >impole.com> wrote:


I actually thought that you mean logging in to the box via ssh, and
then running an AV *there* under sshd, just like you would run anything
else.  In case of normal Joe's workstation, that would of course hardly
help with more than the distance you need to walk.

Now I see that what you suggest is just sharing the files via network
(e.g. SSH/SFTP) and scanning them remotely.  But as others have pointed
out, if that was to work, you would probably need to share like "root
access to /", which seems like a very crazy idea.

What I'd suggest is:

*   if you can access the machine physically

    1.   grab a couple of bootable AV CDs from different vendors

    2.   with each of them, reboot and scan and research

    3.   decide what to do.

*   otherwise restoring from backup is probably the only option

    In many cases this might be safer or even easier solution
    (congrats if you *do* have easily restorable backups), but you

Re: Question about passwd file (Linux)

Nikhil Wagholikar — 2013-02-08T15:55:05

Please read about PWCONV and PWUNCONV commands in Linux.

On 8 February 2013 17:54, Arpita Gavshinde <AGavshinde< at >securview.com> wrote:

------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate.  We look at how SSL works, how it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------

RE: Question about passwd file (Linux)

Erik Soosalu — 2013-02-08T14:23:36

man 5 passwd will give you your answers if you have your man pages
installed.

-----Original Message-----
From: listbounce< at >securityfocus.com [mailto:listbounce< at >securityfocus.com]
On Behalf Of Arpita Gavshinde
Sent: Friday, February 08, 2013 7:24 AM
To: security-basics< at >securityfocus.com
Cc: Amol Sable
Subject: Question about passwd file (Linux)

security-basics< at >securityfocus.comHi all,

I have a question about passwd file in Linux where when 'x' for a
particular user is deleted from /etc/passwd file, system doesnot ask for
password to log into the system. But when pasword is set again for that
user again, then instead of showing 'x' in /etc/passwd file, MD5 hash of
new password is shown. Why is it so ?

Thanks in advance

Confidentiality: This e-mail and any attachments may be confidential and
may also be privileged. If you are not an intended named recipient,
please notify the sender immediately and do not disclose the contents to
another person use it for any purpose, or store or copy the information
in a

Re: Question about passwd file (Linux)

Gustavo Castro — 2013-02-08T14:20:46

Arpita:

  That depends on the system's configuration. Usually, the encrypted
password ends on the /etc/shadow file, not on the /etc/passwd, but you
can decide where it will be stored, and change the configuration and
password storage method using pwconv and pwunconv. Check those
command's manual to learn more about the process.

Cheers,
  Gustavo

2013/2/8 Arpita Gavshinde <AGavshinde< at >securview.com>:

Re: Question about passwd file (Linux)

Matthew Caron — 2013-02-08T14:22:53


On 02/08/2013 07:24 AM, Arpita Gavshinde wrote:

Right, because it's now an empty password.


Right, because you've set a password.


Why wouldn't it be so? I guess I don't understand what you're asking or 
what you want to have happen.

Re: Question about passwd file (Linux)

Mavrofidis Manolis — 2013-02-08T14:18:01

Στις 8/2/2013 2:24 μμ, ο/η Arpita Gavshinde έγραψε:
X indicates that there is a passowrd set which can be found in the
/etc/shadow file. In general, passwords are stored in the etc/shadow
file and usually they are stored using crypt(). You can check the manual
and the parameter it takes to figure out if it is md5 hash or sha1 or
whatever.


Mavrofidis Manolis


------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate.  We look at how SSL works, how it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1

Question about passwd file (Linux)

Arpita Gavshinde — 2013-02-08T12:24:03

security-basics< at >securityfocus.comHi all,

I have a question about passwd file in Linux where when 'x' for a particular user is deleted from /etc/passwd file, system doesnot ask for password to log into the system. But when pasword is set again for that user again, then instead of showing 'x' in /etc/passwd file, MD5 hash of new password is shown. Why is it so ?


Thanks in advance

Confidentiality: This e-mail and any attachments may be confidential and may also be privileged. If you are not an intended named recipient, please notify the sender immediately and do not disclose the contents to another person use it for any purpose, or store or copy the information in any medium.

------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate.  We look at how SSL works, how it benefits your company and how your customers can tell if a site is secure. You wil

Re: Linux Web Server Hardening (LAMP + Wiki)

Adam Pal — 2013-02-05T08:24:28

I can agree with only one sentence within your statement: 
"Security is an attitude."
So why are you trying then so hard to link the security-topic to an operating system?
It does not depend on the system, more on the knowledge of the person operating it. Period.

We are both OOT since the original poster asked clearly for hardening linux web server, not what the "better" underlying system might be.

best regards,
Adam Pal

-------- Original-Nachricht --------


------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate.  We look at how SSL works, how it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are highlighted to help you ensure efficient ongoing management of your encr

Re: Linux Web Server Hardening (LAMP + Wiki)

Eric Furman — 2013-02-05T00:13:25

My point was that Microsoft has fixed the security issues with their
windows system while X has refused to even acknowledge there
is a problem. It was to back up my point about how even Microsoft
has taken security more seriously than Linux.
And yes, my initial email was a troll, but it did not change the fact
that
it is true. Security is an attitude. It is not something added after the
fact.
And the prevalent attitude toward security in the vast majority of the
Linux
community is indifference at best and open hostility at worst.
(top posting just to annoy Mr. Wiechers)

On Sat, Feb 2, 2013, at 05:46 AM, Ansgar Wiechers wrote:

------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate.  We look at how SSL works, how it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, install and use a

Re: Linux Web Server Hardening (LAMP + Wiki)

Jeffrey Walton — 2013-02-04T20:53:57

Hi Steve,

Well, I'm not an X expert (or Linux hardening for that matter), but
this would surprise me if its because "X is insecure" (for some
reasonable definition of secure). I would expect X to be its own
island of security.

I like point and click because I don't like man pages :) They seem to
have become mutually exclusive.

Jeff

On Sat, Feb 2, 2013 at 8:25 PM, Steve Elkins <stevee< at >epits.com.au> wrote:

------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate.  We look at how SSL works, how it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.

http://www.dinc

Re: Running AV via SSH? (Was: Re: Bad Antivirus)

!s3grim — 2013-02-04T17:38:59

Thus having said you've made an assumption about the sshd and the kernel as well: Neither of of them will be corrupted by an virus. Can you nowadays be sure about that? If you ask me, there's no difference between scanning for files local (online) and scanning remotely, but the time and bandwidth consumption and the amount you want to spend for some licenses. 

Keep in mind, if your files got infected there's nothing you can trust on that system. Set it up from the scratch or from known 'good' backups, having the latter quite difficult to be determined. 




Am 04.02.2013 um 15:13 schrieb Michael Peppard <mpeppard< at >impole.com>:


------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate.  We look at how SSL works, how it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, install and use