Mailing List Archive


Re: Linux firewall for a Samba || NT file server



Tim Hurman (kano-tlug@example.com) wrote:

> this may sound nuts but.... if you use ncftp, get the *latest* source
> (check regularly) and change it to print a fake version number. if you
> use an early version number, it means that potential intruders/script
> kiddies will try older vulnerabilities and fail. security by obscurity.

There are two schools of thought on this: one that holds with the
above, one that holds with not doing that, on the grounds that 
if they try an exploit that they *know* should work on the version
number stated but it fails, that will only make (at least some of)
them work that much harder to find out why.  The worst thing, of
course, is that the ones who are encouraged to work harder to find out
why are the ones who think they have the talent to beat you.  The
next thing they do is try out every other exploit they know for that
program in any version.  Even if they all fail, the least that happens
is that your system spends more time under attack than it would if you
just showed them the real version and they had no exploits for it.

Look at the issues and make your own call, but I tend to be on the
"don't do that" side of the fence.  If you are running a version 
of <insert software here> that has no known vulnerabilities, you're
better off just showing its version.  If you're running a version with
known vulnerabilities, you have bigger problems :-)

There are places where a bit of security can be an enhancer, but I
generally prefer to practice security through security, rather than
obscurity.  A bit of obscurity can add season to the dish, but it's
not a meal in itself.

A (GPLed) product you might want to take a look at for this
application is Virtual FTPD:

http://startuplinux.com/virtualftpd.html

It allows you to have virtual FTP users who have no actual
userid or password on your system.  This seems like a particularly
good complement to a Samba server, where you may also have users
who do not have an id and password on the underlying *nix system.
This gives you the benefit that if an ID and password should be
compromised, the damage that can be done is much more limited 
because they can't get a shell account.  This closes off all
exploits that require a local shell.

Of course, Virtual FTPD works for users who do have a local
login, too.

Twoftpd is something also maybe worth a look:

http://untroubled.org/twoftpd/

Finally, ditto on the comment to make an anonymous upload directory
write only.  You may find that warez dudes try to exploit it at first
(and periodically), so watch for and delete any bogons that crop up in
the upload directory, but they will give up when they find that files
check in but they don't check out.

Jonathan
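
An added example, not part of the original post: a small audit of the write-only anonymous upload directory recommended above. It goes one step beyond the message by also flagging uploaded files whose own mode would let them be fetched back by name. The function names are hypothetical, and it assumes the anonymous FTP user falls under the directory's group or other permission bits.

```python
import os
import stat


def audit_upload_dir(path):
    """Return a list of findings for an anonymous FTP upload directory."""
    mode = os.stat(path).st_mode
    if not stat.S_ISDIR(mode):
        return [f"{path}: not a directory"]

    findings = []
    # Read permission on a directory is what allows its contents to be listed.
    if mode & (stat.S_IRGRP | stat.S_IROTH):
        findings.append("directory is listable by group/other")
    # Write and search permission are both needed for uploads to work at all.
    if not (mode & stat.S_IWOTH and mode & stat.S_IXOTH):
        findings.append("directory is not writable and searchable by other")

    # A file can still be opened by name if its own mode allows it, even
    # when the directory cannot be listed, so check each uploaded file too.
    for entry in sorted(os.scandir(path), key=lambda e: e.name):
        st = entry.stat(follow_symlinks=False)
        if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_IRGRP | stat.S_IROTH):
            findings.append(f"{entry.name}: file is readable by group/other")
    return findings


def pending_files(path):
    """Names currently sitting in the upload directory, for manual review."""
    return sorted(e.name for e in os.scandir(path))


if __name__ == "__main__":
    import tempfile

    # Constructed sample: a throwaway directory standing in for the real
    # upload directory, with one uploaded file left world-readable.
    with tempfile.TemporaryDirectory() as incoming:
        os.chmod(incoming, 0o733)  # write + search, no read, for group/other
        sample = os.path.join(incoming, "upload.bin")
        open(sample, "w").close()
        os.chmod(sample, 0o644)
        for finding in audit_upload_dir(incoming):
            print("FINDING:", finding)
        print("To review:", pending_files(incoming))
```

Run it as the directory's owner or root, since the directory is deliberately unreadable to everyone else.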

