  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 401

Security practices and software: Server 2003/Linux

Hello,


I'm the network admin for the company I work for. Let me give a run down of our system.

Network:

We're on a full T1 connection that flows into a SonicWall TZ-170.
From there it's piped into a Linksys 24-port switch and then to all the clients/servers.


1. SBS 2003 Standard Edition. Serving as the domain controller and running our SharePoint website.
Currently running AVG Network Edition.
I'd like some software that will log all access attempts, or possible hacking.
I know that event manager keeps a log, but I'm looking for something third-party with some sort of tracing feature.

2. Our next server is a Server 2003 Standard Edition. This is running our proprietary rental system from Texada Software.
Just need solid logging software.

3. Linux web server:
ANY IDEAS at all would be great. I'm not proficient with Linux; I do know how to install the OS and get Apache serving pages, but beyond that I could use some real help. This box will strictly have forwarded traffic from our off-site hosted website. Basically people will go to our company website and then, when they are ready to rent something, they would be forwarded to our Linux server, which would pull the data from the Texada Software running on our MS Server 2003 Standard server. I have opted to use a Linux server for the website because I know it's superior for security reasons. I would have just used one of the other 2 servers, but I would like to keep the website and our company data away from each other.


Any ideas or recommendations would be great. Also a Linux distro recommendation would also be nice.
Also, if anyone knows of a way to allow our BlackBerrys to see our SharePoint site while out of the office via the internet, that would be GREAT.



Asked by: kinetik20

1 Solution

Ron MalmsteadInformation Services ManagerCommented:
For logging...I would suggest "WhatsUp Gold" Enterprise edition.....has a syslog feature, and works with SNMP.  This will log intrusion attempts on your routers, but you will still have to comb through the logs...or set notification rules for specific logged events (example: router A - remote host x.x.x.x failed port 25 static inside 152.x.x.x).

What's up gold.... Monitors for equipment going on and offline and has alerting features.

Your focus seems to be, "catching the bad guy", whereas you should focus on securing your system using "best practices".  One of these best practices would be a strong password policy.  Another important one is object/access auditing.  Finally, I would implement a WSUS server, to be sure all of your clients are up-to-date on security updates.  

Most hackers use methods that aren't really traceable.  For instance, if I were to attempt a hack....I would utilize a machine or network that has already been compromised.

PS:  The event viewer > security can have a lot of useful information if you configure "auditing" correctly.  I would suggest turning on object/access auditing in domain controller group policy > local security.....and set up auditing on your sensitive data areas....   e.g. (wwwroot, file share, >>>>cmd.exe <<<<)....for authenticated users, and anonymous..... Set up your event viewer > security....to overwrite 7 days if full.  Keeps hackers from burying their tracks.

For free security tools, and forensics tools > www.foundstone.com


PS: PS: ...BlackBerrys aren't very web friendly.....I would suggest a Pocket PC phone...such as the Cingular 8125.  Also the email on the Cingular network uses realtime synchronization with Exchange Server.
0
 
kinetik20Author Commented:
I found some open source software to make viewing a SharePoint site via a BlackBerry better; it's called berrypoint. Anyone ever heard of it? Also I'm still trying to find a good novice-friendly Linux distribution.
0
 
kinetik20Author Commented:
I checked out WhatsUp Gold, but it's a bit too expensive for our application. Looking in the sub-$500 area.
0
 
Rich RumbleSecurity SamuraiCommented:
What about free? Snort is an open source IDS that is used the world over by many Fortune 500 companies and millions of others. Snort works on win32 as well as Linux. All you need to do is port-mirror or "span a port" to a NIC in the IDS server. Port-mirroring basically CCs every packet in/out of one switch port to another. So if you could span (mirror) the outside interface of your firewall to the IDS box, you'll see lots of nifty and scary things. If you're interested only in what makes it through the firewall, mirror the inside interface to the IDS. That way you don't trouble yourself with "what-ifs" when looking at the outside. You can do both as well: you can see what is being attempted from the internet in, and what actually makes it through the firewall, perhaps FTP username/password brute-forcing...

http://www.snort.org/
If you're using Cisco switches, the mirroring command is called span, well on Catalyst switches anyway; for other Cisco switches read this:
http://www.cisco.com/warp/public/473/41.html
set span src_port dst_port   (set span 3/1 3/48  [port 3/1 is the inside firewall interface, and port 3/48 is the nic connection to the snort pc's second nic])

You'll want 2 NICs in the Snort box: one with an IP so you can access the BASE interface, see the alerts and stats and make changes to the Snort box, and a second to be the listening "sniffing" port; no IP is necessary, as it only listens.

BASE and ACID are OK interfaces for Snort; there are better ones, but typically not free. Snort does have false positives and signatures that you may never be interested in using, so it does take some upkeep and configuration initially; after that you're pretty much good to go.
This is one of the easiest guides to follow for snort setup on linux http://www.snort.org/docs/setup_guides/snort_base_SSL.pdf
http://www.snort.org/docs/snort-win2k.htm#4
http://www.snort.org/docs/
-rich
0
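As an added example (not part of the thread, and not Snort's own code), a small Python parser for Snort's "fast" alert output that groups alerts by signature, which helps with the tuning Rich mentions, and flags a source repeatedly tripping alerts against the FTP port, the brute-forcing case he describes. The sample alert lines, signature IDs and TEST-NET addresses are constructed for the example.

```python
import re
from collections import Counter

# Matches one line of Snort "alert_fast" output: timestamp, [gid:sid:rev], message,
# optional classification, priority, protocol, and src -> dst with optional ports.
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.+?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<pri>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)
# Constructed sample alerts (TEST-NET addresses, made-up SIDs); not from a real sensor.
SAMPLE_ALERTS = """\
08/10-14:32:11.101010  [**] [1:9000001:1] SAMPLE FTP login failed [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.7:51234 -> 192.0.2.10:21
08/10-14:32:12.202020  [**] [1:9000001:1] SAMPLE FTP login failed [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.7:51235 -> 192.0.2.10:21
08/10-14:32:13.303030  [**] [1:9000001:1] SAMPLE FTP login failed [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.7:51236 -> 192.0.2.10:21
08/10-14:32:14.404040  [**] [1:9000001:1] SAMPLE FTP login failed [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.7:51237 -> 192.0.2.10:21
08/10-14:40:00.505050  [**] [1:9000001:1] SAMPLE FTP login failed [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.9:40001 -> 192.0.2.10:21
08/10-14:41:30.606060  [**] [1:9000002:2] SAMPLE web server probe [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 203.0.113.9:40002 -> 192.0.2.10:80
08/10-14:42:00.707070  [**] [1:9000003:1] SAMPLE ICMP ping sweep [**] [Priority: 3] {ICMP} 203.0.113.9 -> 192.0.2.10
this line is not an alert and is skipped by the parser
"""

def parse_alerts(text):
    """Parse fast-format alert lines into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = ALERT_RE.match(line.strip())
        if m:
            e = m.groupdict()
            e["pri"] = int(e["pri"])
            events.append(e)
    return events

def summarize_by_signature(events):
    """Count alerts per (sid, message) so noisy signatures stand out for tuning."""
    return Counter((e["sid"], e["msg"]) for e in events)

def repeated_sources(events, dport="21", threshold=3):
    """Sources that tripped alerts against one destination port >= threshold times: {src: count}."""
    counts = Counter(e["src"] for e in events if e["dport"] == dport)
    return {src: n for src, n in counts.items() if n >= threshold}

if __name__ == "__main__":
    evs = parse_alerts(SAMPLE_ALERTS)
    for (sid, msg), n in summarize_by_signature(evs).most_common():
        print(f"sid {sid}: {n}x {msg}")
    for src, n in repeated_sources(evs).items():
        print(f"{src}: {n} FTP alerts, worth a look")
```

Point it at a real `alert` file by replacing SAMPLE_ALERTS with the file's contents; the threshold and port are arguments so the same check works for other services.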
 
kinetik20Author Commented:
What if I'm not running a managed switch? Can I still use Snort?
0
 
Rich RumbleSecurity SamuraiCommented:
I'm not sure... what switch maker is it? Likely not... hubs can be used, if the traffic to/from the internet is small and can operate in half-duplex; like a 100/HD link or a 10/HD link that functions fine, then a hub will work.
-rich
0
 
kinetik20Author Commented:
I have a 24-port Linksys switch.
0
 
Rich RumbleSecurity SamuraiCommented:
I don't see how the unmanaged switches for Linksys could in a brief search. Cisco has quite a few good managed ones that are moderately priced, as well as Linksys.
http://froogle.google.com/froogle?q=cisco+%2224+port%22+switch&btnG=Search+Froogle
-rich
0
 
kinetik20Author Commented:
I just picked up a managed Netgear switch from a local computer shop here in town, thanks for the help. Do you have any recommendations as to a good Linux distro to use for a web server?

Thanks,

-Chris
0
 
Rich RumbleSecurity SamuraiCommented:
RedHat Fedora Core 5 works fine, it's very user friendly compared to the previous RH FedoraCore versions. Good for "newbies" as they say.
To keep the system up2date I recommend "yum". Run through the install, choose Apache and MySQL during the setup; you can allow "selinux" security enhancements, which are turned on by default.
As root:
yum update
You'll get a list of updates to apply; press y and enter. Then begin installing Snort. yum -y install will automatically install the updates, no need to press "y".
The install doc I linked before is very step by step, and on linux the default PDF reader will allow you to copy and paste out of the PDF to the command line. There will be newer versions of the packages listed in the doc that you should probably get rather than the older ones it lists.

The win32 version is also very easy to install. I've not used Netgear, so you'll need to look up the command for the port mirroring or port spanning command.
-rich
0
 
kinetik20Author Commented:
Thanks!
0
 
Rich RumbleSecurity SamuraiCommented:
NP, yum -y update (I said install above) will install the updates automatically. "yum install package_name" works well too:
yum install mysql
yum install apache
Things like that. But the setup cd's will get you squared away with those two packages.
-rich
0
