Re: [K12OSN] News Server

Henning Petersen Wangerin wrote:

Standard security policy is to disable non-essential services, particularly when they are difficult or convoluted to protect. News: just like NFS is difficult to protect - so you firewall it in - end of story.

Yeah, but if, as you say yourself, your firewall blocks port 119 (in and out), your server is still not able to get anything - at least not more than the user himself is able to get from the net.

A workaround for this is to run your news server on a machine you can control. Allow *this* machine access to the 'Net with NNTP and then:

DENY your terminal servers NNTP access to the 'Net
ALLOW your terminal servers NNTP access to your News Server.
DENY all other NNTP (port 119)

This will give you what you need, provided the users cannot hack the server to get other groups.

Even with these services protected - you still have client software running, with exceedingly hazardous (to your career) material on the other side of your firewall. How will you guarantee the firewall remains secure? How will you check if kids are attempting to get through it? Do you watch the firewall logs for attempts at port 119? You must be able to detect a covert team of hax0rs on your network, because sooner-or-later there will be one.

Sure, but do you consider a PHP script running as a BBS-style web service more secure than e.g. INN?

I can't tell which one is the most secure, and I doubt there are many that will guarantee you anything like that.

There is a difference:

If users can hack your PHP script then they can break your web server. Most PHP groupware-type applications are well tested, but if users *do* crack it, they still don't have access to hazardous material.

If they successfully hack your News server - they only need to import one group... no question about it - and your name goes in the paper.. 8-/

It's my plan to combine it in my company, using a news server to maintain archives of a number of mailing lists. But those who don't want news access, or prefer a BBS-style access, access the news server via a web page.

Fine, but at a school you had better have it correct - the first time.. or there will be headlines in the papers and it will have your name on it.

I totally agree, but I don't see how a general solution such as a BBS board versus a news server makes any difference to your security.

As per the example above. If they break your PHP, your website will go weird, or worst case, go down. If they break your INN server, the entire school network is flooded with high quality porn in 10 minutes flat. This will be international news (if you will excuse the pun), I assure you.

Web services are a necessary evil, but we have a good tool for protecting that.

Yeah, more or (I'd say) less.

Less, definitely. News-savvy kids *know* the names of the lists to download from.. For the exercise, my wife and I spent an hour (at home) digging the web for access to xxx material. We found there were plenty of images that were not appropriate because of the context in which they were portrayed. However, we found near zero material that was high quality porn - everything required a credit card number, or else it was 80x120 pixels in 8 bits or less..

And then we duplicated our test on the newsgroups.. 5 minutes later we had 200+ images ready to download... and rapidly terminated that test... and permanently blocked NNTP in and out.

If you want it, there is no problem getting it, I'm sure - and the kids wanting it surely know where to get it - despite your filters.

At school, that is *our* problem. I would like to safely let Usenet in, but I haven't found a solution.

But as long as you don't let the big Usenet come in, I really don't see the problem in the porn on Usenet. The kids will not have better or worse access to that whether or not you run a _local_ non-peering news server.

For sure. If your NNTP server will not allow a client to subscribe, or create a new newsgroup, and the peering side of it is shut down completely, and the config files are secure, AND the firewall blocks port 119 in/out, AND you have a script running to monitor it, you are safe.

Maintain your awareness though - you have naked flame on one side, and gasoline on the other. It's a beeeeg risk.. And if someone breaks it.... there's gonna be a hua[1] of a boooom! with parts landing everywhere..

Sorry about the Lecture.. 8-} Call me paranoid... 8-)

kind regards,

[1] "hua of a" = local slang for "a really big" one. hua pronounced "<long>hoo <short>uh"
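As an added illustration (not code from the list thread or from any of its participants), the following Python models the three-rule NNTP policy laid out in the message (deny terminal servers NNTP to the 'Net, allow them NNTP to the local news server, deny all other port 119 traffic, with the news server itself allowed out) and pairs it with the "script running to monitor it" the same message asks for: a scanner over firewall log lines that counts denied port-119 attempts per source. The news-server address, the terminal-server subnet, the local networks and the log lines are all constructed for the example; the log format mimics iptables LOG output but is not taken from any real system.

```python
"""Added example, not from the K12OSN thread: NNTP (port 119) policy model
plus a monitor for denied port-119 attempts in firewall logs.
All addresses, networks and log lines below are constructed."""
import ipaddress
import re
from collections import Counter

NNTP_PORT = 119

# Constructed topology: the locally controlled news server, the subnet the
# terminal servers live in, and the networks counted as "not the 'Net".
NEWS_SERVER = ipaddress.ip_address("10.0.0.5")
TERMINAL_SERVERS = ipaddress.ip_network("10.0.1.0/24")
LOCAL_NETS = [ipaddress.ip_network("10.0.0.0/16")]


def is_local(addr):
    """True when the address belongs to one of the school's own networks."""
    return any(addr in net for net in LOCAL_NETS)


def nntp_policy(src, dst, dport):
    """Evaluate the message's rules in order for one connection attempt.
    Returns 'ALLOW' or 'DENY'. Traffic to other ports is not governed here."""
    if dport != NNTP_PORT:
        return "ALLOW"          # only port 119 is in scope for this policy
    src_ip = ipaddress.ip_address(src)
    dst_ip = ipaddress.ip_address(dst)
    # Rule 1: DENY terminal servers NNTP access to the 'Net.
    if src_ip in TERMINAL_SERVERS and not is_local(dst_ip):
        return "DENY"
    # Rule 2: ALLOW terminal servers NNTP access to the local news server.
    if src_ip in TERMINAL_SERVERS and dst_ip == NEWS_SERVER:
        return "ALLOW"
    # The controlled news server itself is the one machine allowed NNTP out.
    if src_ip == NEWS_SERVER:
        return "ALLOW"
    # Rule 3: DENY all other NNTP.
    return "DENY"


# Matches the SRC=/DST=/DPT= fields of an iptables-style LOG line.
_LOG_RE = re.compile(r"SRC=(\S+)\s+DST=(\S+)\s.*?DPT=(\d+)")


def denied_nntp_attempts(log_lines):
    """Scan firewall log lines and count port-119 attempts the policy denies,
    keyed by source address. This is the 'watch the logs for port 119' check."""
    counts = Counter()
    for line in log_lines:
        m = _LOG_RE.search(line)
        if not m:
            continue
        src, dst, dport = m.group(1), m.group(2), int(m.group(3))
        if dport == NNTP_PORT and nntp_policy(src, dst, dport) == "DENY":
            counts[src] += 1
    return dict(counts)


# Constructed sample log lines (iptables LOG style) for a stand-alone run.
SAMPLE_LOG = [
    "Mar  3 10:12:01 fw kernel: NNTP IN=eth1 OUT=eth0 SRC=10.0.1.22 DST=203.0.113.7 PROTO=TCP SPT=51234 DPT=119 SYN",
    "Mar  3 10:12:03 fw kernel: NNTP IN=eth1 OUT=eth1 SRC=10.0.1.22 DST=10.0.0.5 PROTO=TCP SPT=51235 DPT=119 SYN",
    "Mar  3 10:12:09 fw kernel: NNTP IN=eth1 OUT=eth0 SRC=10.0.1.22 DST=198.51.100.9 PROTO=TCP SPT=51240 DPT=119 SYN",
    "Mar  3 10:13:00 fw kernel: WEB IN=eth1 OUT=eth0 SRC=10.0.2.9 DST=203.0.113.7 PROTO=TCP SPT=40001 DPT=80 SYN",
    "Mar  3 10:14:30 fw kernel: NNTP IN=eth0 OUT=eth1 SRC=192.0.2.44 DST=10.0.0.5 PROTO=TCP SPT=2000 DPT=119 SYN",
]

if __name__ == "__main__":
    for src, n in sorted(denied_nntp_attempts(SAMPLE_LOG).items()):
        print(f"{src}: {n} denied NNTP attempt(s)")
```

Run stand-alone it reports the terminal server that tried to reach outside news hosts twice and the outside host that tried to peer into the local server; the terminal server's connection to the local news server is allowed and not counted. Feeding the function real log lines from a firewall that logs port 119 drops gives the per-source tally the message says you must be watching for.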

