Pay it forward: Know Your Network
Alan over at Still Secure, After All These Years posted a tip today about using a secure OS on your network, utilizing a host-based firewall, and automating OS patching.
Michael Farnum at An Information Security Place posted a tip today about due diligence (my post today ties into ‘due diligence’ nicely).
The ISC posted a tip today about securing SSHD. They have a number of great suggestions and I’d like to add these:
- Utilize the DenyHosts application to protect SSHD by automatically blacklisting attackers. I wrote instructions about how to configure it earlier this year.
- Use these settings in sshd_config to further secure SSH.
And now for my security tip: Know Your Network
Audit your networks for rogue services. Many times applications will install server-class components, that is, software that listens for and accepts connections from remote machines. With SQL Slammer many of us discovered the hard way that many applications took advantage of MSDE, a free and redistributable version of SQL Server. Any time you have a service listening for remote connections, you have an attack point that can be exploited.
There are several port scanners out there for doing this. Nmap is one of the most popular, and it is free. You can even get a Windows version with a GUI (which I think over-complicates the process).
SuperScan is another handy, free port scanner from Foundstone.
Don’t forget to scan all of your subnets, especially the ones you don’t expect to have anything running on. That’s usually where you get bitten.
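As an added example (not from the original post), here is a small Python script that reads Nmap's grepable output (-oG) and flags every open port that is not in a baseline of expected services, so that a forgotten listener such as the MSDE instances Slammer hit on UDP 1434 stands out. The scan data, the baseline and the nmap command in the comment are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample of nmap "grepable" output (-oG); not a real scan.
# Assumed to have been produced by something like:
#   nmap -sS -sU -p- -oG scan.gnmap 192.168.1.0/24 192.168.7.0/24
SAMPLE_GNMAP = (
    "# Nmap scan initiated (constructed sample)\n"
    "Host: 192.168.1.10 ()\tStatus: Up\n"
    "Host: 192.168.1.10 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///\tIgnored State: closed (998)\n"
    "Host: 192.168.1.25 ()\tPorts: 1434/open/udp//ms-sql-m///, 3389/open/tcp//ms-wbt-server///\tIgnored State: filtered (998)\n"
    "Host: 192.168.7.3 ()\tPorts: 22/open/tcp//ssh///, 5900/open/tcp//vnc///\tIgnored State: closed (998)\n"
)

# Hypothetical baseline of what each host is supposed to expose: host -> {(port, proto)}.
# A host missing from the baseline is treated as having no approved services at all.
BASELINE = {
    "192.168.1.10": {(22, "tcp"), (80, "tcp")},
    "192.168.1.25": {(3389, "tcp")},
}

# One -oG port entry looks like: port/state/proto/owner/service/rpc/version
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)//([^/]*)/")


def parse_gnmap(text):
    """Return {host: [(port, proto, service), ...]} for every open port in -oG output."""
    found = defaultdict(list)
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue  # comment lines and "Status: Up" lines carry no port data
        host = line.split()[1]
        ports_field = line.split("Ports:", 1)[1].split("\t", 1)[0]
        for port, state, proto, service in PORT_RE.findall(ports_field):
            if state == "open":
                found[host].append((int(port), proto, service))
    return dict(found)


def find_rogue_services(scan, baseline):
    """Return sorted (host, port, proto, service) tuples the baseline does not approve."""
    rogue = []
    for host, entries in scan.items():
        approved = baseline.get(host, set())
        for port, proto, service in entries:
            if (port, proto) not in approved:
                rogue.append((host, port, proto, service))
    return sorted(rogue)


if __name__ == "__main__":
    for host, port, proto, service in find_rogue_services(parse_gnmap(SAMPLE_GNMAP), BASELINE):
        print(f"ROGUE {host} {port}/{proto} ({service or 'unknown'})")
```

Every line the script prints is either a service that should be in the baseline or a listener that should be shut down; in either case the network is better known afterwards.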
Another way of auditing your network for rogue services is by passively monitoring traffic. Many times this will also identify unknown services and/or protocols running on your network.
Some tools for this include ettercap, which can do a lot of cool stuff like ARP cache poisoning, MITM attacks, etc. NTOP (network TOP for you *nix folks) is another one I’ve used in the past to monitor network traffic. Wireshark is the new name for the tried and true Ethereal, a standard packet sniffer and protocol analyzer.
Now you have your work cut out for you; download some cool and free toys and start scanning your network and finding the attack points before the bad guys do!