Scanning Domino for security holes

This month's tip focuses on security scanners for Domino Web sites.

This month's tip focuses on security scanners for Domino Web sites. The bad guys have these tools, so you might

as well know about them too. But first, a note of caution before we get started:

You should only use security scanners on your own computers or for Web sites that you are paying someone else to host for you. In the latter case, let the hosting company know what you are doing first. Breaking this rule is bad ethics and will get you kicked off of many Internet service providers.

There are two kinds of security scanners I will discuss here: General scanners that can examine an arbitrary computer on the Internet; and scanning web sites that will examine the computer you are sitting at.

General Security Scanners
--------------------------

A general security scanner (often called a port scanner) is a program that rapidly attempts to connect to many ports on a particular server. The scanner then reports on which ports are open for connection and which are closed. Port scanners have many malicious uses. Crackers use scanners to look for open ports on target machines, then they attempt to break into the servers using available ports.

If you are trying to protect a server from attack, however, a port scanner can help you find vulnerabilities before the crackers find them. Then you can use a firewall, or the Domino server settings, to shut down the unneeded open ports. (Note: you need open ports for legitimate mail and browser connections: you just don't want unnecessary open ports.)

One drawback to port scanners is that they provide a lot of information, and it takes some expert skill to understand everything they tell you. However, the basic information -- a list of open ports -- is pretty easy to read and interpret.

Port scanner links
Below are two links that will help you get started with port scanners:
http://www.hideaway.net/Server_Security/Software/Browse_Categories/browse_categories.php?CurrentCategory=5
This site contains an excellent list of many port scanners for many different platforms.

http://www.atelierweb.com/pscan/index.htm
This site points to one of the most popular Windows-based scanners, which contains many advanced features.

Security Scanning Web Sites
-----------------------------

Scanning Web sites work in the same way as general port scanners, except that the scanning software is stored on someone else's Web site. You never have a copy of the scanning software yourself. Web sites that provide this service allow you to use their scanning software to examine the computer you are sitting at, without the need to get your own scanner.

ShieldsUp! -- from GRC, is one of the best scanning sites I have seen.

Here's how to use it:

1) If your Internet access is provided by a hosting company or IT department, tell them what you are planning to do.

2) Using your Web browser, go to http://www.grc.com.

3) Click on ShieldsUp! (You might have to scroll down to see this.)

4) Scroll down to the buttons labeled Test My Shields and Probe My Ports.

5) Press each button to activate the scanning software stored at GRC. You will see a report on your computer's vulnerabilities. (Note: The information you get here is of a basic nature and does not cover all possible security holes you might have.)

Chuck Connell is president of CHC-3 Consulting http://www.chc-3.com, a consultancy that helps organizations with all aspects of Domino and Notes, especially security.

This was first published in July 2001

Dig deeper on Domino Resources - Part 4

0 comments

Oldest 

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

SearchWinIT

Search400

  • iSeries tutorials

    Search400.com's tutorials provide in-depth information on the iSeries. Our iSeries tutorials address areas you need to know about...

  • V6R1 upgrade planning checklist

    When upgrading to V6R1, make sure your software will be supported, your programs will function and the correct PTFs have been ...

  • Connecting multiple iSeries systems through DDM

    Working with databases over multiple iSeries systems can be simple when remotely connecting logical partitions with distributed ...

SearchEnterpriseLinux

SearchVirtualDataCentre.co.uk

Close