Crap...I don't want a holy war either.

But sheesh...don't say things like the following statement:

> out of the box. I would like to see a custom install on win32 instead of
> click here to continue.

Have you even installed Windows?  There is.  It's called 'Custom' install
and you only select operating system and utilities you want.  There is no
ftp, telnet, http, or ANY client accessible services unless you check the
'Install IIS' box.  There is authenticated login for shares such as c$ which
only administrator of the local box or if it's on domain, admin group of
domain can attach to.  Even then, it requires guessing password and guest is
disabled by default.  X strikes you're out if you go into user manager & set
it.  I'm not saying it's more secure, but more secure than non NT people
give it credit to be.

My install has the O/S, hyperterminal, telnet client, and an unconfigured
web browser as a standalone box with no shares.  Netbios is disabled so the
box isn't even seen on the browse list.  Packet filters deny all except the
ports I want coming in.  Last I read, Redhat was right up there with NT as
preferred box to hack.

Sigh...I hesitate to send this but the "narrow minded" comment was followed
by another one with a false statement.

----- Original Message -----
From: "Elijah Savage" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, March 22, 2001 10:36 AM
Subject: Linux Security


> I know it's off topic, but I hate such narrow minded comments...
>
> > If you have ever installed any *ix system, you'd be darn well
> > aware that the thing is w i d e open. There is almost
> > no security there. It has to be added and maintained. Win32
> > systems are similar. Very trusting and friendly until they are
> > properly taken care of. Is *ix inherently more secure? no way.
>
> No holy war here either. But I could not resist the reply to this
> comment. Of course it depends on the administrator of the box, but it
> depends also how you install it. I have never installed a linux box with
> ftp or telnet by default (openssh). Because these boxes I set up are
> usually dns or web servers you can install them so that they run in a
> chrooted environment which tends to be a tad bit more secure. This is
> one reason I like nix over any win platform because I can install what I
> want and how I want it, which usually makes a nix box more secure than
> any win platform. So to me how I stated above nix is more secure, but of
> course you have to know what you are doing. You probably will say well
> this is not a base install. And my reply is well if you do a custom
> install which you can do right out of the box without recompiling the
> kernel or anything fancy nix will be more secure than win32 platforms
> out of the box. I would like to see a custom install on win32 instead of
> click here to continue.
>
> > I challenge anyone to make a valid, non-ideological based
> > comparison of a base Win32 and a base Linux install. If Linux
> > were so damned secure in its current state, I wouldn't see IDS
> > logs filling up with folks scanning for obvious Linux vulns, now
> > would I? Bottom dollar is, without proper administration, both
> > Win32 and *ix suck big time. With proper care and feeding, they
> > can both become relatively secure.
>
> You are seeing IDS logs filling up due to the fact that most script
> kiddies out there are learning nix and what vulnerabilities are
> associated with it. And from my years of experience and dealing with
> these individuals it is more of a challenge for them, like a notch in
> their belt if they compromise a nix box rather than a win32 platform.
> They will be readily accepted by their peers if this is accomplished and
> shunned away for saying hey I cracked a nt server. Due to the fact and
> the latest security survey (I can't remember right off hand by whom) that
> show due to the recent influx of MCSE certified individuals that lack
> experience on securing these boxes that get broken into it's not a
> challenge to them any more. It showed there were a very high number of
> individuals out there that did not even have the known IIS patch
> applied. I am not knocking MCSE individuals here because I myself am a
> MCSE+I; we all have to start somewhere. But there are more individuals
> out there in the industry with NT boxes than there are with Unix boxes
> under their control.
>
> If you ask me this is some of the reason why you see so many entries in
> your log for nix vulnerabilities than you do for the win32 platform.
>
> -----Original Message-----
> From: W. Alan Robertson
> Sent: Thu 3/22/2001 10:23 AM
> To: Brian Kimsey-Hickman; [EMAIL PROTECTED]
> Cc:
> Subject: Re: Anyone tried setting up a Linux TFTP Server for Cisco?
>
> Rather than get into a Holy War about why Linux is better than Windows, I
> figured I'd just answer your question.
>
> in.tftpd doesn't constantly run like other processes, like a http server, as an
> example.
>
> in.tftpd is typically started as needed, and terminated when finished. The
> controlling process is inetd. The configuration file for inetd can be found at
> '/etc/inetd.conf'.
>
> Edit that file...
>
> Scroll down to a line that reads like this (the exact line varies by Linux
> distribution):
>
> #tftp dgram udp wait nobody /usr/sbin/tcpd /usr/sbin/in.tftpd /tftpboot
>
> The # means that this line is commented out. If you remove the hash mark,
> leaving:
>
> tftp dgram udp wait nobody /usr/sbin/tcpd /usr/sbin/in.tftpd /tftpboot
>
> you will have enabled the tftp service for the box. The "/tftpboot" reference
> refers to the tftp service home directory, so make certain that it exists. You
> can also move the location if you'd like. Just specify a different path, and
> ensure that it exists.
>
> Finally, you need to restart the inetd process, so that it will be aware of the
> fact that you want it to manage tftp services.
>
> Do a 'ps ax | grep inetd'. That will show something like:
>
> yavin:/etc# ps ax | grep inet
> 252 ? S 0:00 /usr/sbin/inetd
> 369 ? SW 0:00 [rinetd]
> 7945 pts/1 S 0:00 grep inet
> yavin:/etc#
>
> To restart it, type this: 'kill -HUP [pid]'
>
> In my example, 252 is the pid (Process ID).
>
> I almost forgot... One thing you also need to check is the directory permissions
> of /tftpboot...
>
> Make sure that the directory is World Readable, and World Writable. Tftp does
> no user authentication, so you have to give global read/write access to its
> directory. Also, before sending a file up to the tftp server, you will need to
> 'touch filename'. Generally, the service will allow you to overwrite a file
> that exists, but it will not allow you to create a wholly new file. Silly,
> isn't it?
>
> Best of luck...
>
> Alan
>
> ----- Original Message -----
> From: "Brian Kimsey-Hickman" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Thursday, March 22, 2001 8:17 AM
> Subject: Anyone tried setting up a Linux TFTP Server for Cisco?
>
> > I was wondering if anyone had tried to set up a Linux box as a TFTP server
> > for Cisco configurations and images. I have tried in.tftp but don't seem to
> > be having a lot of luck.
> >
> > Thanks,
> >
> > Brian
> >
> > _________________________________
> > FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
> > Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]

_________________________________
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
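
An audit of the inetd.conf setup described in the quoted tftp instructions, added here as an example and not part of the original thread: it lists enabled tftp entries and checks whether the served directory is world-writable. The sample file contents are constructed, and the function names are this example's own.

```python
import os
import stat

# Constructed sample in the format quoted in the thread; not from a real host.
SAMPLE_INETD_CONF = """\
#ftp  stream tcp nowait root   /usr/sbin/tcpd /usr/sbin/in.ftpd
tftp  dgram  udp wait   nobody /usr/sbin/tcpd /usr/sbin/in.tftpd /tftpboot
"""

def parse_inetd(text):
    """Return the enabled (uncommented) service entries of an inetd.conf."""
    entries = []
    for raw in text.splitlines():
        fields = raw.split()
        # Blank, commented-out (disabled) or incomplete lines are skipped.
        if len(fields) < 6 or fields[0].startswith("#"):
            continue
        entries.append({"service": fields[0], "proto": fields[2],
                        "user": fields[4], "server": fields[5],
                        "args": fields[6:]})
    return entries

def world_writable(path):
    """True if 'other' may write to path, None if path does not exist."""
    try:
        return bool(os.stat(path).st_mode & stat.S_IWOTH)
    except FileNotFoundError:
        return None

def audit_tftp(text, writable=world_writable):
    """Describe what each enabled tftp entry exposes."""
    findings = []
    for e in parse_inetd(text):
        if e["service"] != "tftp":
            continue
        findings.append("tftp enabled: unauthenticated transfers over " + e["proto"])
        if os.path.basename(e["server"]) != "tcpd":
            findings.append("not started through tcpd, so no hosts.allow/hosts.deny filtering")
        if e["user"].split(".")[0] == "root":
            findings.append("daemon runs as root")
        # args[0] is the daemon's argv[0]; later absolute paths are served dirs.
        for d in (a for a in e["args"][1:] if a.startswith("/")):
            state = writable(d)
            if state is None:
                findings.append(d + " does not exist")
            elif state:
                findings.append(d + " is world-writable: any host reaching the port can overwrite files there")
    return findings

if __name__ == "__main__":
    for finding in audit_tftp(SAMPLE_INETD_CONF):
        print(finding)
```

On a real host, pass the contents of /etc/inetd.conf to `audit_tftp` and leave `writable` at its default so the directory mode is read from disk.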
