On Monday, July 15, 2002, at 09:58, Eric D. wrote:

> on 15/7/02 21:25, Eagle at [EMAIL PROTECTED] wrote:
>> consoles. But those break-ins were on a Linux server machine (my OS X
>> Cube is also a web/ssh server) that was not up-to-date on the latest
>> fixes at the time. I imagine that, for most Mac OS X users, keeping up
>> with System Updates will be good enough.
>
> I don't imagine there are too many exploits that can be perpetrated against
> a Mac OS X machine -- not only would the hacker have to stumble on just the
> right version of Apache, but they would also have to think quickly enough to
> compile their exploits for the PPC ;) ;) ;)

That would be true for an automated worm, but the possibility of gaining remote access through an Apache (or BIND, or sendmail, or whatever) exploit still exists. Even though the exact exploit might be different (it might not - I don't know with certainty), a buffer overflow is a buffer overflow.

>> Nor do I, but with a Unix server, passwords aren't enough. You need
>> secure communications channels (SSH), and you need to keep up with the
>> latest patchlevels on your software. Recall the recent SSH and Apache
>> exploits -- machines that have not been upgraded today are still
>> vulnerable to exploitation.
>
> Someday I'll have to learn how these exploits function.

Look fast, because they're often quickly fixed. Watch http://www.securityfocus.com, and subscribe to Bugtraq.

>> You need more than a secure OS -- you need an encrypted filesystem to
>> protect against physical access issues.
>>
>> For those worried about remote exploitation, the rules are few and
>> simple:
>> - run only the services you need,
>> - keep up on the latest patchlevels for those servers, and
>> - limit access to those services by IP address (tcp wrappers) whenever
>>   possible.
>
> If you run a server with known secure software, there's little reason to run
> a firewall. But, there's also the problem that a firewall still won't keep
> you from getting hacked. If you provide incoming access to your computer the
> only thing a firewall may/will do is record the person's IP. If the hacker
> is tricky, they'll also take the time to wipe the firewall's log & you'll
> never know who broke in ;)

That's true, but what one of these el-cheapo "cable/dsl router/firewall" things will do is protect your entire network. I have anywhere from 1-10 machines online in my house, and I only have to worry about the security of the ones that are accessible from the outside. The Linux machine I spoke of earlier is not at my house - it is collocated and is just accessible as my OS X box at home.
The difference is that I provide access on the OS X box to services (AppleShare, FTP, etc.) that are not available outside, so any vulnerabilities to those services will not affect the ability of kiddies to access my OS X box. That's a nice bit of reassurance.

In addition to what I said earlier ("the rules are few and simple") I'll add this in summary: paranoia is one thing (and is probably not necessary) -- but a reasonable set of precautions is another (and is a very good thing).

Eagle
