On Thu, 2003-02-13 at 12:01, Kent Borg wrote:
> On Thu, Feb 13, 2003 at 11:58:58AM -0600, Dave Ihnat wrote:
> > On Thu, Feb 13, 2003 at 10:02:54AM -0500, Kent Borg wrote:
> > > On Thu, Feb 13, 2003 at 07:56:23AM -0600, Dave Ihnat wrote:
> > > > We all urgently push you to implement a firewall...any firewall...
> > >
> > > No we don't (with or without smilies), I do not advise a firewall
> > > unless you are trying to protect some MS Windows garbage and that is a
> > > losing battle you are better off not trying to fight.
> > > <<Rest of message elided>>
> >
> > With all due respect, not only is that a very misguided attitude, it's a
> > dangerous one to promulgate.
>
> First, a point of order: if you are sincere about the "with all due
> respect" part, then don't suggest that I am a cracker.
>
> > Read what you said
>
> I wrote a short post describing how to make and keep a Red Hat system
> secure. I glossed over some details, but I still think it was pretty
> good, and damn specific, given how short it was.

My problem with the method you propose is that it requires you to be able
to determine vulnerabilities before they happen. Say you are attending a
Linux Expo, or some other event that takes you away from your machine(s)
for the day. That morning a vulnerability is announced that has an
exploit. Your machine(s) is (are) vulnerable until you update it, if it is
a network-exploitable vulnerability.

Specific? Well, do you like to print, and run lpd? It's had problems in
the past.

> You assert that it won't work. OK, be specific. Reread what I
> posted. Assume that such a RH 7.0 system has been on the internet,
> maintained as I described, without a firewall, for the last two years.
> Tell me how it got rooted during that time. Be specific.

Its maintainer was at work, and it was a home machine running the
vulnerable LPRng, and they did not update the machine until they were
a) aware of the problem, and b) able to update to a fixed version.

For example: http://rhn.redhat.com/errata/RHSA-2002-089.html

An example clipped from an incident report:
--------------------------
Port 515 on our network was scanned from uiowa.edu over the weekend.
Here's some information on the LPRng exploits attempted against several
RedHat Linux 7.x hosts.

The intruder attempts to create a file called /dev/whoa/reg. It looks
like they intend for reg to open port 8282 with root privileges. They
then edit the xinetd.conf file and restart xinetd to open the port.
Evidence of these changes was cleared from compromised hosts once the
intruder installed his kit. A password-protected guest account with a GID
of 0 was created on one compromised host. The following files were also
changed: du, find, ls, netstat, passwd, ping, psr, and su.
-----------------

Running X-Windows on said system? Uh-oh, there's another potential
problem (especially if xdm was enabled). ASCII-only email/web? Pine, Mutt
(CAN-2002-0001) and lynx have had their problems w/security as well.
PAM has had its problems, which in at least one case allowed users to get
another's access credentials.

The problem with your method is that it does not "think like a cracker".
It "thinks" like someone who believes they are faster and superior to the
cracking ability. IMO, that is as bad as relying solely on a firewall.
Security is not an item, it is a process and mindset.

While it is true for all systems that there is a period of vulnerability
between the finding/reporting of the vulnerability/exploit and the
updating of the system, by not using a firewall, you pile more openings on
top of ones that affect, for example, bind or mod_ssl. There are exploits
that allow the remote attacker to get non-root local access. Combine this
with a local-root exploit and bam, you have a problem. IMO, this is as
dangerous as "we have a firewall, who cares?".

--
Bill Anderson
RHCE #807302597505773
[EMAIL PROTECTED]

--
redhat-list mailing list
unsubscribe mailto:[EMAIL PROTECTED]?subject=unsubscribe
https://listman.redhat.com/mailman/listinfo/redhat-list
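The incident report quoted in the message above lists three host-level indicators of the LPRng compromise: a non-root account created with GID 0, an extra xinetd service opening port 8282 for /dev/whoa/reg, and replaced system binaries (du, find, ls, netstat, ...). The following script is an added example that is not part of the thread; it shows how a defender would check a host for exactly those three indicators. The sample /etc/passwd, sample xinetd.conf, the port allowlist and the hash "baseline" are all constructed in-line so that it runs offline; on a real host you would feed it the live files and a baseline recorded while the system was known clean.

```python
"""Host-integrity checks for the indicators in the quoted LPRng incident report.

Added example, not code from the redhat-list thread. All inputs below are
constructed samples; the port allowlist is an assumption about what the
administrator expects xinetd to serve.
"""
import hashlib
import re
from typing import Dict, List, Tuple

# Constructed sample /etc/passwd: one legitimate root, one "guest" account
# with GID 0 (the pattern the incident report describes), one normal user.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
guest:x:501:0:guest:/home/guest:/bin/bash
kent:x:500:500:Kent:/home/kent:/bin/bash
"""

# Constructed sample xinetd.conf: telnet is disabled, and a "reg" service
# bound to port 8282 with server /dev/whoa/reg has been added.
SAMPLE_XINETD = """defaults
{
    instances = 60
}
service telnet
{
    disable = yes
    port = 23
}
service reg
{
    disable = no
    socket_type = stream
    port = 8282
    server = /dev/whoa/reg
    user = root
}
"""

ALLOWED_XINETD_PORTS = {23}  # assumption: the only port xinetd should serve here

# Constructed stand-ins for binaries: BASELINE was recorded when the host was
# clean; since then "netstat" has been replaced (as in the incident report).
CLEAN_BINARIES = {"ls": b"ls-clean", "netstat": b"netstat-clean", "ps": b"ps-clean"}
BASELINE = {name: hashlib.sha256(data).hexdigest() for name, data in CLEAN_BINARIES.items()}
CURRENT_BINARIES = dict(CLEAN_BINARIES, netstat=b"netstat-trojaned")


def privileged_non_root_accounts(passwd_text: str) -> List[str]:
    """Return account names other than 'root' whose UID or GID is 0."""
    hits = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) < 4:
            continue  # malformed line; skip rather than crash
        name, uid, gid = fields[0], fields[2], fields[3]
        if name != "root" and (uid == "0" or gid == "0"):
            hits.append(name)
    return hits


def enabled_xinetd_services(conf_text: str) -> Dict[str, dict]:
    """Parse xinetd.conf service blocks into {name: {attr: value}}, keeping
    only services that are not explicitly disabled."""
    services = {}
    for m in re.finditer(r"service\s+(\S+)\s*\{(.*?)\}", conf_text, re.S):
        name, body = m.group(1), m.group(2)
        attrs = {}
        for attr_line in body.splitlines():
            if "=" in attr_line:
                key, value = attr_line.split("=", 1)
                attrs[key.strip()] = value.strip()
        if attrs.get("disable", "no").lower() != "yes":
            services[name] = attrs
    return services


def unexpected_xinetd_services(conf_text: str,
                               allowed_ports=ALLOWED_XINETD_PORTS) -> List[Tuple[str, int, str]]:
    """Enabled services whose port is not allowlisted: (name, port, server)."""
    bad = []
    for name, attrs in enabled_xinetd_services(conf_text).items():
        port = int(attrs.get("port", "0") or 0)
        if port not in allowed_ports:
            bad.append((name, port, attrs.get("server", "")))
    return bad


def changed_binaries(current: Dict[str, bytes], baseline: Dict[str, str]) -> List[str]:
    """Names whose SHA-256 no longer matches the clean baseline."""
    return sorted(name for name, content in current.items()
                  if hashlib.sha256(content).hexdigest() != baseline.get(name))


if __name__ == "__main__":
    print("privileged non-root accounts:", privileged_non_root_accounts(SAMPLE_PASSWD))
    print("unexpected xinetd services:  ", unexpected_xinetd_services(SAMPLE_XINETD))
    print("changed binaries:            ", changed_binaries(CURRENT_BINARIES, BASELINE))
```

The hash comparison only helps if the baseline was taken before the compromise and is stored off the host, since the report notes the intruder cleaned up evidence after installing his kit; the same caveat applies to running these checks with a possibly trojaned ls or find.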