I would agree that there is something to be said for learning to batten
 down your Linux boxen. However, keeping things behind a firewall is
 just good practice. Yes, it may give one a false sense of security, but
 it also gives one a safe place to learn and grow, i.e., behind the
 firewall. With a firewall, you can limit the ports available from the
 outside straight away. True, you can do that with a Linux box from the
 outset, but there may be things you want to do in the meantime that
 require those services. I think in general, having a firewall in place
 is always a plus, and having more of them limits the number of hacked
 boxes and launching pads for other exploits. No, it's not a cure-all, as
 so many have pointed out. But I'd still recommend everyone have one.
 
 <<JAV>>
> 
> On Thu, 2003-02-13 at 15:18, Bill Anderson wrote:
> > On Thu, 2003-02-13 at 12:01, Kent Borg wrote:
> > > On Thu, Feb 13, 2003 at 11:58:58AM -0600, Dave Ihnat wrote:
> > > > On Thu, Feb 13, 2003 at 10:02:54AM -0500, Kent Borg wrote:
> > > > > On Thu, Feb 13, 2003 at 07:56:23AM -0600, Dave Ihnat wrote:
> > > > > > We all urgently push you to implement a firewall...any firewall...
> > > > > 
> > > > > No we don't (with or without smilies), I do not advise a firewall
> > > > > unless you are trying to protect some MS Windows garbage and that is a
> > > > > losing battle you are better off not trying to fight.  
> > > > > <<Rest of message elided>>
> > > > 
> > > > With all due respect, not only is that a very misguided attitude, it's a
> > > > dangerous one to promulgate.
> > > 
> > > First, a point of order: if you are sincere about the "with all due
> > > respect"-part, then don't suggest that I am a cracker.
> > > 
> > > > Read what you said
> > > 
> > > I wrote a short post describing how to make and keep a Red Hat system
> > > secure.  I glossed over some details, but I still think it was pretty
> > > good, and damn specific, given how short it was.
> > 
> > My problem with the method you propose is that it requires you to be
> > able to determine vulnerabilities before they happen. Say you are
> > attending a Linux Expo, or some other event that takes you away from
> > your machine(s) for the day. That morning a vulnerability is announced
> > that has an exploit. Your machine(s) is (are) vulnerable until you update
> > it, if it is a network-exploitable vulnerability.
> > 
> > Specific? Well, do you like to print, and run lpd? it's had problems in
> > the past.
> > 
> > 
> > > You assert that it won't work.  OK, be specific.  Reread what I
> > > posted.  Assume that such a RH 7.0 system has been on the internet,
> > > maintained as I described, without a firewall, for the last two years.
> > > Tell me how it got rooted during that time.  Be specific.
> > 
> > Its maintainer was at work, and it was a home machine running the
> > vulnerable LPRng, and they did not update the machine until they were a) aware
> > of the problem, and b) able to update to a fixed version. For example:
> > http://rhn.redhat.com/errata/RHSA-2002-089.html
> > 
> > 
> > An example clipped from an incident report:
> > --------------------------
> > Port 515 on our network was scanned from uiowa.edu over the weekend. 
> > Here's some information on the LPRng exploits attempted against several 
> > RedHat Linux 7.x hosts. The intruder attempts to create a file called 
> > /dev/whoa/reg. It looks like they intend for reg to open port 8282 with 
> > root privileges. They then edit xinetd.conf file and restart xinetd to 
> > open the port. Evidence of these changes was cleared from compromised 
> > hosts once the intruder installed his kit. A password protected guest 
> > account with a GID of 0 was created on one compromised host. The 
> > following files were also changed: du, find, ls, netstat, passwd, ping, 
> > psr, and su. 
> > -----------------
> > 
> > Running X-Windows on said system? Uh-oh, there's another potential
> > problem (especially if xdm was enabled).
> > 
> > ASCII-only email/web? Pine, Mutt (CAN-2002-0001) and lynx have had their
> > problems with security as well. PAM has had its problems, which in at
> > least one case allowed users to get another's access credentials.
> > 
> > The problem with your method is that it does not "think like a cracker".
> > It "thinks" like someone who believes they are faster and superior to
> > the cracking ability. IMO, that is as bad as relying solely on a
> > firewall. Security is not an item, it is a process and mindset. 
> > 
> > While it is true for all systems that there is a period of vulnerability
> > between the finding/reporting of the vulnerability/exploit and the
> > updating of the system, by not using a firewall, you pile more openings
> > on top of ones that affect, for example, bind or mod_ssl. There are
> > exploits that allow the remote attacker to get a non-root local access.
> > Combine this with a local-root exploit and bam, you have a problem.
> > 
> > IMO, this is as dangerous as "we have a firewall, who cares?".
> > 
> > -- 
> > Bill Anderson
> > RHCE #807302597505773
> > [EMAIL PROTECTED]
> > 
> > 
> > 
> > 
> > 
> > -- 
> > redhat-list mailing list
> > unsubscribe mailto:[EMAIL PROTECTED]?subject=unsubscribe
> > https://listman.redhat.com/mailman/listinfo/redhat-list
> 





-- 
redhat-list mailing list
unsubscribe mailto:[EMAIL PROTECTED]?subject=unsubscribe
https://listman.redhat.com/mailman/listinfo/redhat-list
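The two technical points in this thread, limiting inbound ports so that a daemon such as lpd is unreachable during the window between an exploit's release and the update, and the post-compromise changes the quoted incident report lists (a service added to xinetd.conf to open port 8282, a GID 0 "guest" account), can both be shown in a few lines of shell. The script below is an added example and not code posted by anyone in the thread. The function names, the choice of port 22 as the only externally allowed port, the temporary file layout, and the contents of the sample passwd and xinetd.conf files are all constructed for illustration; only the indicators themselves (port 515, port 8282, /dev/whoa/reg, a non-root GID 0 account) come from the report.

```shell
#!/bin/sh
# Added example (not from the thread). Assumptions: port 22 is the only
# service meant to be reachable from outside; the sample passwd and
# xinetd.conf below are constructed to contain the indicators from the
# quoted incident report.

# Emit an iptables-restore ruleset: drop all inbound traffic except loopback,
# replies to connections we initiated, and the TCP ports given as arguments.
# With only "22" allowed, lpd on 515 and a backdoor on 8282 stay unreachable
# from outside even while the daemons keep listening locally.
build_ruleset() {
    printf '*filter\n:INPUT DROP [0:0]\n:FORWARD DROP [0:0]\n:OUTPUT ACCEPT [0:0]\n'
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    printf '%s\n' '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    for port in "$@"; do
        printf '%s\n' "-A INPUT -p tcp --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    done
    printf 'COMMIT\n'
}

# Print "service port" for every xinetd service whose "port =" value is not
# in the allowlist given as the remaining arguments.  This is the check that
# catches an xinetd.conf edited to open 8282 for /dev/whoa/reg.
check_xinetd_ports() {
    conf=$1; shift
    allow=" $* "
    awk -v allow="$allow" '
        BEGIN { svc = "(none)" }
        /^[ \t]*service[ \t]/ { svc = $2 }
        /^[ \t]*port[ \t]*=/ {
            split($0, kv, "=")
            gsub(/[ \t]/, "", kv[2])
            if (index(allow, " " kv[2] " ") == 0) print svc, kv[2]
        }' "$conf"
}

# Print every account other than root whose primary GID is 0, the
# "password protected guest account with a GID of 0" from the report.
check_gid0() {
    awk -F: '$4 == 0 && $1 != "root" { print $1 }' "$1"
}

# Constructed sample input: a passwd file with a GID 0 guest account and an
# xinetd.conf with a "reg" service on 8282 running as root.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
SAMPLE_PASSWD="$WORK/passwd"
SAMPLE_XINETD="$WORK/xinetd.conf"
cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
guest:x:501:0::/home/guest:/bin/bash
kent:x:500:500::/home/kent:/bin/bash
EOF
cat > "$SAMPLE_XINETD" <<'EOF'
defaults
{
        log_type        = SYSLOG daemon info
}
service sshd
{
        socket_type     = stream
        port            = 22
        server          = /usr/sbin/sshd
}
service reg
{
        socket_type     = stream
        port            = 8282
        user            = root
        server          = /dev/whoa/reg
}
EOF

echo "== ruleset (feed to iptables-restore) =="
build_ruleset 22
echo "== xinetd services on ports outside the allowlist =="
check_xinetd_ports "$SAMPLE_XINETD" 22
echo "== non-root accounts with GID 0 =="
check_gid0 "$SAMPLE_PASSWD"
```

The ruleset is written in iptables-restore format so it can be reviewed before it is loaded; run it as root with `build_ruleset 22 | iptables-restore` on a real host, after checking that 22 really is the only port you need from outside. The two checks read plain files, so they can be pointed at /etc/passwd and /etc/xinetd.conf directly. They do not help with the trojaned du, find, ls, netstat, passwd, ping, ps and su the report mentions: for those, verify the packages against the RPM database (rpm -V) from a trusted rescue medium rather than trusting the binaries on the compromised host.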