Re: Safety while network install.
On Nov 20, 3:20 pm, Sthu Deus wrote: > Good time of the day. > > I'm concerned on safety of install over network (the netinst) - what > techniques are used to protect the installed system during the very > process of installation? > a single machine connected to the internet: moving to cd /usr/local/bin LIKE ROOT open nano # nano write: # #!/bin/sh iptables -A INPUT -i lo -j ACCEPT iptables -A INPUT -p tcp --syn DROP ## control + o > write firewall name, for instance "firewall.sh" enter control + x give permission # chmod +x firewall.sh to do automaticaly # nano /etc/rc.local (write before "exit 0") /usr/local/bin/firewall.sh control + o enter control + x now: # reboot again in terminal: $ lsmod > see iptables working. Good Luck ! === > Or it includes some risk for the install and therefore media (kind of > disk) is a preferred installation method? > > Thanks for Your time. > > -- > To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org > with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org > Archive: http://lists.debian.org/4ec93549.879acc0a.43d1.c...@mx.google.com -- To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/5805c598-042f-4161-be9f-4b6bcd845...@k26g2000yqd.googlegroups.com
Re: Safety while network install.
Brian wrote: > Sthu Deus wrote: > > My pondering/suggestions here: > > > > 1. You agree that it is a good thing to be firewalled for the being > > installed system - so in case there is no firewall already for it, then > > it would be still good to have one in the install environment. Not the way you state it. I said that having a firewall *separate* from the machine you are installing upon adds an extra layer of security and is a good idea. It isn't required. It is typical of a lot of people today that they already operate behind one. Having one on the machine you are installing would not give you the same protection. > No firewall is necessary during an install from a netinst iso. There is > nothing listening for a connection. No listeners - no connections. Agreed. > And unless Debian provides a kernel which falls over at the mere > sniff of a ping there is no problem there either. I think it unlikely that the kernel used in the installer would have an exploitable vulnerability. Very unlikely. I am not worried about it. But in that strict academic legal setting of if there was a ping-of-death attack, such as has happened before, then having an external firewall is safer since it would protect even against that type of vulnerability. That previous attack wasn't "which falls over at the mere sniff of a ping" since it took a specifically crafted attack package. And the current kernels haven't been vulnerable to that old known attack for a long time. Still it's better with an external firewall since it would block the attack even if the kernel still had that problem. That doesn't say that it is bad without. It's not. But it only helps if the firewall is external. If it is internal to the local machine then it doesn't provide that extra layer of protection against a kernel bug. Since the kernel needs to supply both a bug and protection from it at the same time it is likely that the bug would win in that case. An internal firewall can't count as an extra layer of protection. Any firewall provided by the installer kernel at install time I think would be quite suspect as to useful effectiveness. > > 2. When the the system has its first reboot, and since then, it would > > be a good thing to have a all net incoming requests for service to be > > blocked by default They are blocked by default. Or rather by default nothing is there to listen to them. Don't believe me? Install a pristine system and then check. There isn't anything to attack here. But when I explicitly install a program that works on the network then *I* have installed it. I obviously want it running. There would be no reason to have installed it if I didn't want it installed. If I didn't want that then I wouldn't have installed it. Requiring packages to be installed and to be enabled as a separate step simply make installing them more difficult instead of more secure. For anyone who thinks a firewall provides complete protection I refer you to the only completely secure firewall solution that I know: http://www.ranum.com/security/computer_security/papers/a1-firewall/ > > for: a) there are now services listening (at least > > Debian likes to install exim, for example, but not limited to), b) > > novice users may have no idea on firewall configuration or linux usage > > at all, and therefore, making such important - I would say - default > > settings just would add more security features to the already secure > > name of Debian. > > There is very little need for a firewall on a single machine connected > to the internet at the best of times I think a firewall has value. It is a large umbrella that covers everything at a different layer of security. But there isn't anything magical about it. > but a default install has nothing listening for external > connections, so blocking by default doesn't achieve anything. It's > secure to begin with - a firewall doesn't make it more secure. I think we are in agreement that when nothing is listening then nothing is listening and there is no need for a firewall then. And if you install something such as sshd server which must listen to be useful then of course it is listening on that port and again no firewall is useful in that context. Bob signature.asc Description: Digital signature
Re: Safety while network install.
On Wednesday 23 November 2011 15:14:40 Curt wrote: > > For static you do something like this: > > > > iface eth0 inet static > > address 192.168.1.5 > > netmask 255.255.255.0 > > gateway 192.168.1.254 > > And then dhclient is no longer "called," the daemon won't run anymore, > or do I have to do something else to turn it off? That's all I do - but YMMV. Lisi -- To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/20231551.55527.lisi.re...@gmail.com
Re: Safety while network install.
On Wed 23 Nov 2011 at 15:14:40 +, Curt wrote: > On 2011-11-23, Kelly Clowers wrote: > >> > > For static you do something like this: > > > > iface eth0 inet static > > address 192.168.1.5 > > netmask 255.255.255.0 > > gateway 192.168.1.254 > > And then dhclient is no longer "called," the daemon won't run anymore, > or do I have to do something else to turn it off? Only 'iface eth0 inet dhcp' starts dhclient. -- To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/2023153537.GF2873@desktop
Re: Safety while network install.
On Wed 23 Nov 2011 at 14:30:31 +, Curt wrote: > Thank you. Is that the default when you install cups, just out of > curiosity? It seems like there was a time when you had to do something > to insure that the daemon wouldn't allow network printing. It's the default. > What about this: > > https://www.isc.org/software/dhcp/advisories/cve-2011-0997 > > Relevant? I can't find the set_hostname () function in the dhclient-script > to implement the workaround. Fixed in all Debian packages. See the changelog.Debian for isc-dhcp-client. -- To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/2023153041.GE2873@desktop
Re: Safety while network install.
On 2011-11-23, Kelly Clowers wrote: >> >> I trust the server, I guess; it's my ISP, so I really have to trust >> them way above and beyond whatever dhclient can or cannot do. I could >> set up a static address for the interface (if I knew how--I do have a >> static address). Where does that go? In /etc/network/interfaces? > > Yes. > For DHCP you have something like this: > > auto eth0 > iface eth0 inet dhcp > > For static you do something like this: > > iface eth0 inet static > address 192.168.1.5 > netmask 255.255.255.0 > gateway 192.168.1.254 And then dhclient is no longer "called," the daemon won't run anymore, or do I have to do something else to turn it off? -- To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/slrnjcq3cq.3ck.cu...@einstein.electron.org
Re: Safety while network install.
On Wed, Nov 23, 2011 at 06:30, Curt wrote: > > I trust the server, I guess; it's my ISP, so I really have to trust > them way above and beyond whatever dhclient can or cannot do. I could > set up a static address for the interface (if I knew how--I do have a > static address). Where does that go? In /etc/network/interfaces? Yes. For DHCP you have something like this: auto eth0 iface eth0 inet dhcp For static you do something like this: iface eth0 inet static address 192.168.1.5 netmask 255.255.255.0 gateway 192.168.1.254 (use "ifconfig" and "ip route" to get your numbers if needed) > Then there's also the question of the dns servers, which can change > from time to time (or maybe they rarely do, I dunno). It's pretty rare, really. The only time I have seen a problem is if the network undergoes a major change, e.g. one ISP acquires another. Cheers, Kelly Clowers -- To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/CAFoWM=_fg5hhuovphdns-s2e8w0jwa2ezto_pou4p8aiupt...@mail.gmail.com
Re: Safety while network install.
On 2011-11-22, Osamu Aoki wrote: > > Anyway, read good source. > http://www.debian.org/doc/user-manuals#securing > http://www.debian.org/doc/manuals/securing-debian-howto/index.en.html Thank you for the links. -- To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/slrnjcq0rb.38d.cu...@einstein.electron.org
Re: Safety while network install.
On 2011-11-23, Brian wrote: > > You don't want to run a firewall because it will be of no benefit to > you. The CUPS daemon will only accept print jobs from the machine the > printer is connected to. dhclient is what its name says - a client. It Thank you. Is that the default when you install cups, just out of curiosity? It seems like there was a time when you had to do something to insure that the daemon wouldn't allow network printing. > doesn't listen for any connections, so no need to do anything about it - > unless you don't trust the server it makes requests to. It won't be used > if you set up a static address for the interface. I trust the server, I guess; it's my ISP, so I really have to trust them way above and beyond whatever dhclient can or cannot do. I could set up a static address for the interface (if I knew how--I do have a static address). Where does that go? In /etc/network/interfaces? Then there's also the question of the dns servers, which can change from time to time (or maybe they rarely do, I dunno). What about this: https://www.isc.org/software/dhcp/advisories/cve-2011-0997 Relevant? I can't find the set_hostname () function in the dhclient-script to implement the workaround. Anyway, thank-you. -- To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/slrnjcq0q1.38d.cu...@einstein.electron.org
Re: Safety while network install.
On Wed 23 Nov 2011 at 11:57:57 +, Curt wrote: > einstein:/home/curty# lsof -i > COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME > cupsd1778 root5u IPv6 43230 0t0 TCP localhost:ipp (LISTEN) > cupsd1778 root7u IPv4 43231 0t0 TCP localhost:ipp (LISTEN) > dhclient 1814 root6u IPv4 6366 0t0 UDP *:bootpc > . > > I don't want to run a firewall because I don't what I'm doing and am too > ignorant to set up cupsd and dhclient securely. I think I'm running cups > securely. If I should do something about dhclient (udp, not tcp) please > be so kind as to tell me what. You don't want to run a firewall because it will be of no benefit to you. The CUPS daemon will only accept print jobs from the machine the printer is connected to. dhclient is what its name says - a client. It doesn't listen for any connections, so no need to do anything about it - unless you don't trust the server it makes requests to. It won't be used if you set up a static address for the interface. -- To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/2023123411.GC2873@desktop
Re: Safety while network install.
On 2011-11-22, Sthu Deus wrote: > > My opinion is this: to disable any queries to Your host by iptables > and/or xinit from outside world and then purge the packages You do not > need. > This is a stand alone machine that's not supposed to be offering any services whatsoever to the outside world. I've gotten rid of avahi and portmap; what's left is cups (listening uniquely on the loopback interface, at least I hope) and dhclient. einstein:/home/curty# lsof -i COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME cupsd1778 root5u IPv6 43230 0t0 TCP localhost:ipp (LISTEN) cupsd1778 root7u IPv4 43231 0t0 TCP localhost:ipp (LISTEN) dhclient 1814 root6u IPv4 6366 0t0 UDP *:bootpc . I don't want to run a firewall because I don't what I'm doing and am too ignorant to set up cupsd and dhclient securely. I think I'm running cups securely. If I should do something about dhclient (udp, not tcp) please be so kind as to tell me what. -- To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/slrnjcpns0.33c.cu...@einstein.electron.org
Re: Safety while network install.
On Wed 23 Nov 2011 at 13:50:53 +0700, Sthu Deus wrote: > My pondering/suggestions here: > > 1. You agree that it is a good thing to be firewalled for the being > installed system - so in case there is no firewall already for it, then > it would be still good to have one in the install environment. No firewall is necessary during an install from a netinst iso. There is nothing listening for a connection. No listeners - no connections. And unless Debian provides a kernel which falls over at the mere sniff of a ping there is no problem there either. > 2. When the the system has its first reboot, and since then, it would > be a good thing to have a all net incoming requests for service to be > blocked by default - for: a) there are now services listening (at least > Debian likes to install exim, for example, but not limited to), b) > novice users may have no idea on firewall configuration or linux usage > at all, and therefore, making such important - I would say - default > settings just would add more security features to the already secure > name of Debian. There is very little need for a firewall on a single machine connected to the internet at the best of times but a default install has nothing listening for external connections, so blocking by default doesn't achieve anything. It's secure to begin with - a firewall doesn't make it more secure. Exim does listen, but only for local requests. It will not accept connections from the internet by default. -- To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/2023111601.GA2873@desktop
Re: Safety while network install.
Big thanks, Bob, for Your extended answer: >The only external remotely accessible service available in the >installer kernel are ICMP services such as ping. AFAIK. You can ping >the system. Ping is a very useful diagnostic tool and is not >disabled. The network code responding to ping is in the kernel. In >times past there have been denial of service exploits by sending >crafted ping packets that exploited a vulnerability. Years ago it was >possible to crash a system remotely by sending a specially crafted >ping-of-death packet. The previous exploits were denial of service >attacks by crashing the kernel. But if the installer crashed you >would know it. You would be unable to complete the installation and >would not have a security vulnerability later. > >Those old vulnerabilities have since been fixed and are no longer a >problem. But that is the type of attack that we still need to worry >about on the system when installing because the kernel used is the one >included with the installer image and it should be new enough to avoid >any known problems. Also it can be asked for pinging options such as which address can ping for example - to reduce the possibility of attack in the future kernel releases. >Installing on a private network behind a firewall is a very good idea. >I dare to say that most users operate from a private network these >days. In the old days most universities and corporations had public >IPv4 space. But IPv4 space is used up now and in short supply. These >days most networks operate behind a NAT (network address translation) >box that connects them to the larger Internet that uses one address >externally but different addresses internally. To be clear, boxes >such as a Linksys WRT54GL and similar from Netgear, D-Link, others. >Boxes that connect to a cable modem or DSL and then provide a private >RFC1918 network space in the 10.* or 192.168.* network behind them. >Those boxes provide a firewall preventing incoming connections from >the hostile Internet. Those firewall-router boxes prevent incoming >ping and other packets from connecting to devices on the local private >network. The NAT firewall-router box protects the local private >network from external attack. This is really a good thing as long as the routers have firewall - some can buy it just for single IP sharing (just like hubs) rather than for any protective stuff. So though people become more "routed" (using routers more and more) it is not necessarily means they stay protective just because of that - IMO. >Installing a system on such a private network is a good idea because >in that case even if the installer's kernel were vulnerable to a >remote network exploit then that exploit could not be exploited >because the firewall between the local private network and the hostile >Internet would prevent the attack vector. The installer would run and >install to completion. The installer will install the latest security >upgrades available onto the target system. The installer will reboot >into the target system. After the reboot the installed system will be >running the latest available kernel. There won't have been a way for >a remote attacker to crack into the system. My pondering/suggestions here: 1. You agree that it is a good thing to be firewalled for the being installed system - so in case there is no firewall already for it, then it would be still good to have one in the install environment. 2. When the the system has its first reboot, and since then, it would be a good thing to have a all net incoming requests for service to be blocked by default - for: a) there are now services listening (at least Debian likes to install exim, for example, but not limited to), b) novice users may have no idea on firewall configuration or linux usage at all, and therefore, making such important - I would say - default settings just would add more security features to the already secure name of Debian. -- To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/4ecc97d1.82c0cc0a.10a5.2...@mx.google.com
Re: Safety while network install.
Sthu Deus wrote: > Thank You for Your time and answer, Bob. Beside other things You wrote: > > > Plus most people install on a private network behind a firewall from > > the Internet. This protects them from network attacks from the > > Internet. As long as your local private network is not compromised > > Can You explain, What a great idea behind firewall absence for the > limited install environment - accepting only related packages to the > host (the ones the host asked for)? I am sorry but I am unable to understand what you are asking. Let me say a few more words and perhaps be lucky to answer your question anyway. The installer system is a very small system. It uses a kernel to provide for its own use. It starts up a network for use by the installer. Nothing else uses the network. No ports are opened for listening. No ports are available for connecting. If you scan the system you will find that all ports are closed. Because there are no ports open and no programs are running there isn't a need for a firewall running on the installer kernel. All connections will be closed even without a local firewall layer in place. Therefore it is unneeded. Since the system is very small it is easy to audit it and verify that nothing has changed that would open up a port. The only external remotely accessible service available in the installer kernel are ICMP services such as ping. AFAIK. You can ping the system. Ping is a very useful diagnostic tool and is not disabled. The network code responding to ping is in the kernel. In times past there have been denial of service exploits by sending crafted ping packets that exploited a vulnerability. Years ago it was possible to crash a system remotely by sending a specially crafted ping-of-death packet. The previous exploits were denial of service attacks by crashing the kernel. But if the installer crashed you would know it. You would be unable to complete the installation and would not have a security vulnerability later. Those old vulnerabilities have since been fixed and are no longer a problem. But that is the type of attack that we still need to worry about on the system when installing because the kernel used is the one included with the installer image and it should be new enough to avoid any known problems. Installing on a private network behind a firewall is a very good idea. I dare to say that most users operate from a private network these days. In the old days most universities and corporations had public IPv4 space. But IPv4 space is used up now and in short supply. These days most networks operate behind a NAT (network address translation) box that connects them to the larger Internet that uses one address externally but different addresses internally. To be clear, boxes such as a Linksys WRT54GL and similar from Netgear, D-Link, others. Boxes that connect to a cable modem or DSL and then provide a private RFC1918 network space in the 10.* or 192.168.* network behind them. Those boxes provide a firewall preventing incoming connections from the hostile Internet. Those firewall-router boxes prevent incoming ping and other packets from connecting to devices on the local private network. The NAT firewall-router box protects the local private network from external attack. Installing a system on such a private network is a good idea because in that case even if the installer's kernel were vulnerable to a remote network exploit then that exploit could not be exploited because the firewall between the local private network and the hostile Internet would prevent the attack vector. The installer would run and install to completion. The installer will install the latest security upgrades available onto the target system. The installer will reboot into the target system. After the reboot the installed system will be running the latest available kernel. There won't have been a way for a remote attacker to crack into the system. In a local private network the only place a network attack could come from would be from the local private network. In other words, the attacker would need to be someone very close to you, on your same network, and not someone across the world on the Internet. If this is your home router then they would need to be on your home network. If you are in a coffee shop or airport or other public network space then they would need to be in that same network space with you. Installing from a coffee shop shared open network will be open to attacks from other people on the same coffee shop network. A coffee shop or airport network could be much bigger than you know and there may be a lot of people using it that you don't know. Better to install from your own home network behind your own home NAT firewall-router box so that you know it doesn't have hostile people also on it. Hope that helps, Bob signature.asc Description: Digital signature
Re: Safety while network install.
On Mon, Nov 21, 2011 at 04:34:26PM +, Curt wrote: > On 2011-11-21, Osamu Aoki wrote: > > > > But seriously, Debian is configured as a quite secure system at any time > > unless you make stupid configuration yourself. So it is quite safe. > > > > Would you be so kind as to explain to me what ports/services are > open and listening on a default install of Debian Squeeze (if any) and if > there > are any security implications for the novice user or "hardening" to be > performed on a default install (in relation to listening daemons)? Anyway, read good source. http://www.debian.org/doc/user-manuals#securing http://www.debian.org/doc/manuals/securing-debian-howto/index.en.html > I got rid of avahi and another daemon that opened listening ports because I > didn't know what those services were exactly, what purpose they served, > or whether they presented any kind of danger to my security. (I think > the other service was portmap, now that I come to think of it). http://en.wikipedia.org/wiki/Avahi_(software) http://www.debian.org/doc/manuals/debian-reference/ch05.en.html#_the_hostname_resolution It gives you multicast DNS/DNS-SD service discovery. hostname IP resolution on LAN without DNS. Just do not run if you do not need it. task-desktop pulled in via recommends to avahi-daemon so you can remove it easily. > I remember in the past the xserver would listen by default (at least on > some linuxes), but now the default apparently is not to listen, which is > a good thing, though it took a while to get there. Anyway, checking it yourself for your system is good idea than asking such thing in general sense. Osamu -- To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/2022181612.ga19...@goofy.lan
Re: Safety while network install.
Curt wrote: >Would you be so kind as to explain to me what ports/services are >open and listening on a default install of Debian Squeeze (if any) and >if there are any security implications for the novice user or >"hardening" to be performed on a default install (in relation to >listening daemons)? > >I got rid of avahi and another daemon that opened listening ports >because I didn't know what those services were exactly, what purpose >they served, or whether they presented any kind of danger to my >security. (I think the other service was portmap, now that I come to >think of it). My opinion is this: to disable any queries to Your host by iptables and/or xinit from outside world and then purge the packages You do not need. -- To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/4ecbe6b6.d278cc0a.7c85.f...@mx.google.com
Re: Safety while network install.
Thank You for Your time and answer, Bob. Beside other things You wrote: >Plus most people install on a private network behind a firewall from >the Internet. This protects them from network attacks from the >Internet. As long as your local private network is not compromised Can You explain, What a great idea behind firewall absence for the limited install environment - accepting only related packages to the host (the ones the host asked for)? -- To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/4ecbe6ae.d278cc0a.7c85.f...@mx.google.com
Re: Safety while network install.
On Mon, 21 Nov 2011 09:14:54 +0200, Andrei Popescu wrote: > On Du, 20 nov 11, 18:10:34, Camaleón wrote: >> >> I've never faced a security problem when installing over the network > > How can you tell? ;) gOOd catCh. (Mmm... what happens with my keyboard? Seems like someone is typing on behalf me :-P) >> (Internet) and take no additional countermeasures but ensuring the net >> ISO checksum for the image I have downloaded is okay. >> >> A compromised mirror can hit at anytime not just when installing. > > A compromised mirror would be the least of my worries (due to > secure-apt). There have been two intrusions that are still fresh on my mind (IIRC, one was at Fedora infrastructure and the last one to the kernel servers) and I have an extra of paranoid-thinking these days... > In theory it could be possible to compromise the system during the > install, but I think the risk is quite low. Yup, I also think so. > It would probably have to be a targeted attack during a narrow window of > a non-standard system not listening to any ports (unless you > specifically activated ssh, but then you should know what you're doing). Greetings, -- Camaleón -- To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/pan.2011.11.21.18.00...@gmail.com
Re: Safety while network install.
On 2011-11-21, Osamu Aoki wrote: > > But seriously, Debian is configured as a quite secure system at any time > unless you make stupid configuration yourself. So it is quite safe. > Would you be so kind as to explain to me what ports/services are open and listening on a default install of Debian Squeeze (if any) and if there are any security implications for the novice user or "hardening" to be performed on a default install (in relation to listening daemons)? I got rid of avahi and another daemon that opened listening ports because I didn't know what those services were exactly, what purpose they served, or whether they presented any kind of danger to my security. (I think the other service was portmap, now that I come to think of it). I remember in the past the xserver would listen by default (at least on some linuxes), but now the default apparently is not to listen, which is a good thing, though it took a while to get there. Thanks. -- To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/slrnjckvai.3u6.cu...@einstein.electron.org
Re: Safety while network install.
Hi, On Mon, Nov 21, 2011 at 12:13:41AM +0700, Sthu Deus wrote: > Good time of the day. > > > I'm concerned on safety of install over network (the netinst) - what > techniques are used to protect the installed system during the very > process of installation? instalation data is transmitted via http. But its data integrity is checked by GPG key and hush values. > Or it includes some risk for the install and therefore media (kind of > disk) is a preferred installation method? Oh, practically the same. > Thanks for Your time. The only extra risk you expose your system via your network installation is possibility of attack via network to the system. If you download a CD image, you are exposing a PC which downloads image but not the PC installing Debian. But seriously, Debian is configured as a quite secure system at any time unless you make stupid configuration yourself. So it is quite safe. Osamu > > -- > To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org > with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org > Archive: http://lists.debian.org/4ec93549.879acc0a.43d1.c...@mx.google.com -- To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/2021135226.ga16...@goofy.lan
Re: Safety while network install.
Sthu Deus wrote: > Things I consider are these (during the installation): > . I have working connection Yes. But the simple presence of a network is not a security vulnerability. > . I have at least working kernel and later diver services that are > configured and started during the install Those are of the installer environment. The installer environment is clean when it starts. Again the presence of a running kernel is not a security vulnerability. > . At the same time no firewall rules are applied at the working > (starting to work) system (before it is going to be rebooted - that is > also is waited for the user attention - does not reboot itself). This may sound surprising but not having a firewall in place is also not a security vulnerability. It is a good additional safety net for a general purpose desktop. It is a good recommendation. But not having one on a unix-like system is not a security vulnerability by itself. I think I will go so far as to guess that most servers on the net do not run any firewall. Because they also don't run any extra programs and so don't need it. Unless a program with a vulnerability is listening there isn't anything to attack. For a crack to be successful other things would have to happen at the same time such as the presence of a program listening to the network AND that program having a security vulnerability. Since the installer is a minimum system it does not start up any extra programs. Since none are listening to the network there isn't an attack vector for them to be cracked. The strongest attacks would probably be if the installer used a kernel that included a known remote network exploitable security vulnerability. That isn't likely if you use a recent install image. But if there was a remote vulnerability then that vulnerability would need to be exploited in the installer environment in such a way that it was installed in the target environment. It isn't a normal situation and would need to be attacked specifically for the installer environment. Plus the normal thing for the installer to do is to DHCP an address. Therefore the IP address of the system would need to be found during the installation and attacked. That again makes this less likely. Not impossible if an attacker was constantly scanning every address. But scanning every address is a huge amount of effort and should be detected. The likelihood of all of those things happening during the small window of installation time is very unlikely. Plus most people install on a private network behind a firewall from the Internet. This protects them from network attacks from the Internet. As long as your local private network is not compromised then you will be safe even if the installer kernel contained a known remotely exploitable network security vulnerability. Because you would need an attacker to attack you from your own network. Breaking that chain prevents the attack vector. > That's what is of interest. Hopefully this sets your mind at ease. Bob signature.asc Description: Digital signature
Re: Safety while network install.
On Du, 20 nov 11, 18:10:34, Camaleón wrote: > > I've never faced a security problem when installing over the network How can you tell? ;) > (Internet) and take no additional countermeasures but ensuring the net > ISO checksum for the image I have downloaded is okay. > > A compromised mirror can hit at anytime not just when installing. A compromised mirror would be the least of my worries (due to secure-apt). In theory it could be possible to compromise the system during the install, but I think the risk is quite low. It would probably have to be a targeted attack during a narrow window of a non-standard system not listening to any ports (unless you specifically activated ssh, but then you should know what you're doing). Regards, Andrei -- Offtopic discussions among Debian users and developers: http://lists.alioth.debian.org/mailman/listinfo/d-community-offtopic signature.asc Description: Digital signature
Re: Safety while network install.
Thank You for Your time and answer, Camaleón: >> I'm concerned on safety of install over network (the netinst) - what >> techniques are used to protect the installed system during the very >> process of installation? > >System is still not installed so what are you afraid of? :-? > >> Or it includes some risk for the install and therefore media (kind of >> disk) is a preferred installation method? > >I've never faced a security problem when installing over the network >(Internet) and take no additional countermeasures but ensuring the net >ISO checksum for the image I have downloaded is okay. > >A compromised mirror can hit at anytime not just when installing. Things I consider are these (during the installation): . I have working connection . I have at least working kernel and later diver services that are configured and started during the install . At the same time no firewall rules are applied at the working (starting to work) system (before it is going to be rebooted - that is also is waited for the user attention - does not reboot itself). That's what is of interest. -- To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/4ec9ee83.844ccc0a.7736.e...@mx.google.com
Re: Safety while network install.
2011/11/20 Sthu Deus : > Good time of the day. > > > I'm concerned on safety of install over network (the netinst) - what > techniques are used to protect the installed system during the very > process of installation? > > Or it includes some risk for the install and therefore media (kind of > disk) is a preferred installation method? > > > Thanks for Your time. > Theoretically there *is* a security risk during a network installation, as stated in Securing Debian Manual [1]. However, if I were you, I wouldn't mind too much, since IMHO the risk is really low. If you are really concerned over the problem (or you are paranoid :P), you can set up a firewall [2]. If you are particularly demanding over security, one of the best reference for Debian is Securing Debian. Cheers, Lorenzo [1] http://www.debian.org/doc/manuals/securing-debian-howto/ch3.en.html#s3.3 [2] http://www.debian.org/doc/manuals/securing-debian-howto/ap-fw-security-update.en.html -- Nothing is interesting if you're not interested. -- To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/cabqumk8zcs8xrvtvaft7mpc4p3ru9isai8hho5pryb4z_cz...@mail.gmail.com
Re: Safety while network install.
On Mon, 21 Nov 2011 00:13:41 +0700, Sthu Deus wrote: > I'm concerned on safety of install over network (the netinst) - what > techniques are used to protect the installed system during the very > process of installation? System is still not installed so what are you afraid of? :-? > Or it includes some risk for the install and therefore media (kind of > disk) is a preferred installation method? I've never faced a security problem when installing over the network (Internet) and take no additional countermeasures but ensuring the net ISO checksum for the image I have downloaded is okay. A compromised mirror can hit at anytime not just when installing. Greetings, -- Camaleón -- To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/pan.2011.11.20.18.10...@gmail.com
