comp.os.linux.security FAQ 46
$kr1p7_k177y wrote to us regarding Daniel Swan's release of the comp.os.linux.security FAQ. It's what you'd imagine, but with the growth lately, this should be a helpful tool. There's also an interview with him that sheds more light on the reasons behind the FAQ.
Re:Server concern (Score:2)
It's also easy to further lock down - it's straightforward to block any TCP or UDP port or even protocol you choose (without additional software).
Also, Zone Alarm is widely recognised as a kick ass personal firewall (though I'd always prefer to set up my own cheap box running BSD, and use it to block adverts and trojans also. Get it doing DNS caching etc, also - every little helps when you're restricted to modem like me).
I realise you're just trolling, but I feel that I have to at least try to counteract your FUD.
Suggested FAQ (Score:3)
A: Install BSD.
Re:Server concern (Score:2)
The cure of the ills of Democracy is more Democracy.
Re:Looks a good start (Score:2)
I'd offer to write the section myself, but beyond saying "It appears to offer a finer granularity over file & executable permissions than UNIX's traditional xrw, the documentation included with the package appears to be fairly comprehensive, & it comes enabled by default in the RedHat distribution."
Give me a few months with PAM, & I may be able to delete the qualifiers.
Geoff
Re:Looks a good start (Score:2)
Well, having only the last 5-10 days to read the documentation, I was left with the impression that it could be used quite nicely to implement ACL.
And the point of my original post was that I'm not qualified to add more to the FAQ about PAM than to nicely ask the FAQ maintainer to add a section about it.
Geoff
Re:The term `engineers' is misused (Score:2)
A couple of points... (Score:3)
First, your firewall should always be initialized before initializing the network interface, not after... initializing it after your network comes up means that there is a period (however small) that your machine is vulnerable (or, more vulnerable than it could be
Second, blocking all inbound pings can (potentially) cause problems with things such as DHCP.. (most DHCP servers attempt to ping an address before they issue it, to determine if it's in use or not..) if the DHCP server's lease database becomes corrupt/invalid (because of a network/hardware failure, for example), it could give your IP address to someone else, because your machine doesn't answer the ping..
Third, he misspelled Kurt Seifried's name (I think that Seigfreid is a magician from Vegas
Other than that, a pretty good start..
Re:It misses the real FAQ's... (Score:1)
These are "Frequently Asked Questions" about Linux security and you would expect that the FAQ would answer these. Yes there are good questions answered in the FAQ but you also want to answer the stupid ones too, so you are not answering them in the news group.
Steven Rostedt
Re:It misses the real FAQ's... (Score:1)
Ok, the "what is Open Linux bsdnix" thing would go into the "funny" category, and has nothing to do with Linux security. But the following...
questions, are more legit, and have been commonly asked by newbies. The number of times I get someone calling me up and asking me why they can't log in as root is amazing. I would also add that not ever logging in as root (except for system admin stuff) should be stated in the FAQ.
Steven Rostedt
Re:best not of? (Score:1)
Are there viruses for Linux? (Score:2)
Re:It misses the real FAQ's... (Score:1)
Don't trust the government: (Score:1)
That's the spirit
Re:Looks a good start (Score:1)
PAM has NOTHING to do with xrw style permissions, this is something else, called ACLs (Access Control Lists).
PAM authenticates users in a flexible manner, and allows much more fine grained control than the traditional
Re:Looks a good start (Score:1)
I agree, it should be in the FAQ.
The term `hackers' is misused (Score:3)
Surely the Open Source world knows of this distinction, and this could be reflected in the FAQ?
Some responses: (Score:2)
*) Nobody is a generic dummy account on most UNIX systems. Its purpose is to allow you to run various daemons under the lowest privileges possible (that of a user which can't login and doesn't own any files). A better practice is to create one user account per daemon, and have it own only the files it requires to write to.
*) -- MARK -- is a generic placeholder put there every n amount of time (the default is 20 minutes.. man syslogd for more information).
*) DENY and REJECT act slightly differently. If you are going to utterly blackhole a machine, or simply want to eat packets coming in, DENY is the option you want. REJECT simply sends back a connection refused packet (for TCP; UDP and other protocols have slightly different packets). If you're going to be filtering TCP ports, use REJECT -- DENY will show up as 'filtered' on nmap and any other quality scanner which notes the lack of a reply packet (despite the host being up).
*) OpenBSD [openbsd.org] is an audited branch of the BSD family tree. This code can trace its lineage back to the original UNIX code. For many people, it's a great replacement for Linux on their firewalls because it's simple to set up, and secure out of the box. If you require SMP, or are going to be doing things like high volume web traffic, you may want to review the performance of it vs. Linux, or combine them via firewall + proxy network setup.
If you have any other questions, head to #kuro5hin on slashnet (or irc.kuro5hin.org if you don't know what slashnet is
Not secure? Attackers use your box as homebase (Score:1)
By the way, "bent-up security 'focus'"...
What your fingers are going to fall off typing a login/password pair?
Re:Server concern (Score:1)
What took them so long? There's no bloody difference between filling out a form and commenting lines in inetd.conf as well as firewall config files.
Re:Server concern (Score:3)
Isn't this more of a server concern? I mean, even if my system was "compromised" (the official-sounding wording in the FAQ) why would I truly care? There is nothing on my system that denotes anything that would need to be truly secure (just some personal writing), and if things were deleted I keep regular backups. Privacy is not a concern (I keep no credit card or checkbook numbers on my box).
Most crackers probably aren't interested at all in your private stuff, except perhaps your ISP data (login, password) so they can use your account to get on the net. The thing crackers are interested in is your box itself as a base for further attacks. A cracker with root access can easily manipulate your log files, so when an attack is traced back to your box, you have no proof that it wasn't you who broke in that government machine and downloaded top secret information...
All-in-all, would I even need security if there wasn't the internet? If the machine was just sitting in my room and the only thing that could "attack it" is a 12-year old brother with a misladen hockey stick? Probably not. Sometimes I think this whole bent-up security "focus" of computer hackers comes from their own inherent distrust and annoyance psychologically with the rest of the world.
If you have no net connection and no private data on the machine, security wouldn't be much of an issue. But with an internet connection security simply has to be considered. If you live in a peaceful neighborhood with none or just a few break-ins a year, you probably wouldn't care too much for a state-of-the-art alarm system. Now consider that some unknown guy from somewhere far away develops the Burgle-O-Matic(tm) which can ransack 1000 homes per minute, is operated from a safe haven outside your reach and is available for free to anyone who manages to find it. It also ruins your door even if it can't break in, and you can expect it to come around every other day. Would you just buy a wagonload of new doors every month, or would you rather install a Break-O-Burgle (Guaranteed To Stop Any Brand Of Burgle-O-Matic(tm) At Least Ten Yards Before Your Door)(tm)?
Re:I didn't know Linux could do that! (Score:1)
I didn't know Linux could do that! (Score:2)
"There seems to be a widespread, but fellatious, belief that denying incoming pings will render your host invisible to the outside world."
Do you need special hardware for that belief?
Start time of your firewall (Score:1)
In an environment that uses DHCP this is not easily done if you don't know what you are doing. First, when the firewall script starts, how do you know what your IP address is and thus, how do you know what kind of rules you wish to set if you are using IP based blocking ( not really sure if one can block packets from a certain eth-adapter, not just the IP address ). In such a case, the user has two possibilities.
(btw, I'm using the insecure way, I'm not *that* paranoid)
Also, the FAQ titled one of the Windows ssh clients wrong. It's Tera Term, not Terra Term ;) Anyway, it is a *superb* vt emulator for Windows. Wouldn't want to live without it + it's free and comes with the source. (ssh comes as a plugin and I'm not familiar if it comes with source too)
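The three firewall points raised in this thread (load the rules before the interface comes up; keep answering the DHCP server's pre-lease ping; REJECT filtered TCP ports so they look closed, DENY/DROP the rest; and, from the post above, filter on the interface rather than on an IP address you do not yet know) fit in one small rule-set generator. The script below is an added example, not code from the FAQ or from any poster, and uses modern iptables targets (DROP/REJECT with tcp-reset) as the counterpart of the ipchains DENY/REJECT discussed in the thread. The interface name, the DHCP server address 192.0.2.1 and the `bring_up` helper are constructed assumptions; loading the rules and bringing the link up need root and are not exercised here.

```shell
#!/bin/sh
# Added example: emit an iptables-restore rule set that can be loaded
# before the interface is configured, so there is no window with the
# link up and no filter in place.
#
# Rules are keyed on the interface (-i), not on our own IP address, which
# under DHCP is unknown at the time the firewall script runs.

# gen_ruleset IFACE DHCP_SERVER  -> prints iptables-restore text on stdout
gen_ruleset() {
    iface="$1"
    dhcp_server="$2"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# DHCP offers/acks: server port 67 -> client port 68 (we have no IP yet)
-A INPUT -i $iface -p udp --sport 67 --dport 68 -j ACCEPT
# The DHCP server pings an address before (re)issuing it; if we stay
# silent it may hand our lease to someone else, so answer that one host.
-A INPUT -i $iface -p icmp --icmp-type echo-request -s $dhcp_server -j ACCEPT
# Unwanted TCP: REJECT with a RST so the port reads as closed, not filtered
-A INPUT -i $iface -p tcp -j REJECT --reject-with tcp-reset
# Everything else, other inbound pings included, is eaten (ipchains DENY)
-A INPUT -i $iface -j DROP
COMMIT
EOF
}

# bring_up IFACE DHCP_SERVER  -> load the filter first, then raise the link.
# Assumed helper: must run as root; 'ip' and 'iptables-restore' are the
# standard Linux tools, 'dhclient' is one common DHCP client.
bring_up() {
    gen_ruleset "$1" "$2" | iptables-restore
    ip link set "$1" up
    dhclient "$1"
}

# Usage (as root):  bring_up eth0 192.0.2.1
# Preview only:     gen_ruleset eth0 192.0.2.1
```

The ordering inside the chain matters: the ACCEPT for the DHCP server's echo-request must precede the catch-all DROP, otherwise the lease check is silently blackholed and the symptom is exactly the one described in the thread (the ISP re-issuing your address).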
Why isn't this stored at www.faqs.org? (Score:1)
I know why. It's because the author hasn't bothered to format his FAQ according to the standard, nor has he bothered to get it approved for posting to news.answers et al.
This link [faqs.org] tells you what you need to know to get a Usenet FAQ document posted to news.answers [news.answers].
-Gerard
Re:Server concern (Score:1)
Ignoring the rest of your troll post (and I hope you're trolling...if not your ego needs to be whacked with a reality stick) you brought up a common misconception
There are no processes running as servers because it's a default Win2K Professional box. Like its predecessor, Win2kPro installs with peer-to-peer networking (read shares) enabled by default -> the Server service is set to automatic startup. RPC and Remote Registry service are also ON by default. If they're listening, they're hackable
Re:A couple of points... (Score:1)
Second, blocking all inbound pings can (potentially) cause problems with things such as DHCP.. (most DHCP servers attempt to ping an address before they issue it, to determine if it's in use or not..) if the DHCP server's lease database becomes corrupt/invalid (because of a network/hardware failure, for example), it could give your IP address to someone else, because your machine doesn't answer the ping..
My ISP yelled at me the other day for this very reason. I had to update the rule set to answer the pings from my ISP
Are there other releases (Score:1)
Looks a good start (Score:2)
(I'm a relatively new Linux user and probably speak from a largely Windows background).
This FAQ looks a very good start....Writing a FAQ is extremely time consuming (I know, I've written the PGP DH vs PGP RSA FAQ [clara.net]) and this FAQ is a good foundation to build upon. It largely follows the content of the (also excellent....) book Maximum Linux Security by Anon.
Anyway, I'd like the FAQ to be expanded with:
Re:uhmm (Score:2)
Re:The term `hackers' is misused (Score:1)
I put crackers in my soup.
Re:Are there other releases (Score:1)
but they DID make it seem as if there were, didn't they?
[1] - Yes, that was a shameless plug for my website. :-
--
Cognosco: To examine, enquire, learn
oops, url \/ (Score:1)
http://cognosco.datablocks.net/txt/OS_Specific/
--
Cognosco: To examine, enquire, learn
Re:Are there other releases (Score:1)
--
Cognosco: To examine, enquire, learn
Server concern (Score:2)
There are no processes running as servers because it's a default Win2K Professional box. There is no one scanning my ports because I have set up a cheap version of ZoneAlarm (for my own benefit, to make sure my brothers and sisters aren't browsing to weird websites when I'm home from college).
All-in-all, would I even need security if there wasn't the internet? If the machine was just sitting in my room and the only thing that could "attack it" is a 12-year old brother with a misladen hockey stick? Probably not. Sometimes I think this whole bent-up security "focus" of computer hackers comes from their own inherent distrust and annoyance psychologically with the rest of the world.
Re:Server concern (Score:1)
It wouldn't matter much even if you didn't have anything worthwhile on the machine should it be compromised; however, it can be leveraged as a gateway to attack other machines, which can leave you in a bind if you were unaware that your machine is being used as an attack station.
annoyance psychologically with the rest of the world
Personally I think if you're involved somehow on the net you should take any kind of precaution regarding security regardless of whether you're running any services, using credit cards, etc.; the more you know the easier it'd be to avoid having someone do anything to your machine in a case of not knowing or not giving a shit.
SpeedyGrl.com [speedygrl.com]
Re:I didn't know Linux could do that! (Score:1)
In any case, this was an intentional corruption. A fellatious belief is one that sucks.
Dan.
Re:It misses the real FAQ's... (Score:1)
Re:Why isn't this stored at www.faqs.org? (Score:1)
Re:Looks a good start (Score:1)
Re:Server concern (Score:1)
Wake up, Neo! Wake UP!!!
Re:Are there other releases (Score:1)
Re:F.i.r.s.t. .p.o.s.t.! (Score:2)
Re:Suggested FAQ (Score:3)
Anyhow, my Linux box is more secure than a run-of-the-mill BSD box as it is unplugged, in a fire-proof lead-lined steel box, encased in eight-foot thick cement, hidden in a secret location, (I'm thinking Batcave(tm)-type places), with an armed penguin on guard!
In any case, I forgot to install TCP/IP support into my kernel :-)
"fellatious beliefs" (Score:1)
The special hardware comes standard on some humans. Others can have it installed, but only at considerable expense (and the old hardware has to be deinstalled permanently). Most fellatious believers will tell you, however, that the conversion is probably WELL worth it.
--
MailOne [openone.com]
Re:Server concern (Score:1)
Section 5.2 of the FAQ [linuxsecurity.com] covers this. Kind of. Do you want to explain to the police that you didn't know about the warez and child porn on your hard drive?
Less so, maybe, does your 12-year-old brother never swap Word documents or games with friends? But then who would want to disseminate viruses and trojans, they serve no purpose, right?
It misses the real FAQ's... (Score:3)
No?