On Thu, 10 Jan 2002, Edenyard wrote:
> I've been following all this exchange between Steve and Steven
> regarding security and I'm becoming increasingly concerned and not a
> little perplexed.
Hmmm... sounds like you're asking for a 3rd party
to "mediate" our two views which seem to be at opposite
ends of the spectrum. Maybe if I elaborate a bit, I'll
seem to come closer to the "middle." ;-)
> I use Slackware 8 and I've got a printer.
The lpd (Line Printer Daemon) included with Slackware
isn't known to be vulnerable at this time.
> I also dial
> up the internet sometimes and use netscape. At the risk of being very
> tedious, please could you wizards elaborate on what I should or
> shouldn't do (in simple terms, please!) to stay "safe".
There's no such thing as "safe." There are many
degrees of safety... a huge spectrum of grays between
black and white. Are you "safe enough to be comfortable
with it" might be a better way to express it.
> What are all
> these 'services' that you say people start and then leave running?
A "service" is a daemon type program which listens
for incoming packets, and responds in various ways to
different types of packets.
Let's say you're running a web server. It listens
(normally) on port 80. When it receives a properly
formatted request, it sends back the requested file.
Most likely you'd be running Apache, which is very
stable and very secure.
If you're running M$ IIS, it's a different story.
Someone sends you a Code Red request, your machine is
infected. You back up, reinstall, get the patch and
fix the problem, but then you receive a Code Red II
request. Bang! Your machine is infected again. Once
again you back up, format, reinstall, patch for CR, patch
for CRII. You're "safe" once again. Uh, oh. Here
comes the NIMDA worm. Back up, format, reinstall, CR
patch, CRII patch, NIMDA patch. Each time you patch,
you're "safe" only until a new exploit is discovered.
Isn't this getting tiresome?
No matter how secure you are today, you can be
absolutely certain that some new security hole will
be discovered next week or next month. As with the
latest lpd exploit, it might be a security hole that
doesn't affect your distribution, so it's easy to
become complacent.
Granted, being on dial-up is a plus in this arena.
Being connected for small chunks of time and being
attached to a different IP address each time you
connect makes you not only a moving target, but one
which pops out of sight most of the time.
Some people feel this "bob-and-weave" factor makes
them invulnerable. As I mentioned in an earlier mail,
my father was running a pretty basic default install
of Red Hat 6.2 on a dialup connection when he got
rooted. The script kiddies have programs running all
the time scanning IP blocks. If you happen to pop
onto the net while their radar is aimed in your
direction, you're discovered... and as soon as you're
discovered, you'll be scanned. What will they find?
> Would I have them running after a bogstandard
> Slackware 8 installation procedure?
Last Slack I tried was 3.4 so I really don't have any
idea of what a bogstandard 8 install includes. As root,
do
# netstat -upant
to see what kinds of connections are established, and
what daemons you have listening. From what you've said,
you should probably have X and lpd, and nothing (or
little) else.
If there are more things than those two listening,
you should find out what they are, why they're there,
and determine if you really need them. If not, disable
them.
> Sorry for my ignorance on this - there's obviously tons of
> stuff here that I don't know a thing about....
>
> Thanks for any clues,
The two most important things you can do for security
are
1) Do not run any services open to the world you don't
absolutely need.
2) Stay informed on the status of those services and
make sure you update immediately when any new
security holes are discovered in them.
The second item is the one that usually comes back
to bite you. I don't find any kind of "security errata"
page for Slackware like Red Hat has, so you'd have to
find out how security-conscious slackers keep abreast.
comp.os.linux.security is a good general resource.
- Steve
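The check Steve describes (run "netstat -upant" as root, then find out what is listening besides X and lpd) can be turned into a small script. The example below is added here and is not from the original thread: it parses a constructed sample of "netstat -upant" output, keeps only sockets that accept input from the network (TCP in LISTEN state, any UDP socket), and prints whichever ones are not on an allowlist of programs you expect. The sample output, its PIDs and program names, and the helper names list_listeners and unexpected_listeners are all made up for illustration; on a real box you would pipe the live netstat output in instead.

```shell
#!/bin/sh
# Constructed sample of "netstat -upant" output (illustration only; not taken
# from any real host or from the original post).
SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:515             0.0.0.0:*               LISTEN      412/lpd
tcp        0      0 0.0.0.0:6000            0.0.0.0:*               LISTEN      598/X
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN      377/inetd
tcp        0      0 0.0.0.0:23              0.0.0.0:*               LISTEN      377/inetd
tcp        0      0 10.0.0.5:1034           203.0.113.7:80          ESTABLISHED 820/netscape
udp        0      0 0.0.0.0:111             0.0.0.0:*                           301/rpc.portmap'

# list_listeners: read netstat output on stdin, print "proto port program" for
# every socket that can receive traffic from the network.  Header lines and
# established client connections (like the netscape row) are dropped.
list_listeners() {
    awk '
        # A TCP socket is reachable only when in LISTEN state (field 6);
        # the program name is field 7 after stripping the "PID/" prefix.
        $1 ~ /^tcp/ && $6 == "LISTEN" {
            n = split($4, a, ":"); prog = $7; sub(/^[0-9]+\//, "", prog)
            print $1, a[n], prog
        }
        # UDP rows have no State column, so PID/Program is field 6.
        $1 ~ /^udp/ {
            n = split($4, a, ":"); prog = $6; sub(/^[0-9]+\//, "", prog)
            print $1, a[n], prog
        }
    '
}

# unexpected_listeners ALLOWLIST: print "proto/port program" for every
# listener whose program is not in the space-separated ALLOWLIST.
unexpected_listeners() {
    allowed=" $1 "
    list_listeners | while read -r proto port prog; do
        case "$allowed" in
            *" $prog "*) ;;                                   # expected here
            *) printf '%s/%s %s\n' "$proto" "$port" "$prog" ;;
        esac
    done
}

# Run against the constructed sample.  For a live check, as root:
#   netstat -upant | unexpected_listeners "lpd X"
printf '%s\n' "$SAMPLE_NETSTAT" | unexpected_listeners "lpd X"
```

Anything the script prints is a daemon you did not list as expected; that is the point at which to find out what it is, why it is there, and whether to disable it. Note the allowlist matches program names, not ports, so a daemon that moved to a different port still shows up.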