On Mon, 15 Apr 2002, tack wrote:
> the more perspectives we have on this, the better off we'll all be.
I take a somewhat modular approach to security. There is
a base model of restriction that then gets things added onto
it.
Further: NO OPERATING SYSTEM OR FLAVOR OF UNIX IS SECURE. EVER.
Even so-called "secure" operating systems have root exploits
(cf. OpenBSD's yummy local root exploit of recent days, or the
beautiful OpenSSH holes...)
First off, Don't Run Linux.
If you have to, Don't Run RedHat. Build your own from
a Debian or Mandrake install. Half of Redhat's problems
are caught in the fact that it adds all these "services"
that are potential backdoors.
Do not run any daemons that are not necessary for
operation and use firewall rules to disallow traffic
to daemons that don't need access out.
(For example, I run Samba internally, but firewall
rules prevent anyone outside of 192.168.1.* access
to port 139.)
I only run the following daemons by default:
sendmail
ssh
syslogd
If possible, run daemons as another user. mysqld
has a --user flag, for example. Apache runs as
nobody.
(Currently, my primary server runs sendmail, ssh, nmbd,
smbd, named, httpd, mysqld, dhcpd, ntpd, syslogd, inetd)
NEVER EVER load ftp, telnet, talkd, ytalkd, fingerd,
tftpd. Ever. If anyone ever sends a password to your
system in cleartext... well, it's a threat. The
very paranoid may consider themselves already compromised.
Teach people how to use ssh, scp, or sftp if they need
to. If people want to talk in real time, point them to
an IRC server. Back in the day, tftp had a use on a
desktop; now it is relegated to router configs. Finger
will only serve to allow people account information.
Do not run bind unless you're running a nameserver. If
it is a caching nameserver, make sure firewall prevents
port 53.
I don't run identd, but if you IRC on efnet you'll need
it. Get an identd that spits out a fake string, like
oidentd.
Do you really need NIS or NFS? If you have something
else that does the same job (such as Samba), don't
run both. Create one less point of failure.
I don't run X anymore, but if you do, make sure to
start your server like this:
startx -- -nolisten tcp -bpp 32 2>&1 | tee $HOME/.X-log
This prevents it from accepting commands and allows
you to read a log in case of errors. Unless you log
into the machine as a desktop, you shouldn't even have
to *install* X or any of its components.
(This is why I always build from source. You
never know what libraries some doofus has
required in the rpm binary).
While things like KDE may be super-l33t they are in
reality merely potential paths to being 0wnz0r3d.
Think about it: the bulk of k*/g* apps out there were
written by people with very little experience in
software development, blithely adding buffer overflows
here and there purely by accident. Do you *really*
NEED that version of "ls" that runs in a window?
And are you sufficiently versed in reading source enough
to spot the hidden trojan in the source?
Practice Safe Shell. Don't put anything in your path
you don't need. Never put "." in the path. I have a
.bashrc that dynamically writes $PATH depending on
operating system. You don't need /usr/ccs/bin on
Linux, for example. Make sure your prompt changes
to include # when you're logged in as root.
Make good use of groups and setgid. A lot of time
people make directories mode 777 when they only need
mode 775 with a setgid bit. Get to understand exactly
what it means when you "su" into an account, and what
the wheel group is. What's the difference between
"su" and "su -"?
DO NOT GIVE PEOPLE ACCOUNTS THAT YOU DO NOT TRUST. If
you absosmurfly HAVE TO (e.g., a University setting),
consider the machine compromised before anyone ever
logs in and move on. Simply *do not trust the machine.*
EVER.
Make sure you're on the -announce lists for your
operating system. Also subscribe to bugtraq. You'll
end up deleting most of it most of the time, but there
will be times that you'll be able to plug a hole before
anyone else finds out.
Use tools. Schedule them through cron to run automatic
security checks. nmap is your friend. ntop is also
a good real-time monitor. tcpdump, lsof. They aren't
going to prevent, but they can be useful in helping you
bulwark against.
Mostly, it's experience. Read the Armadillo book cover to cover;
that's got so much basic information that your head will burst.
--
brandon harris
[EMAIL PROTECTED] www.gaijin.com
_______________________________________________
Bits mailing list
[EMAIL PROTECTED]
http://www.sugoi.org/mailman/listinfo/bits
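The "Practice Safe Shell" PATH advice and the "schedule checks through cron" advice above, as an added example that is not part of the original post: a POSIX sh audit script with a constructed `netstat -tln` sample and an assumed allow-list of TCP ports 22 and 25 (sshd and sendmail, two of the three daemons the poster keeps by default).

```shell
#!/bin/sh
# Added example, not the poster's own script: a cron-style audit that
# covers two of the points above, a clean PATH and "no daemons you do
# not need" (listening TCP ports checked against an allow-list).
set -u

# Return 0 if the PATH string in $1 is clean, 1 otherwise.  An empty
# entry (leading, trailing or doubled ":") means the current directory,
# exactly like ".", so it is rejected too; relative entries are rejected.
audit_path() {
    case ":$1:" in *::*) return 1 ;; esac
    _bad=$(printf '%s\n' "$1" | tr ':' '\n' | grep -c -v '^/' || true)
    [ "$_bad" -eq 0 ]
}

# Read `netstat -tln` style output on stdin; $1 is a space-separated
# allow-list of TCP ports that should be listening (22 sshd, 25 sendmail).
# Prints every other listening port, one per line; nothing if all is well.
unexpected_listeners() {
    awk -v allow="$1" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 ~ /^tcp/ && $NF == "LISTEN" {
            port = $4; sub(/.*:/, "", port)   # strip "address:" (v4 or v6)
            if (!(port in ok)) print port
        }'
}

# Constructed sample of netstat output (a real run pipes `netstat -tln`).
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:139             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:23              0.0.0.0:*               LISTEN'

# Report findings and exit non-zero if anything is off, so cron only
# mails output when there is something to read.
main() {
    rc=0
    audit_path "$PATH" || { echo "unsafe PATH: $PATH"; rc=1; }
    found=$(printf '%s\n' "$SAMPLE_NETSTAT" | unexpected_listeners "22 25")
    [ -z "$found" ] || { echo "unexpected listening TCP ports:"; echo "$found"; rc=1; }
    return $rc
}

if [ "${1:-}" = "--run" ]; then main; fi
```

Run it as `sh audit.sh --run` from a cron entry; on the sample data it reports ports 139 and 23 (smbd and telnet, neither on the allow-list) and exits 1.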