On Wed, Oct 04, 2000 at 12:32:44PM -0400, Paul Lussier wrote:
>
> In a message dated: Wed, 04 Oct 2000 10:58:38 EDT
> Tony Lambiris said:
>
> >something happened (can't remember what), and Shilo decided to install Red Hat.
> >First of all, that was probably his first mistake.
>
> Why? I've been running RH systems on servers for more than 5 years now and
> never had a problem with them. Sure, their distribution is buggy at times,
> but it's usually restricted to a small subset of software, and is usually
> fixed quite rapidly. At the least, don't install what's known to be buggy,
> and grab the source for that sw and compile/install it yourself.
>
I never said RH couldn't work in a server environment. Also, not everyone is
running in the same environment as you. Were your servers multi-user
environments? Did you have amd or ftpd running on them? There are a ton of
factors that come into play. I am not impressed. I also don't know how you
can continue to use Red Hat knowing full well that with every release,
there are going to be multiple bugs in the software. Do you run Windows as
well? And in case you missed it, I said the admin did a default install. If he
had deleted packages he did not need, who knows if the crack ever would've
happened.
> >I just read on Slashdot that Red Hat 7.0 had over like 2,500 documented bugs,
> >or something outrageous like that.
>
> Documented and Verified are completely different. If you look a little more
> closely, what counts as a "Documented" bug is more often than not "Stupid User
> Error". For example, someone reported as a bug the fact that when one does
> not have write permission on a directory/file, they can not edit those files.
>
> That's not exactly a bug!
>
Point taken, but I didn't feel the need to go into the multiple factors
affecting people submitting bug reports. Almost every environment is different.
This is a matter of common sense.
> >I'm not saying Red Hat can't be locked down, but it is definately the
> ^^^^^^^^^
> >last distribution I would look at for a server environment.
>
> Locked down and buggy are again, two different concepts. Just because a
> certain distribution may or may not be buggy has nothing to do with whether or
> not it can be hardened. RH is just like every other distribution
> or Unix system for that matter, when it comes to be locked down. You do
> exactly the same things to harden all Unix systems.
>
Again, pointing out the obvious.
Example: a new exploit comes out that writes a suid root shell to /tmp. First
off, how many people create a separate tmp partition (I do)? And how many
people set the /tmp partition NOSUID in their fstab (I do)? Of course, if
Red Hat had not decided to include that service (or at least turned on by
default), they would've spared a lot of headaches. Why spend a day or two
locking down Red Hat, when you can install something like OpenBSD and have
it secured in 2 minutes. It's inefficient.
> There is nothing wrong with running RH as a server. Running it as a server
> also has nothing to do with whether or not it can be locked down. We're
> currently running the majority of our servers on RH. Why? They have, hands
> down, the best and easiest installation out there. I can install a RH system
> in about 5 minutes, and have it up and running as a server in under an hour
> (with all the site-specific configurations, hardening, etc.). I can't do that
> with any other distribution, especially with Debian (and I love Debian, they
> just have a really crappy install tool).
>
I beg to differ, apt-get is by far the greatest and most powerful package
installer.
> >That, and coupled
> >with the fact he didn't know how to secure a box made for an easy target.
>
> If you re-read the e-mail, you'll note the problem was not that it was broken
> into, but rather that it was *used* to break into another location. Now,
> whether or not it was used by students who broke into this system and used it
> as a jumping off point to crack into other locations, I don't know.
>
Well let's just put it this way... I have a few friends that attend Keene
State college, and if the cracker was in fact an attendee at KSC, I would've
been told, so the other obvious answer is that the cracker came from an
outside source.
> >I think it was about that time when I knew Keene State College was a waste
> >of my time and money.
>
> Hmm, perhaps you should reconsider, your spelling can *definitely* use some
> improvement :)
>
Yeah, I guess I really did it this time by misspelling a word. I should
probably go through high school again as a punishment for such a foolish
thing to do in life.
>
> --
> Seeya,
> Paul
> ----
> I'm in shape, my shape just happens to be pear!
>
> If you're not having fun, you're not doing it right!
--
Tony Lambiris [[EMAIL PROTECTED]]
OpenBSD: Because I care. [www.openbsd.org]
**********************************************************
To unsubscribe from this list, send mail to
[EMAIL PROTECTED] with the following text in the
*body* (*not* the subject line) of the letter:
unsubscribe gnhlug
**********************************************************
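The /tmp point made above (a separate /tmp filesystem mounted nosuid, so a
setuid root shell dropped there by an exploit gains nothing) as an added
shell example. This is not code from the original thread or from either
poster; it assumes only awk and the six-column layout shared by /etc/fstab
and /proc/mounts, and the fstab entries it checks are constructed for the
demonstration, not taken from a real host.

```shell
#!/bin/sh
# Added example (not from the original thread): report whether /tmp is a
# separate filesystem and whether it is mounted nosuid (plus nodev/noexec).
# /etc/fstab describes the boot-time configuration and /proc/mounts the
# current state; both use the same columns (device, mountpoint, type,
# options, dump, pass), so one function handles either file.
#
# Exit status: 0 = separate /tmp with nosuid set
#              1 = separate /tmp, but setuid binaries are still honoured
#              2 = /tmp is not a separate filesystem at all (lives on /)

check_tmp_mount() {
    file="$1"
    awk '
        $1 ~ /^#/ || NF < 4 { next }          # skip comments and short lines
        $2 == "/tmp" {
            found = 1
            n = split($4, opts, ",")          # options are comma separated
            for (i = 1; i <= n; i++) {
                if (opts[i] == "nosuid") nosuid = 1
                if (opts[i] == "nodev")  nodev  = 1
                if (opts[i] == "noexec") noexec = 1
            }
        }
        END {
            if (!found) {
                print "/tmp: not a separate filesystem (lives on /)"
                exit 2
            }
            extra = ""
            if (!nodev)  extra = extra " nodev"
            if (!noexec) extra = extra " noexec"
            if (!nosuid) {
                # "defaults" means rw,suid,dev,exec,auto,nouser,async:
                # a setuid shell written here would work as root.
                print "/tmp: separate filesystem, but NOT nosuid" extra
                exit 1
            }
            if (extra != "") print "/tmp: separate and nosuid; also consider:" extra
            else             print "/tmp: separate and nosuid,nodev,noexec"
            exit 0
        }
    ' "$file"
}

# Constructed sample fstab contents (not from a real host).
WEAK_FSTAB='/dev/sda1  /      ext2  defaults                      1 1
/dev/sda2  /tmp   ext2  defaults                      1 2
/dev/sda3  swap   swap  defaults                      0 0'

HARDENED_FSTAB='/dev/sda1  /      ext2  defaults                      1 1
/dev/sda2  /tmp   ext2  defaults,nosuid,nodev,noexec  1 2
/dev/sda3  swap   swap  defaults                      0 0'

demo() {
    tmpdir=$(mktemp -d)
    printf '%s\n' "$WEAK_FSTAB"     > "$tmpdir/fstab.weak"
    printf '%s\n' "$HARDENED_FSTAB" > "$tmpdir/fstab.hardened"
    for f in "$tmpdir/fstab.weak" "$tmpdir/fstab.hardened"; do
        printf '%s: ' "$(basename "$f")"
        check_tmp_mount "$f" || true
    done
    # Live state of this host, when running on Linux.
    if [ -r /proc/mounts ]; then
        printf 'running system: '
        check_tmp_mount /proc/mounts || true
    fi
    rm -rf "$tmpdir"
}
demo
```

The hardened fstab line is the one to copy: `defaults,nosuid,nodev,noexec`
on the /tmp entry, applied to a running box with
`mount -o remount,nosuid,nodev,noexec /tmp`. Two caveats: nosuid only
neutralises the setuid/setgid bits, the dropped binary still runs as the
caller; and noexec blocks direct execution of files on that filesystem but
not a script started as `sh /tmp/script`, so it narrows the attack, it does
not remove it.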