On Wed, 4 Oct 2000, Tony Lambiris wrote:

> On Wed, Oct 04, 2000 at 02:32:42PM -0400, Kenneth E. Lussier wrote:
> > If someone is spending a day or two to lock down a box, then they are
> > either extremely inexperienced or their employer is paying them too
> > much. I can lock down a Linux box, regardless of distribution, in under
> > 10 minutes. Anyone that has been reading my posts over the last few
> > years knows that I am a big fan of the Bastille project, as well as
> > MedusaDS9. Both of those tools make hardening a system trivial. Not to
> > mention that Bastille educates the user while they harden a box. 
> 
> Not knowing what either of these tools are or do, it sounds like they help
> you secure a box? I personally disagree with using 3rd party utils to help
> you secure a box, and I think the reason is pretty obvious. While it may be
> useful to the person just getting into security, it's not something I would
> rely on, or trust for that matter.
> 

You write as if you are a security expert (especially given your
domain name), and have no knowledge of
the Bastille project (a group of people developing scripts to harden
Linux installs, and ensure they are set up correctly)?  I agree that
the user needs to verify for themselves, but they can also verify the
Bastille scripts.  Using Bastille is no different than using SAINT or
another tool to verify that a system is set up correctly.

> > There is a simple point to all of this. Security is not something that
> > you wake up one morning knowing. It is something that is a never ending
> > learning process. If a manager or administrator puts someone in charge
> > of a system that requires high levels of security, then they should find
> > someone with experience. It is not the SysAdmin's fault that they were put
> > in charge of a system and told to do something that they had no
> > knowledge of. That blame should lay solely with the department head. 
> 
> I disagree. We're not talking about a high-profile e-commerce site. We're
> talking about a .edu (notorious for being wide open to exploits). Almost all
> of the "Linux in 24 hours" books tell you the basics of security (i.e.
> inetd.conf, anonymous ftp, etc). You don't need to be a security expert to
> open up inetd.conf and disable what you don't need. You just need common sense
> (hmm, I don't know what imapd is, so I probably won't be using it, so let's
> disable it). It's as simple as that.
> 

And if the person isn't an expert, they shouldn't be held responsible
as such.  Also, blaming the tool (Linux) for the human error (which is
what this thread was about) is still wrong.

Also, e-commerce or .edu, if it's connected to the internet, it's
vulnerable.  That's an issue that the Keene State Administration (not
sysadmin, but PHB's) need to understand.  


> Also, no one forced him to be the admin of the box. Like I said, you think
> someone down there would've been clued in the first time the box was rooted.
> 

You mean you never took a job for which you had to do on-the-job
training?  Must be nice to be competent in everything.  And it appears
from the original post that they aren't clued NOW (i.e. they removed
Linux from the campus network because 1 box was used to crack an
outside site).

> > It amuses me that people seem to think that security is something that
> > you learn by reading a book or two. All of today's best practices will
> > not help you tomorrow. Things change that fast. In my opinion, students
> > do not have the time to keep up with their classes as it is. They should
> > not be expected to keep up with network security on top of everything
> > else. It is extremely time consuming and you can't take a day off from
> > it. 
> 
> Now we're to the point where it shouldn't be security, but common sense. I
> still blame Red Hat for enabling everything by default.
> 

You can blame Red Hat, but it doesn't make it a bug.

> > As for the names of the people who were responsible for the system in
> > question, I find it disturbing that people on this list feel the need to
> > name them. Not only is it not necessary, but it is unprofessional, and
> > it could be detrimental to those people in the future. The mistakes that
> > they may or may not have made as a college student doing work-study
> > should not be dragged out in public.
> 
> Someone wrote me about this, I apologized, because I figured it wasn't a big
> deal, since their name was mentioned in the first post of this thread.
> 

To quote from the first post of this thread:

KSC has traditionally had a Linux server that held student accounts for mail
and web pages.  "Junior Sys Admin" was an independent study for running this
box.  This summer it was used by a couple of people to break into places such as
Bell Atlantic.  The college administration has in absolutely no uncertain terms
decreed that we may only have a Linux box if it is NOT attached to the outside
world.  This is unfortunately not up for any debate.   Linux in a vacuum makes
very little practical sense, but that's what we have to work with.  Because
this makes the "Junior Sys Admin" role almost entirely moot, it will be
WONDERFUL to keep Linux possibilities here through the LUG. 

Show me the name in there.  Took me 1 second to spot that, 2 seconds
tops to post it here.  In fact, you quoted the above post in your
first reply:
Date: Wed, 4 Oct 2000 10:58:38 -0400
From: Tony Lambiris <[EMAIL PROTECTED]>
To: GNHLUG <[EMAIL PROTECTED]>
Subject: Re: KSCLUG

Wherein you, guess what, were the first one to name names.  Want to
try again on the excuses?


> > I defy anyone to say that they have
> > never made a mistake that had serious consequences.
> 
> I haven't.
> 

Right, you forgot the smiley.

> 

------------------------------------------------------------------------
Jeffry Smith      Technical Sales Consultant     Mission Critical Linux
[EMAIL PROTECTED]   phone:603.930.9739   fax:978.446.9470
------------------------------------------------------------------------
Thought for today:  Christmas tree packet n.

   A packet with every single option set for whatever protocol is in use.
   See kamikaze packet, Godzillagram.
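The quoted exchange above turns on one concrete piece of advice: open inetd.conf and comment out what you don't need, because the stock Red Hat install of the day enabled nearly everything. The following is an added example, not code from this thread or from Bastille, showing that check done mechanically: it parses the classic seven-field inetd.conf layout (service, socket type, protocol, wait/nowait, user, server program, arguments), reports which services are actually enabled, and writes a copy with everything outside an explicit allowlist commented out. The sample inetd.conf embedded in it is constructed for the demonstration; the `keep` allowlist is a placeholder the administrator would set from what the box is genuinely meant to serve.

```python
"""Audit an inetd.conf and produce a hardened copy.

Added example (not from the mailing-list thread). The sample inetd.conf
below is constructed, modelled on the default-everything layout the
thread complains about.
"""
from __future__ import annotations

import sys

# Constructed sample: a typical "everything on" inetd.conf.
SAMPLE_INETD_CONF = """\
# inetd.conf  (constructed sample)
ftp     stream  tcp     nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd
shell   stream  tcp     nowait  root    /usr/sbin/tcpd  in.rshd
login   stream  tcp     nowait  root    /usr/sbin/tcpd  in.rlogind
pop-3   stream  tcp     nowait  root    /usr/sbin/tcpd  ipop3d
imap    stream  tcp     nowait  root    /usr/sbin/tcpd  imapd
#finger  stream  tcp     nowait  nobody  /usr/sbin/tcpd  in.fingerd
auth    stream  tcp     nowait  nobody  /usr/sbin/in.identd in.identd -l -e -o
"""

# inetd.conf fields: service socket-type protocol wait/nowait user program [args]
MIN_FIELDS = 6


def _entry_fields(line: str) -> list[str] | None:
    """Return the fields of an active (uncommented) inetd entry, else None."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return None
    fields = stripped.split()
    return fields if len(fields) >= MIN_FIELDS else None


def enabled_services(conf_text: str) -> list[str]:
    """List the service names of every uncommented inetd.conf entry."""
    return [f[0] for f in map(_entry_fields, conf_text.splitlines()) if f]


def harden(conf_text: str, keep: set[str]) -> tuple[str, list[str]]:
    """Comment out every enabled entry whose service is not in `keep`.

    Returns (hardened_text, names_of_services_disabled). Lines that were
    already comments or blank are passed through unchanged.
    """
    out_lines: list[str] = []
    disabled: list[str] = []
    for line in conf_text.splitlines():
        fields = _entry_fields(line)
        if fields and fields[0] not in keep:
            out_lines.append("#" + line)   # disable by commenting out
            disabled.append(fields[0])
        else:
            out_lines.append(line)
    return "\n".join(out_lines) + "\n", disabled


if __name__ == "__main__":
    # Usage: python inetd_audit.py [path-to-inetd.conf]; defaults to the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_INETD_CONF
    print("enabled before:", enabled_services(text))
    # Placeholder allowlist: only the services this box is meant to serve.
    hardened, disabled = harden(text, keep={"pop-3"})
    print("disabled:", disabled)
    print("enabled after:", enabled_services(hardened))
    print(hardened)
```

Running it against the sample reports seven enabled services and leaves only pop-3 active; in practice the output would be written to a new file, diffed against the original, and inetd sent SIGHUP to reload. The point of the allowlist approach over deleting lines one by one is that the decision ("what should this box serve?") is stated once and explicitly, which is the "common sense" step the post describes.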

**********************************************************
To unsubscribe from this list, send mail to
[EMAIL PROTECTED] with the following text in the
*body* (*not* the subject line) of the letter:
unsubscribe gnhlug
**********************************************************