Tony Lambiris wrote:
> 
> On Wed, Oct 04, 2000 at 02:32:42PM -0400, Kenneth E. Lussier wrote:

> Not knowing what either of these tools are or do, it sounds like they help
> you secure a box? I personally disagree with using 3rd party utils to help
> you secure a box, and I think the reason is pretty obvious. While it may be
> useful to the person just getting into security, it's not something I would
> rely on, or trust for that matter.

Please define 3rd party tools. Both of the above mentioned are open
source security tools, MedusaDS9 being kernel implementations. As for the
reason that you claim to be so obvious for not using security tools, I
disagree that it is obvious. I have no idea why you would not use
security tools. Of course, this is completely dependent upon your
definition of 3rd party tools. But I would rather depend on a third party
tool that I can verify if my other option is to depend on the word of
the *BSD maintainers.

> 
> I disagree. We're not talking about a high-profile e-commerce site. We're
> talking about an .edu (notorious for being wide open to exploits).

Since they are so notorious for being insecure, then they should take it
a bit more seriously. Since they are cracked so often, and they are
common targets, then they *ARE* high profile, and they need to be more
careful.

> Almost all
> of the "Linux in 24 hour" books tell you the basics of security (i.e.
> inetd.conf, anonymous ftp, etc). You don't need to be a security expert to
> open up inetd.conf and disable what you don't need. You just need common sense
> (hmm, I don't know what imapd is, so I probably won't be using it, so let's
> disable it). It's as simple as that.

First off, it's a really nice phrase "disable what you don't need". I
like it. But it doesn't make a box secure. What if the purpose of the
box is to be an anonymous ftp server? You need anonymous ftp, so you
leave it in there. But, you don't need telnet, so you take it out. Does
that make the box secure? Nope... As for the "Linux in 24hrs" books, I
liken them to "Become a Doctor in 24hrs". I wouldn't go to that doctor. 
 
> Also, no one forced him to be the admin of the box. Like I said, you think
> someone down there would've been clued in the first time the box was rooted.

I'm sure that no one forced him to be the admin. However, it was a
work-study, and therefore, by nature, it is a learning experience. If no
one took the time to educate him on network security, then he should not
be expected to be knowledgeable about it, nor can he be held accountable for
the outcome.
 
> > It amuses me that people seem to think that security is something that
> > you learn by reading a book or two. All of today's best practices will
> > not help you tomorrow. Things change that fast. In my opinion, students
> > do not have the time to keep up with their classes as it is. They should
> > not be expected to keep up with network security on top of everything
> > else. It is extremely time consuming and you can't take a day off from
> > it.
> 
> Now we're to the point where it shouldn't be security, but common sense. I
> still blame Red Hat for enabling everything by default.

You are right. It is common sense. The administration should not expect
a student to be a security administrator if they have not provided any
training. As for blaming RedHat, you can blame them all you want. Your
blame does not make your statements correct.

> > I defy anyone to say that they have
> > never made a mistake that had serious consequences.
> 
> I haven't.

There are three possibilities for this statement:
1) You have made the mistakes but were never aware of the consequences
2) You have made the mistakes and someone else was good enough to make
sure you never found the problem
3) You're a liar and in your arrogant efforts to be correct, you attempt
to make yourself look better by denying responsibility for your
mistakes.

-- 
Kenny Lussier
Systems Administrator
Mission Critical Linux
***********************************************************
Life is a lesson, you learn it at the end
Reality has become increasingly less accurate
***********************************************************

