At 12:25 PM 6/2/01, Mark Delany wrote:
>On Sat, Jun 02, 2001 at 05:20:01PM +0200, Boris allegedly wrote:
> > Well, there is no button with a text like "press me here" -))))) for
> > the public.
>
>Of course there is, silly.
>
>Now, what do you think most script kiddies do? They don't scour the
>code for exploits as you imply with "there is no button". They simply
>download the hard work of one or two people and install the pre-built
>button. It's trivial. So, "press me here" is as far away as a
>download. You're not seriously suggesting this is a serious security
>barrier are you?

This is a very, very good point. We have unfortunately reached a stage
where the crackers don't need to actually _know_ anything
anymore. They download a port scanner and a root kit, and can
compromise your machine without having any real understanding of what's
going on.
You not only have to protect yourself from the skilled, determined
cracker, but also from the unskilled, casual cracker. The former is
far more difficult than the latter, but fortunately the really talented
black hats have better things to do than hit 99% of the machines out
there.
We had a machine compromised by an exploit in the wu-ftpd package a
couple of years ago. Fortunately, I happened to be on the machine when
it occurred, and was able to monitor the cracker's activities and shut
him down before he was able to cause any real damage.
Based upon the things he typed, he had no idea what he was doing:
cd /etc/init.
cd /etc/init.d
ls
cd etc
ls
ls init*
ls rc*
cd rc.local
ls
ls -al rc.*
cd init.d
And yet, in the space of 5-10 minutes, he was able to break in and
install three trojans.
Sendmail can be secure, if you really know what you're doing and stay
on top of the patches that come out (every three days or so). I don't
have that kind of time, so I'd rather have a mail server that is secure
out of the box. We've been gradually migrating our domains from
sendmail to qmail over the last ~year; I've had to patch sendmail at
least twice, qmail hasn't needed anything since install.
I can deal with (sometimes) sketchy documentation and the hassle of
installing 12 different things to get the results I want - that's
still easier than restoring a machine that's been compromised.
Todd