Re: secure installation
Johannes Wiedersich wrote:
> Javier Fernández-Sanguino Peña wrote:
>> Did you actually try update-notifier on KDE?
>
> Yes, it was installed on my system for some months, but it never informed me about any update. (I get informed via debian-security-announce, though, and install updates 'by hand'.)

OK. I purged update-[manager|notifier] and reinstalled them. Now they work as expected. I don't know what messed up my configuration, since I don't remember ever touching it by hand. (It was installed before etch went stable, though.)

I have adept updater installed on another etch box. It also seems to work ok, although it choked and crashed on the 'warning message' of the last kernel update [1].

Johannes

[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=405716

Re: secure installation
On Wed, 05 Sep 2007 10:01:37 +0200 Johannes Wiedersich [EMAIL PROTECTED] wrote:
> It was installed before etch went stable, though.

That shouldn't affect anything, or at least development tries to avoid that kind of error.

---
Henri Salo

Re: secure installation
On Wed, Aug 22, 2007 at 09:29:10AM +0200, Johannes Wiedersich wrote:
> From the documentation I gather, that update-manager would probably work on kde, but that it just checks, if the package information has changed. This would have to occur either manually or by some cron job, cron-apt etc. So _at least_ it requires reading some manuals and manual configuration. update-notifier also does not suggest or recommend cron-apt or any other backend to commit the required 'aptitude update'.

Did you actually try update-notifier on KDE?

update-notifier itself periodically checks if the package information has changed. There's no need for update-notifier to depend on cron-apt or any 'backend' as it already does the job. If you ask it to install new software it will run update-manager.

Regards
Javier

Re: secure installation
Javier Fernández-Sanguino Peña wrote:
> On Wed, Aug 22, 2007 at 09:29:10AM +0200, Johannes Wiedersich wrote:
>> From the documentation I gather, that update-manager would probably work on kde, but that it just checks, if the package information has changed. This would have to occur either manually or by some cron job, cron-apt etc. So _at least_ it requires reading some manuals and manual configuration. update-notifier also does not suggest or recommend cron-apt or any other backend to commit the required 'aptitude update'.
>
> Did you actually try update-notifier on KDE?

Yes, it was installed on my system for some months, but it never informed me about any update. (I get informed via debian-security-announce, though, and install updates 'by hand'.)

> update-notifier itself periodically checks if the package information has changed. There's no need for update-notifier to depend on cron-apt or any 'backend' as it already does the job. If you ask it to install new software it will run update-manager.

That's what I would expect from its description in 'aptitude show update-[manager|notifier]'. The README, however, states a different story:

    more /usr/share/doc/update-notifier/README

    Upgrade notifier tray icon
    --------------------------

    This is a small tray icon that backgrounds itself and checks for upgrades. It does nothing more. It must be ensured by other means (like a cron job) that a regular apt-get update is done. This is ensured by installing a option into /etc/apt/apt.conf.d to trigger a cron update script.

    It uses FAM to monitor /var/lib/apt/lists/* and /var/lib/update-notifier/dpkg-run-stamp. If they change it updates it's status.

    Needs libgnomeui2.0-dev and libhal-dev to build and gksu to run.

    Based on ideas of Matt Zimmerman und Jeff Waught. Tray example from Lukas Lipka [EMAIL PROTECTED]. Lot's of cleanups from Michiel Sikkes.

    Thanks!
    Michael Vogt

Note, that I don't even have fam installed, I have gamin for some reasons I don't know or remember.

My personal conclusion: Simply installing update-manager (on etch) does not necessarily notify the user of security updates. It might 'automagically' work in some situations, but as long as it doesn't do so in _any_ situation it will just make newbie users feel comfortable, while not providing notifications about security updates.

Johannes

Re: secure installation
On Thu, 23 Aug 2007, Johannes Wiedersich wrote:
> Note, that I don't even have fam installed, I have gamin for some reasons I don't know or remember.

just to exclude one problem: I have gamin as well, instead of fam, and update-notifier works fine here (on gnome).

Bye
Giacomo

--
Giacomo Mulas [EMAIL PROTECTED]
Osservatorio Astronomico di Cagliari

Re: secure installation
On Thu, Aug 23, 2007 at 10:15:25AM +0200, Johannes Wiedersich wrote:
>> Did you actually try update-notifier on KDE?
>
> Yes, it was installed on my system for some months, but it never informed me about any update. (I get informed via debian-security-announce, though, and install updates 'by hand'.)

You are absolutely right. Now that I look at both the code and my system it turns out it's working OK here because I also have cron-apt installed. Fact is, upgrade-notifier's source code contains a cron script for that, it's just not activated for the time being. I guess installing cron-apt should fix that.

>> update-notifier itself periodically checks if the package information has changed. There's no need for update-notifier to depend on cron-apt or any 'backend' as it already does the job. If you ask it to install new software it will run update-manager.
>
> That's what I would expect from its description in 'aptitude show update-[manager|notifier]'.

Yes, and from the manpage. I'm going to go and file a bug.

Regards
Javier

Re: [OT] Warranty was Re: secure installation
>> I believe Microsoft software comes with NO WARRANTY as well. Hell, we should read the small print on all software...
>
> It does come with a warranty, at least in Germany/Europe. Everything you *pay* for has by law two years of warranty. The problem is that almost no one knows that they have this warranty on software.

The act you are referring to is only absolutely binding for contracts between a company and a consumer, not for contracts between two companies.

Willi

Re: secure installation
On Thu, Aug 23, 2007 at 10:15:25AM +0200, Johannes Wiedersich wrote:
> Simply installing update-manager (on etch) does not necessarily notify the user of security updates. It might 'automagically' work in some situations, but as long as it doesn't do so in _any_ situation it will just make newbie users feel comfortable, while not providing notifications about security updates.

I've further investigated this issue. The fact is, the tool that *actually* updates the package database is /etc/cron.daily/apt; that task is installed by Apt, you don't need cron-apt to do it. This cron task uses the Apt::Periodic [1] configuration which is set, for example, in GNOME through the /usr/bin/software-properties application (called in by the desktop System -> Admin -> Software origins -> Updates). Through the GUI you can set when to check for updates (and modify Apt's configuration accordingly). I believe by default, in GNOME, it is configured to download the lists (but not the packages themselves) daily.

The fact that update-notifier doesn't work in KDE for you might be because either you don't have installed (or KDE lacks) an application that handles that piece of Apt's configuration for you, or maybe because some other application mangled it.

In my /etc/apt/apt.conf.d/10periodic file (file installed by update-manager) I have this:

    APT::Periodic::Update-Package-Lists "1";
    APT::Periodic::Download-Upgradeable-Packages "0";

You probably have something else there?

Regards
Javier

[1] A configuration option of Apt which is used, but currently not documented :) (#438559)

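The check implied by this message and by the update-notifier README quoted earlier in the thread, as an added example that is not part of the original posts: update-notifier only reacts when the package lists change, so the script verifies that the daily cron job is present, that APT::Periodic::Update-Package-Lists is non-zero, and that the lists were actually refreshed recently. The function names, the 2-day threshold and the parser limited to the flat option syntax are assumptions of this example; the demo runs on a constructed directory tree.

```shell
#!/bin/sh
# Added example (not from the thread). Paths are parameters, so the check can
# be pointed at /etc/apt/apt.conf.d, /etc/cron.daily/apt and /var/lib/apt/lists
# on a real system, or at a constructed tree as in demo() below.

# periodic_value CONF_DIR KEY
# Print the effective value of APT::Periodic::KEY ("0" when unset). Files are
# read in sorted order and the last assignment wins, as with apt.conf.d.
# Assumption: only the flat 'APT::Periodic::Key "value";' form is parsed,
# not nested { } scopes, and option names are matched case-sensitively.
periodic_value() {
    pv_value=
    for pv_file in "$1"/*; do
        [ -f "$pv_file" ] || continue
        pv_found=$(sed -n \
            "s|^[[:space:]]*APT::Periodic::$2[[:space:]]*\"\{0,1\}\([^\";[:space:]]*\)\"\{0,1\}[[:space:]]*;.*|\1|p" \
            "$pv_file" | tail -n 1)
        if [ -n "$pv_found" ]; then
            pv_value=$pv_found
        fi
    done
    printf '%s\n' "${pv_value:-0}"
}

# lists_fresh LISTS_DIR MAX_DAYS
# Succeed if any file under LISTS_DIR was modified less than MAX_DAYS days ago.
# The notifier watches this directory, so stale lists mean no prompts at all.
lists_fresh() {
    [ -n "$(find "$1" -type f -mtime "-$2" 2>/dev/null | head -n 1)" ]
}

# audit_update_check CONF_DIR CRON_SCRIPT LISTS_DIR [MAX_DAYS]
# Print one verdict word and return 0 only for "ok":
#   no-cron-job  the daily apt cron script is missing or not executable
#   disabled     Update-Package-Lists is 0 or unset, so the job does nothing
#   stale        enabled on paper, but the lists have not been refreshed
audit_update_check() {
    au_interval=$(periodic_value "$1" Update-Package-Lists)
    if [ ! -x "$2" ]; then
        echo "no-cron-job"; return 1
    fi
    if [ "$au_interval" = 0 ]; then
        echo "disabled"; return 1
    fi
    if ! lists_fresh "$3" "${4:-2}"; then
        echo "stale"; return 1
    fi
    echo "ok"
}

demo() {
    demo_root=$(mktemp -d) || return 1
    mkdir -p "$demo_root/apt.conf.d" "$demo_root/lists"

    # Constructed sample: the two 10periodic settings quoted in the message.
    printf '%s\n' \
        'APT::Periodic::Update-Package-Lists "1";' \
        'APT::Periodic::Download-Upgradeable-Packages "0";' \
        > "$demo_root/apt.conf.d/10periodic"

    # Constructed stand-in for /etc/cron.daily/apt.
    printf '#!/bin/sh\n' > "$demo_root/cron-daily-apt"
    chmod +x "$demo_root/cron-daily-apt"

    # Constructed list file with an old timestamp: configured but never run.
    touch -t 200708230000 "$demo_root/lists/constructed_Packages"
    echo "old lists:   $(audit_update_check "$demo_root/apt.conf.d" \
        "$demo_root/cron-daily-apt" "$demo_root/lists")"

    # Same tree after a refresh.
    touch "$demo_root/lists/constructed_Packages"
    echo "fresh lists: $(audit_update_check "$demo_root/apt.conf.d" \
        "$demo_root/cron-daily-apt" "$demo_root/lists")"

    # A later file silently switching the refresh off ("mangled" configuration).
    printf '%s\n' 'APT::Periodic::Update-Package-Lists "0";' \
        > "$demo_root/apt.conf.d/99local"
    echo "overridden:  $(audit_update_check "$demo_root/apt.conf.d" \
        "$demo_root/cron-daily-apt" "$demo_root/lists")"

    rm -rf "$demo_root"
}

demo
```

On a live system `apt-config dump` prints the merged configuration, which also covers the nested syntax this parser skips.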
Re: secure installation
Javier Fernández-Sanguino Peña wrote:
> I didn't say what you put here and do not have any intention to start a flamewar. I'm just saying that Debian KDE users with no update-notifier *might* not be *as* aware of available security updates as users of GNOME with it. That's it. (Notice the use of 'might' in both of my statements)

Sorry for my misunderstanding you. It's been a busy day.

>> Maybe the lack of an update-manager for kde just reflects the fact that kde users are more security aware and don't need as much automatic nagging. (I am not claiming that this is the case, I am just claiming that it is just as legitimate to claim the opposite of what you have been claiming.)
>
> Actually, I've just found that there is actually an update-notifier for KDE, it's provided by adept (a package management interface similar to synaptic). Try installing adept-notifier.

From the documentation I gather, that update-manager would probably work on kde, but that it just checks, if the package information has changed. This would have to occur either manually or by some cron job, cron-apt etc. So _at least_ it requires reading some manuals and manual configuration. update-notifier also does not suggest or recommend cron-apt or any other backend to commit the required 'aptitude update'.

I will check, if adept-notifier will work in a more straightforward manner.

Friendly regards,
Johannes

Re: secure installation
On Tue, Aug 21, 2007 at 03:50:44PM +0200, Javier Fernández-Sanguino Peña wrote:
> On Tue, Aug 21, 2007 at 09:32:35AM +, [EMAIL PROTECTED] wrote:
>> is one of those installed by default ?
>
> No, as I said, users have to select one of them and install it themselves.

well, I think you make an excellent point that Debian has really good documentation that points all this out, but I worry about assuming that users will read it.

I can only assume that the question of whether to include firestarter in the default install will have been considered and will continue to be reconsidered by folk who are looking at the question more closely than I am. From the outside it seems a little odd.

I wonder whether something like the tasks dialogue that you get on windows sbs might make a useful addition to direct users to the documentation.

And I still wonder whether there aren't sufficiently different needs for users of differing experience that it might make sense to have an option at install time. It is a commonly used idiom.

Regards,
Paddy

[OT] Warranty was Re: secure installation
Jose Marrero wrote:
> I believe Microsoft software comes with NO WARRANTY as well. Hell, we should read the small print on all software...

It does come with a warranty, at least in Germany/Europe. Everything you *pay* for has by law two years of warranty. The problem is that almost no one knows that they have this warranty on software.

If people encounter problems, it is often difficult to fix them, but for the average M$ user it is even more difficult

- to prove that it actually is a bug in the software.
- to ask the shop for a fix.

(Legally the buyer has a contract with the seller of the product, so technically the warranty is issued by the shop, not by the producer of the software. This puts companies like microsoft in the convenient situation of taking all their money for the sale without having to deal with problems later on.)

Johannes

Re: secure installation
Javier Fernández-Sanguino Peña wrote:
> Actually, I've just found that there is actually an update-notifier for KDE, it's provided by adept (a package management interface similar to synaptic). Try installing adept-notifier.

Perhaps it's time to revisit dropping kpackage from kde-desktop and adding adept. The kde task could use more people using it and making decisions like this about its contents.

--
see shy jo

Re: secure installation
Javier Fernández-Sanguino Peña wrote:
> On Fri, Aug 17, 2007 at 10:01:54AM +0200, Johannes Wiedersich wrote:
>> PS 2: While we are at it: debian by default also does not install or enable an automated system to install security updates. It is the responsibility of the user to decide whether and when security updates are installed.
>
> Not exactly true. If you are installing a Debian system with a network connection the installation system will add security.debian.org automatically to your sources lists and update the packages you were going to install from CD/DVD from that source. Automatically, unless the user goes into a 'power-user' configuration or the system is not connected to the network.

Not exactly true. Debian adds security repositories to apt's sources, that's true. But it does _not_ automatically install them on your system. It was my point that debian does not by default provide an automated system to _install_ security updates.

> Also, a Debian etch install of the Desktop environment (or just the GNOME environment) brings you 'update-manager' which *is* a system to install security updates if the box has been configured with a proper security source (which happens out of the box for most network-connected installations). In this case security updates are not, however, forced on you. You just get a gentle reminder that they are available.

So even automatic _reminders_ to install security updates are only enabled, if the user either installs gnome (I use kde) or specifically knows of and installs the appropriate tool. I have not tried exhaustively, but update-manager does not appear to work 'automatically' with kde, at least not for myself. It only works, if I start it manually and that's even less convenient than a simple 'aptitude update; aptitude upgrade'.

Note that I am not saying that I miss this 'automatic security'. Conversely, my point was that the user should be educated to know and care about security and should not be educated to trust any 'automatic security'.

Johannes

Re: secure installation
On Tue, Aug 21, 2007 at 09:00:47AM +0200, Johannes Wiedersich wrote:
> So even automatic _reminders_ to install security updates are only enabled, if the user either installs gnome (I use kde) or specifically knows of and installs the appropriate tool. I have not tried exhaustively, but update-manager does not appear to work 'automatically' with kde, at least not for myself. It only works, if I start it manually and that's even less convenient than a simple 'aptitude update; aptitude upgrade'.

It is an interesting problem.

If you wanted to be reasonably sure that such a reminder would reach the user (unless it were explicitly disabled), regardless of the choice of UI style, how would you do it ?

I imagine one of the available options would send you an email ? or you could stick it in the MOTD ... what about headless web-interface controlled systems ?

Is the whole idea of such mandatory features really compatible with Debian, or more generally, software freedom ?

Regards,
Paddy

Re: secure installation
On Mon, Aug 20, 2007 at 07:51:30PM +0200, Javier Fernández-Sanguino Peña wrote:
> IMHO the distro already solves the problem. See http://www.debian.org/doc/manuals/securing-debian-howto/ch-sec-services.en.html#s-firewall-setup (more in depth at http://wiki.debian.org/Firewalls)
>
> Each user has a different set of needs and Debian provides different firewalling tools for each of them:
>
> - Are you a novice user running GNOME: use firestarter (don't use gnome-lokkit, it's no longer developed)

is that installed by default ?

> - Are you a novice user running KDE: use guarddog or knetfilter

is one of those installed by default ?

Regards,
Paddy Smith

Re: secure installation
On Tue, Aug 21, 2007 at 09:32:35AM +, [EMAIL PROTECTED] wrote:
> is one of those installed by default ?

No, as I said, users have to select one of them and install it themselves.

Regards
Javier

Re: secure installation
On Tue, Aug 21, 2007 at 09:00:47AM +0200, Johannes Wiedersich wrote:
> Not exactly true. Debian adds security repositories to apt's sources, that's true. But it does _not_ automatically install them on your system. It was my point that debian does not by default provide an automated system to _install_ security updates.

Yes, a Debian default install *does* install security updates. Please read "Selecting and Installing Software" http://d-i.alioth.debian.org/manual/en.i386/ch06s03.html#di-system-setup

This step takes place after apt is configured to add external sources and, as the manual says, "Even when packages are included on the CD-ROM, the installer may still retrieve them from the mirror if the version available on the mirror is more recent than the one included on the CD-ROM."

This is not even specific to etch, it has been true for some releases already.

> So even automatic _reminders_ to install security updates are only enabled, if the user either installs gnome (I use kde) or specifically knows of and installs the appropriate tool. I have not tried exhaustively, but update-manager does not appear to work 'automatically' with kde, at least not for myself. It only works, if I start it manually and that's even less convenient than a simple 'aptitude update; aptitude upgrade'.

GNOME is the *standard* desktop environment in Debian. A default Debian installation installs both KDE and GNOME but gdm is the default window manager and when users log in they get into a GNOME Desktop by default. So your "if the user either installs gnome..." conditional is moot.

> Note that I am not saying that I miss this 'automatic security'. Conversely, my point was that the user should be educated to know and care about security and should not be educated to trust any 'automatic security'.

Educating users also involves raising awareness that they *have* to keep their system up-to-date with security patches both to prevent local and remote exploits. The fact that KDE (or Xfce) does not have an equivalent to the update-manager is, IMHO, worrisome, as users of that Desktop environment might not be as aware of this need as users of GNOME.

Update-manager does a good job at highlighting security updates and explaining why they are needed. Even if it does not force users to install them.

Regards
Javier

Re: secure installation
On Tue, Aug 21, 2007 at 09:06:18AM +, [EMAIL PROTECTED] wrote:
> I imagine one of the available options would send you an email ? or you could stick it in the MOTD ... what about headless web-interface controlled systems ?

For those systems there's cron-apt and debsecan. Your choice. Both use the local MTA to deliver their message.

This is more or less explained in the "Keep your system secure" section of the Securing Debian Manual http://www.debian.org/doc/manuals/securing-debian-howto/ch10.en.html#s-keep-secure although it's a bit dated (doesn't explain debsecan too much, doesn't mention update-manager and mentions Tiger, which I should remove from there).

Regards
Javier

Re: Secure Installation
On Fri, Aug 17, 2007 at 03:04:42PM -0700, Jack T Mudge III wrote:
> On Thursday 16 August 2007 15:09, R. W. Rodolico wrote:
>> Unfortunately, I have to point to some of the user oriented firewalls you get for windoze (which, to my knowledge, Linux does not have). When they are installed, they shut down basically everything incoming, and all but a few standard outgoing ports (http, smtp, pop and imap). When an application tries to go out of another port, a pop-up informs the user and they can choose to accept, accept or reject, with a forever modifier on both, and the firewall changes its rules appropriately.
>
> The problem with these lies on 2 levels. The first is that all network traffic would have to somehow be routed through this application, which in windows is no big deal as all that is already in place. But we haven't installed that infrastructure, so it would be tougher to get that running in the first place. This is not a primary concern regarding the firewall, but it is an issue if we do eventually decide to integrate a firewall like that.

Iptables can already do this, it can communicate with user-space applications. There's just no desktop-oriented firewall application (that I know of) that uses this feature.

Some applications (firestarter at least), however, do allow you to see the firewall logs and enable/disable rules based on rejected traffic. Not very intuitive, however, and no information of which process is responsible for the outgoing communication or would receive the incoming communication.

Regards
Javier

Re: secure installation
Javier Fernández-Sanguino Peña wrote:
> On Tue, Aug 21, 2007 at 09:00:47AM +0200, Johannes Wiedersich wrote:
>> Not exactly true. Debian adds security repositories to apt's sources, that's true. But it does _not_ automatically install them on your system. It was my point that debian does not by default provide an automated system to _install_ security updates.
>
> Yes, a Debian default install *does* install security updates.

Only at the installation. It does *not* automatically install security updates on a regular basis, and that was my point. Read my mail again.

>> So even automatic _reminders_ to install security updates are only enabled, if the user either installs gnome (I use kde) or specifically knows of and installs the appropriate tool. I have not tried exhaustively, but update-manager does not appear to work 'automatically' with kde, at least not for myself. It only works, if I start it manually and that's even less convenient than a simple 'aptitude update; aptitude upgrade'.
>
> GNOME is the *standard* desktop environment in Debian. A default Debian installation installs both KDE and GNOME but gdm is the default window manager and when users log in they get into a GNOME Desktop by default. So your "if the user either installs gnome..." conditional is moot.

User's choices are different. There is an official installation CD that installs kde without gnome. A *standard* installation installs neither gnome nor kde, though the desktop task may install both (haven't checked in a while).

>> Note that I am not saying that I miss this 'automatic security'. Conversely, my point was that the user should be educated to know and care about security and should not be educated to trust any 'automatic security'.
>
> Educating users also involves raising awareness that they *have* to keep their system up-to-date with security patches both to prevent local and remote exploits. The fact that KDE (or Xfce) does not have an equivalent to the update-manager is, IMHO, worrisome, as users of that Desktop environment might not be as aware of this need as users of GNOME.

I agree with the first half of that statement, but I fail to grasp why kde users (including, say Linus T.) should be less aware of security than gnome users. Are you just trying to start a flame?

Maybe the lack of an update-manager for kde just reflects the fact that kde users are more security aware and don't need as much automatic nagging. (I am not claiming that this is the case, I am just claiming that it is just as legitimate to claim the opposite of what you have been claiming.)

> Update-manager does a good job at highlighting security updates and explaining why they are needed. Even if it does not force users to install them.

Agreed.

Johannes

Re: Secure Installation
On Tuesday 21 August 2007, Javier Fernández-Sanguino Peña wrote:
> Iptables can already do this, it can communicate with user-space applications. There's just no desktop-oriented firewall application (that I know of) that uses this feature.

There is one - fireflier by Martin Maurer. Surprisingly, it has not received much interest so far, despite having been a proper Debian package for some time now.

I still think it is a good implementation of a desktop-style firewall for Linux, and it's available right now. This might be a good moment to try it though, as Martin is considering to drop upstream development due to lack of user interest ;-)

with best regards,
Rene

Re: secure installation
On Tue, Aug 21, 2007 at 05:13:43PM +0200, Johannes Wiedersich wrote:
>> Educating users also involves raising awareness that they *have* to keep their system up-to-date with security patches both to prevent local and remote exploits. The fact that KDE (or Xfce) does not have an equivalent to the update-manager is, IMHO, worrisome, as users of that Desktop environment might not be as aware of this need as users of GNOME.
>
> I agree with the first half of that statement, but I fail to grasp why kde users (including, say Linus T.) should be less aware of security than gnome users. Are you just trying to start a flame?

I didn't say what you put here and do not have any intention to start a flamewar. I'm just saying that Debian KDE users with no update-notifier *might* not be *as* aware of available security updates as users of GNOME with it. That's it. (Notice the use of 'might' in both of my statements)

> Maybe the lack of an update-manager for kde just reflects the fact that kde users are more security aware and don't need as much automatic nagging. (I am not claiming that this is the case, I am just claiming that it is just as legitimate to claim the opposite of what you have been claiming.)

Actually, I've just found that there is actually an update-notifier for KDE, it's provided by adept (a package management interface similar to synaptic). Try installing adept-notifier.

Regards
Javier

Re: secure installation
On Fri, Aug 17, 2007 at 09:41:41AM -0400, Celejar wrote:
> On Thu, 16 Aug 2007 16:49:36 -0700 Russ Allbery [EMAIL PROTECTED] wrote:
>
> [snip]
>
>> Firewalls are good in the situation where, whenever you open up new network access, you want to have to make that choice independently in multiple locations. I'm dubious that this matches the desires of the average user or that forcing them to do this will really result in more security as opposed to further training to just always click Okay. It's great for administrators who want paranoid control over such things.
>
> I'm no security expert, but I would suggest that a benefit of 'Personal' firewalls is the provision of a simple, systematic way of restricting access to services. Yes, many apps offer some way of doing this, but remembering each one's different method of doing this can be a headache. I suppose one really should, for maximum security, but I think there's still benefit in a simpler, consistent system. Additionally, not all apps do this the same way; for example, sshd can be configured to bind to a specific IP address, but what if the address is unknowable in advance? Can it be limited to a specific interface, as can be accomplished with a firewall? Even if the answer is yes, my point about simplicity remains.
>
> I may be off base here; I'm just expressing my (limited) understanding of the issue.

no, you are bang on the mark! absolutely spot on!

I can't help wondering if the problem is more one of the distro being able to solve the problem of how to supply an implementation, and I'm not sure how much further forward the conversation can move without getting its hands dirty.

Regards,
Paddy

Re: secure installation
On Fri, Aug 17, 2007 at 07:15:06PM +0100, Joe wrote:
> Pat wrote:
>> Whose responsibility is it, in the US if you manufacture a defective product legally it is your responsibility if someone is harmed.
>
> There's a bit of a difference between a defective product and one incorrectly used. When a driver knocks down a pedestrian, should the car manufacturer be the party that gets prosecuted?

Cars are a difficult example. Experience has shown that they are inherently dangerous in the hands of the driving population as a whole. People will die, by design. That's not a defective product, that's a dangerous product.

The car industry knows this and spends money trying to mitigate the problem, and governments know this and regulate to try to mitigate the problem.

Software failures *are* in the worst cases life threatening, and everyday non-safety-critical systems can easily be a very serious nuisance to other users.

Regards,
Paddy

Re: secure installation
On 8/20/07, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
> Software failures *are* in the worst cases life threatening, and everyday non-safety-critical systems can easily be a very serious nuisance to other users.

I propose we stick a label on: This software is not meant to be run in life support systems.

Oh wait, tis already there... Debian comes with ABSOLUTELY NO WARRANTY, to the extent permitted by applicable law.

Settled then? :-P

regards,
Izak

Re: secure installation
> thus defeat the purpose). A default firewall simply can't work, even if we had some way to implement it perfectly for all packages (without breaking any, which we undoubtedly would).

It all depends on context - I agree that a default firewall for debian is stupid, but if you look at the way an OpenBSD box looks when the default install is done, that is my ideal. I happen to prefer the way thing generally are done in debian, but on the initial install, OpenBSD whips any other OS I've seen. It has pf on by default and only allows SSH connections. Ideal.

Would that be a good idea for a workstation? No - nightmare.

Is it a good idea for a server? Yes absolutely. Servers, unless they are packaged appliance distros or subdistros, should always have the bare minimum of services and allow SSH only by default.

$.02
_a

--
alex black, founder
the turing studio, inc.

Re: secure installation
On Mon, Aug 20, 2007 at 09:04:18AM +, [EMAIL PROTECTED] wrote:

>> I'm no security expert, but I would suggest that a benefit of 'Personal' firewalls is the provision of a simple, systematic way of restricting access to services. Yes, many apps offer some way of doing this, but remembering each one's different method of doing this can be a headache. I suppose one really should, for maximum security, but I think there's still benefit in a simpler, consistent system. Additionally, not all apps do this the same way; for example, sshd can be configured to bind to a specific IP address, but what if the address is unknowable in advance? Can it be limited to a specific interface, as can be accomplished with a firewall? Even if the answer is yes, my point about simplicity remains. I may be off base here; I'm just expressing my (limited) understanding of the issue.
>
> no, you are bang on the mark! absolutely spot on! I can't help wondering if the problem is more one of the distro being able to solve the problem of how to supply an implementation, and I'm not sure how much further forward the conversation can move without getting its hands dirty.

IMHO the distro already solves the problem. See http://www.debian.org/doc/manuals/securing-debian-howto/ch-sec-services.en.html#s-firewall-setup (more in depth at http://wiki.debian.org/Firewalls)

Each user has a different set of needs and Debian provides different firewalling tools for each of them:

- Are you a novice user running GNOME: use firestarter (don't use gnome-lokkit, it's no longer developed)
- Are you a novice user running KDE: use guarddog or knetfilter
- Are you an admin that wants a nice interface: use shorewall, fwbuilder or firehol

As you have different tools to use you just have to select one and use it. The default installation of the desktop environment does not install multiple firewall frontends as they would conflict between each other. The user has to make a decision as to which one they prefer to use (if any).

Regards

Javier
Re: secure installation
On Fri, Aug 17, 2007 at 12:24:27AM +0200, Izak Burger wrote:

> On 8/16/07, Jack T Mudge III [EMAIL PROTECTED] wrote:
>
>> My personal view is that there are plenty of simpler distributions out there, knoppix for first-time users, Ubuntu/Suse for novices, and RedHat for people who need hand-holding. Debian is primarily for advanced users, and for users who have someone looking over their shoulder. We shouldn't over-simplify debian so that users not in its target audience can use it.
>
> I like your viewpoint. I was just trying to remember exactly what is open to the world on a brand new ubuntu installation, but I haven't done a new install in a while so this is up to memory. I know there is no MTA. There is also no sshd or portmap. Not even an inetd. It will however respond if you ping it. Now THAT is the sort of thing I like. Secure out of the box.

You'll find that a simple default Debian installation of etch is not really that exposed:

- exim MTA configured to loopback only
- portmap installed, open to the world, but can be configured for loopback only
- identd installed, but with no services which makes it not run at all (unless you install some other inetd services that is).
- sshd (server) not installed by default

Portmap is needed for NFS support out of the box and, IIRC, for GNOME's fam but can easily be configured to be loopback-only.

Ubuntu decided on a no open ports policy [0] in their first releases (which was a very good choice, if you ask me). They did *not* drop portmap initially (FAM depended on it) but they made it not listen to the network as the user segment they were catering for (desktop-oriented users) doesn't need or use NFS, at least not all of them (see [1] https://bugs.launchpad.net/ubuntu/+source/portmap/+bug/50558). Also, in earlier releases (5.x) an MTA (Postfix) was included. Later releases (6.06) dropped portmap altogether.

But the latest release (6.10) [2] installs Avahi (mDNS) open to the world, they decided to do this due to the features it provided (Zeroconf) and after making sure it had been properly audited. However, there have been more Avahi vulnerabilities (3 DoS and 1 remote BoF since 2006) than there have been in Wietse Venema's portmap (1 DoS vulnerability in 1998).

I do not want to get into a flamewar on who's more secure, those are just the facts. I just want to show how design decisions affect the selection of the default install software. Debian caters to a larger population than Ubuntu's which means that Ubuntu developers can be more restrictive on what they put on the default installation.

BTW, the reason that Debian's portmap can now be bound only to the loopback interface in Desktop environments (if configured to do so) is that we merged in a patch from Ubuntu that did this precisely.

Regards,

Javier

[0] https://wiki.ubuntu.com/DefaultNetworkServices
[1] https://bugs.launchpad.net/ubuntu/+source/portmap/+bug/50558
[2] https://help.ubuntu.com/community/HowToZeroconf
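The distinction drawn in the message above, between a service bound to loopback only and one open to the world, can be checked directly from the kernel's socket table. The following is an added example, not part of the original thread: it parses the Linux `/proc/net/tcp` and `/proc/net/tcp6` format and sorts listening sockets into the two groups. The sample tables are constructed to mirror the etch defaults described (an MTA on 127.0.0.1:25, portmap on 0.0.0.0:111); the function names are assumptions of this example, and it covers TCP only.

```python
"""Classify TCP listeners as loopback-only or network-reachable."""
import ipaddress
import os
import struct

TCP_LISTEN = "0A"  # state code the kernel prints for a listening socket

# Constructed sample in /proc/net/tcp layout (not captured from a real host):
# 127.0.0.1:25 listening, 0.0.0.0:111 listening, one established connection.
SAMPLE_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0019 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 5012 1
   1: 00000000:006F 00000000:0000 0A 00000000:00000000 00:00000000 00000000     1        0 4711 1
   2: 0F02000A:8A3C 0102000A:0050 01 00000000:00000000 00:00000000 00000000  1000        0 9001 1
"""

# Constructed sample in /proc/net/tcp6 layout: [::1]:631 listening.
SAMPLE_TCP6 = """\
  sl  local_address                         remote_address                        st
   0: 00000000000000000000000001000000:0277 00000000000000000000000000000000:0000 0A
"""


def decode_endpoint(field):
    """Turn 'HEXADDR:HEXPORT' into (ip_address, port).

    The kernel prints each 32-bit word of the address in host byte order;
    this example assumes a little-endian host (x86 and most ARM systems).
    """
    addr_hex, port_hex = field.split(":")
    raw = bytes.fromhex(addr_hex)
    count = len(raw) // 4
    words = struct.unpack("<%dI" % count, raw)
    packed = struct.pack(">%dI" % count, *words)
    return ipaddress.ip_address(packed), int(port_hex, 16)


def listeners(table_text):
    """Return (ip, port) for every socket in LISTEN state in one table."""
    found = []
    for line in table_text.splitlines():
        fields = line.split()
        # Data rows start with a slot number such as '0:'; skip the header.
        if len(fields) < 4 or not fields[0].endswith(":"):
            continue
        if fields[3] != TCP_LISTEN:
            continue
        found.append(decode_endpoint(fields[1]))
    return found


def audit(*tables):
    """Split listeners into loopback-only and network-reachable."""
    report = {"loopback": [], "network": []}
    for table in tables:
        for ip, port in listeners(table):
            key = "loopback" if ip.is_loopback else "network"
            report[key].append((str(ip), port))
    for key in report:
        report[key].sort()
    return report


if __name__ == "__main__":
    paths = ["/proc/net/tcp", "/proc/net/tcp6"]
    if all(os.path.exists(p) for p in paths):
        tables = [open(p).read() for p in paths]
    else:
        tables = [SAMPLE_TCP, SAMPLE_TCP6]  # fall back to constructed data
    for kind, socks in audit(*tables).items():
        for ip, port in socks:
            print("%-8s %s port %d" % (kind, ip, port))
```

A wildcard bind (0.0.0.0 or ::) lands in the "network" group because it accepts connections on every interface, which is the case a packet filter would otherwise have to cover.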
Re: secure installation
On Fri, Aug 17, 2007 at 10:01:54AM +0200, Johannes Wiedersich wrote:

> PS 2: While we are at it: debian by default also does not install or enable an automated system to install security updates. It is the responsibility of the user to decide whether and when security updates are installed.

Not exactly true. If you are installing a Debian system with a network connection the installation system will add security.debian.org automatically to your sources lists and update the packages you were going to install from CD/DVD from that source. Automatically, unless the user goes into a 'power-user' configuration or the system is not connected to the network.

Also, a Debian etch install of the Desktop environment (or just the GNOME environment) brings you 'update-manager' which *is* a system to install security updates if the box has been configured with a proper security source (which happens out of the box for most network-connected installations). In this case security updates are not, however, forced on you. You just get a gentle reminder that they are available.

Regards

Javier
Re: secure installation
On Monday 20 August 2007 10:47, alex black wrote:

>> thus defeat the purpose). A default firewall simply can't work, even if we had some way to implement it perfectly for all packages (without breaking any, which we undoubtedly would).
>
> It all depends on context - I agree that a default firewall for debian is stupid, but if you look at the way an OpenBSD box looks when the default install is done, that is my ideal. I happen to prefer the way things generally are done in debian, but on the initial install, OpenBSD whips any other OS I've seen. It has pf on by default and only allows SSH connections. Ideal.
>
> Would that be a good idea for a workstation? No - nightmare. Is it a good idea for a server? Yes absolutely. Servers, unless they are packaged appliance distros or subdistros, should always have the bare minimum of services and allow SSH only by default.
>
> $.02
>
> _a
>
> -- alex black, founder the turing studio, inc.

I apologize if what I meant was clear. I declined to include the word 'debian' here, because the context is clear from previous posts in the thread.

Excellent point, though. Workstations don't need a firewall. Servers probably do. I don't disagree (I wholly agree, actually). However, the typical server is set up by someone who knows what they're doing (not someone who would need help setting up a firewall), and has specific requirements.

My intention wasn't to say a default firewall can never work, but that it can't work for debian, given the community/ideology and existing user-base surrounding it.

--
Sincerely, Jack [EMAIL PROTECTED]
My GPG Public Key can be found at: https://www.theanythingbox.com/pgp.htm (top link is current)
I appreciate signatures, but if you only know me online, please use the --lsign-key, not the --sign-key. I appreciate trust -- but too much makes it less valuable.
Re: secure installation
> My intention wasn't to say a default firewall can never work, but that it can't work for debian, given the community/ideology and existing user-base surrounding it.

Ah, now we disagree: I just think you should have install profiles and make reasonable, basic assumptions based on that profile. Uh, disclosure of ignorance: it has actually been more than two years since I installed debian myself - everything is virtualized so I just get copies of a default install.

Anyway: for a workstation install: no firewall, install X, etc etc.. For a server: default 22 only, ssh only, no other processes but those that are necessary to run the os.

_a
Re: secure installation
On Fri, 17 Aug 2007 19:15:06 +0100 Joe [EMAIL PROTECTED] wrote:

[snip]

> A few points I think should be mentioned that have not yet been:
>
> Egress filtering in Windows personal firewalls, and finally built into Vista, is there in response to spyware. This is not yet a Linux problem, and is never likely to be as severe, but it will happen when children start using Linux in significant numbers. These firewalls also tend to monitor the originating executable, and warn the user when its signature changes, something we would normally associate with an IDS rather than a firewall. But on the whole, a process with the privilege to install would also have the privilege to disable the firewall, so it is doubtful whether a personal firewall is of much use to a root user. It is far more

There's also the point that egress filtering and monitoring executable signatures doesn't catch malware that communicates with the outside world via standard system apps / utilities using standard ports, e.g. wget or even ssh.

Celejar
--
mailmin.sourceforge.net - remote access via secure (OpenPGP) email
ssuds.sourceforge.net - A Simple Sudoku Solver and Generator
Re: secure installation
On 2007-08-15 23:07:22, Paweł Krzywicki wrote:

> Yes, but not everyone is able to make one... There are a lot of people who are using Debian only as a workstation to create for example some OO documents, and they really don't need to know what iptables is or some other packages involved in security issues...

I use Debian since Slink and have never installed a firewall or ipfwadm/ipchains/iptables on my workstations and laptops. Even my embedded systems which are 100% exploited to the Internet have no one. I was never hacked in the last 8 1/2 years.

My main server (Sun Blade) in Paris is connected over a Dual STM-4 to the Internet without router, firewall and iptables installed. It has run since December 1999 without being hacked.

I will say, if you really NEED a firewall or iptables, then you have opened your workstation/server your own and you know what you do. I do not like to get useless software installed on every system I install.

Thanks, Greetings and nice Day

Michelle Konzack
Systemadministrator
Tamay Dogan Network
Debian GNU/Linux Consultant
Re: secure installation
On 2007-08-15 22:47:12, Pat wrote:

> 1) What if someone (and I am sure it happens more often than you may realize) who is clueless about computers decides to download Debian, installs it, get hacked, trojaned horsed, their credit cards numbers stolen, etc.

How can this happen? I was never hacked since 1999-03...

> It is called responsibility, and we cannot blame it on them for knowing nothing, we can't all be computer security experts. In addition you have the option within lokkit to select no firewall if that is what you really want, so it seems to leave freedom of choice as to how to use your computer enabled, along with the option to uninstall it completely.

A firewall is useless on a Debian-Standard-System, WHERE $NOOB will install a simple workstation to write OO docs and surf the web.

> 2) rp_filter provides protection against ip address spoofing which most machines not otherwise protected by a firewall need. again, you would have the same option to turn it off if you feel you do not need the protection.

Oh yes, I can turn it off by over 2900 Installations I maintain... And then I have an Admin-Friend in a WW-Enterprise which maintains with his colleagues over 27.000 Machines... rp_filters can be deactivated on all machines...

I know some people on the Debian lists which are working in enterprises with more than those machines... and I am sure, there are more server installations worldwide than workstations... (DEBIAN of course)

> 3) All I have installed is the base package, Xwindows, and a desktop.

Which does not need a firewall and iptables, IF you have not modified the System by hand... which is only possible if you know what you do.

Thanks, Greetings and nice Day

Michelle Konzack
Systemadministrator
Tamay Dogan Network
Debian GNU/Linux Consultant
Re: secure installation
Quoting Michelle Konzack ([EMAIL PROTECTED]):

> How can this happen? I was never hacked since 1999-03...

One way: Break-in without Remote Exploit on http://linuxmafia.com/kb/Security

(***cough*** shells.sourceforge.net ***cough***)
Re: secure installation
On Thu, Aug 16, 2007 at 03:42:07PM -0700, Russ Allbery wrote:

> R. W. Rodolico [EMAIL PROTECTED] writes:
>
>> At this point, I disagree. Unfortunately, I have to point to some of the user oriented firewalls you get for windoze (which, to my knowledge, Linux does not have). When they are installed, they shut down basically everything incoming, and all but a few standard outgoing ports (http, smtp, pop and imap). When an application tries to go out of another port, a pop-up informs the user and they can choose to accept, accept or reject, with a forever modifier on both, and the firewall changes its rules appropriately. For un-informed users, this is a good thing.
>
> Well, I certainly disagree that the pop-up prompts are at all useful or offer any real security. Time and time again, studies of user interaction with security software have shown that this sort of security interaction is essentially useless. The only thing here that offers any real security protection is the default denial of all incoming traffic. And that just returns to my previous point, which is that the best and safest way to do that is to not listen to network traffic in the first place, rather than installing some daemon that listens to network traffic and then turning it off with a firewall. It's making the decision in the wrong place, and it's simply sloppy security thinking.

that depends.

perhaps, if you are going to make potential network servers that could also have a local use install listening on the loopback only. so mysql would install listening to the loopback only. perhaps an ftp server might be a reasonable example of something that could install as listening on the network.

and if you're going to make it so that clicking on Home Desktop or whatever the option is in tasksel still results in an install that doesn't listen to the network, then that is at least consistent.

Appealing to the fact that a minimal install has nothing listening on a network port when a typical desktop install will drag in at least avahi ...

But really, networks are pervasive and unavoidable. We have to get past this 80s-style, TSEC-style, black white way of approaching networks and come up with something practical. networks are what people have computers for these days. air gaps are the exception.

Do ordinary folk really *need* to grok rp_filter ?

Regards, Paddy
Re: secure installation
On Thu, 16 Aug 2007 18:21:59 -0500 (CDT) R. W. Rodolico [EMAIL PROTECTED] wrote:

[snip]

> Firewalls are for a stupidity shield. I had a situation where I was cracked on one of my servers a few years ago. It was totally my fault; I had a user I had mistakenly set up as an authorized ssh user who shouldn't have been. Their account was cracked, then the cracker got root access and installed a daemon that was ready to attack another server.

Just curious; anyone can forget a user account, but how did the attacker get root?

> R. W. Rod Rodolico

Celejar
--
mailmin.sourceforge.net - remote access via secure (OpenPGP) email
ssuds.sourceforge.net - A Simple Sudoku Solver and Generator
Re: secure installation
On Thu, 16 Aug 2007 16:49:36 -0700 Russ Allbery [EMAIL PROTECTED] wrote:

[snip]

> Firewalls are good in the situation where, whenever you open up new network access, you want to have to make that choice independently in multiple locations. I'm dubious that this matches the desires of the average user or that forcing them to do this will really result in more security as opposed to further training to just always click Okay. It's great for administrators who want paranoid control over such things.

I'm no security expert, but I would suggest that a benefit of 'Personal' firewalls is the provision of a simple, systematic way of restricting access to services. Yes, many apps offer some way of doing this, but remembering each one's different method of doing this can be a headache. I suppose one really should, for maximum security, but I think there's still benefit in a simpler, consistent system.

Additionally, not all apps do this the same way; for example, sshd can be configured to bind to a specific IP address, but what if the address is unknowable in advance? Can it be limited to a specific interface, as can be accomplished with a firewall? Even if the answer is yes, my point about simplicity remains.

I may be off base here; I'm just expressing my (limited) understanding of the issue.

> Russ Allbery ([EMAIL PROTECTED]) http://www.eyrie.org/~eagle/

Celejar
--
mailmin.sourceforge.net - remote access via secure (OpenPGP) email
ssuds.sourceforge.net - A Simple Sudoku Solver and Generator
Re: secure installation
On Thu, 16 Aug 2007 17:11:54 -0700 Rick Moen [EMAIL PROTECTED] wrote:

[snip]

> My perspective is influenced by the fact that all attempts to help debug Linux networking failures have to start with "What does /sbin/iptables -L, run as root, say?" and "What's in /etc/hosts.allow and /etc/hosts.deny?" -- because people shooting at their pedal extremities with those, without any idea what they're doing, is a leading cause of networking problems.

grin

I wish I had a dollar for every time that a frustrating connectivity failure on my network turned out to be due to renaming or adding an interface or something similar and neglecting to reconfigure shorewall ...

> Cheers,
> Rick Moen
> English is essentially Plattdeutsch as spoken by a Frisian pretending to be French.

Celejar
--
mailmin.sourceforge.net - remote access via secure (OpenPGP) email
ssuds.sourceforge.net - A Simple Sudoku Solver and Generator
Re: secure installation
Celejar [EMAIL PROTECTED] writes:

> Just curious; anyone can forget a user account, but how did the attacker get root?

There are a *lot* more privilege escalation attacks than there are remote exploits. Just in the Linux kernel, a new one seems to show up every six months or so.

--
Russ Allbery ([EMAIL PROTECTED]) http://www.eyrie.org/~eagle/
Re: secure installation
Quoting Russ Allbery ([EMAIL PROTECTED]):

> Celejar [EMAIL PROTECTED] writes:
>
>> Just curious; anyone can forget a user account, but how did the attacker get root?
>
> There are a *lot* more privilege escalation attacks than there are remote exploits. Just in the Linux kernel, a new one seems to show up every six months or so.

Moen's First Law of Security (It's easier to break in from the inside.) http://linuxmafia.com/~rick/lexicon.html#moenslaw-security1

It's always worthwhile to audit one's system (on an _ongoing_ basis, as Russ suggests) for local weaknesses that allow privilege escalation, and especially for the ones that make it _easy_. It's a fact that most people's machines are cracked by canned 'sploits run via automated scripts by kiddies who don't even understand their tools -- which is a pretty ignominious thing to happen. Don't let it happen to you.

And this is _another_ reason why a properly targeted file-based IDS is a really capital idea -- as is alertness about what is and is not aberrant system behaviour. I can even make this point in a Debian-relevant way. All hail to the Debian Project's sysadmins, who in November 2003 showed everyone how to do it right: http://linuxgazette.net/issue98/moen.html

--
Cheers, Rick Moen [EMAIL PROTECTED]
English is essentially a text parser's way of getting faster processors built. -- John M. Ford, http://ccil.org/~cowan/essential.html
Re: secure installation
Pat wrote:

> I apologize if I have offended anyone with my responses. My initial post was one mentioning what I saw to be a problem in an attempt to help the community at large but some persons took offense.

I don't think so. This is merely a lively discussion. A bit of philosophy which can be sneaked past the netcops as being on-topic breaks the monotony of problem-solving.
Re: secure installation
Pat wrote:

> Whose responsibility is it, in the US if you manufacture a defective product legally it is your responsibility if someone is harmed.

There's a bit of a difference between a defective product and one incorrectly used. When a driver knocks down a pedestrian, should the car manufacturer be the party that gets prosecuted?

Johannes Wiedersich wrote:

> Debian is behaving way more responsible in any respect than commercial vendors, so your 'complaint' is wholly besides the point. Debian protects you better from the perils of the internet than the big commercial OS. Period.

That's not exactly saying a lot, is it? 'Better than Windows'. It needs to be a *lot* better than Windows.

A few points I think should be mentioned that have not yet been:

Egress filtering in Windows personal firewalls, and finally built into Vista, is there in response to spyware. This is not yet a Linux problem, and is never likely to be as severe, but it will happen when children start using Linux in significant numbers. These firewalls also tend to monitor the originating executable, and warn the user when its signature changes, something we would normally associate with an IDS rather than a firewall. But on the whole, a process with the privilege to install would also have the privilege to disable the firewall, so it is doubtful whether a personal firewall is of much use to a root user. It is far more important to discourage root use, which most 'consumer' Linux distributions do fairly well. Again, Vista finally does this, and unlike XP is usable by a computer owner who runs unprivileged. There's a lot in XP that can't be done outside a root logon.

Secondly, most consumer Internet users today use broadband, and the vast majority of recent equipment has an SPI firewall. This pretty much protects the user's computer against the kind of direct attack that a personal firewall would be expected to repel.

The point has been made that networking is now normal outside universities, but what was not mentioned was that practical networking *requires* services to listen to the network which are practically indefensible. Whether Samba or NFS, nobody would consider sharing files over the Net, yet this is the primary purpose of a private network. Such a network *must* have a bastion firewall, but whether individual firewalls with the required serious holes in them provide additional security is questionable.
Re: secure installation
Rick Moen [EMAIL PROTECTED] writes:

> And this is _another_ reason why a properly targeted file-based IDS is a really capital idea -- as is alertness about what is and is not aberrant system behaviour. I can even make this point in a Debian-relevant way. All hail to the Debian Project's sysadmins, who in November 2003 showed everyone how to do it right: http://linuxgazette.net/issue98/moen.html

Yup. IDS systems are wonderful. But they do require discipline. I've seen a depressing number of people deploy an IDS and then never bother to update the database. When you have 1MB of changes reported every day that you've trained yourself to ignore, you're just wasting CPU.

That's really the take-home point with all of these discussions. There are a lot of great security tools available if you're paying attention and really think about what you're doing, clear anomalies, and make sure that everything they report really *is* unusual. If you don't do those things, and most unskilled users won't, then it's all about the defaults. If the defaults don't get it right, it's pretty much a lost cause.

This is, for example, one of the reasons why I think Debian's logcheck package is such a good idea. It scans your system logs and mails you anomalies, and *lots of Debian developers use it and submit patches to filter out all the expected output*. The latter is vital. Because clued Debian users and developers keep the rule set up to date, it's actually usable for someone who doesn't know what they're doing since the reports aren't full of noise that isn't actually a problem. (It could, of course, be better, but I think it's quite good already.)

Of course, even a good log checking program isn't as good as an IDS with a database in secure media (I personally use network file systems with strong ACLs requiring separate authentication; it's not ideal, but it requires a sophisticated attacker to compromise) since many attackers immediately wipe out the logs. logcheck is probably more useful for catching hardware failure than for catching security, although it can pick up security-related problems (such as piles of ssh password cracking attempts that remind you that you forgot to add an iptables rule for ssh).

--
Russ Allbery ([EMAIL PROTECTED]) http://www.eyrie.org/~eagle/
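The rule-filtered log review described in the message above, sketched as an added example that is not part of the original thread and is not logcheck's own code or rule set: lines matching a maintained list of "expected output" patterns are dropped, repeated ssh password failures are grouped by source address, and only what remains is reported. The log lines, the patterns and the threshold of three failures are all constructed for illustration.

```python
"""Filter expected log lines and report only what is left."""
import re
from collections import Counter

# Syslog prefix: month, day and time (11 characters), hostname.
PREFIX = r"^\w{3} [ :0-9]{11} \S+ "

# Constructed "expected output" rules, one anchored regex per known-benign line.
IGNORE_RULES = [
    PREFIX + r"CRON\[\d+\]: \(pam_unix\) session (?:opened|closed) "
             r"for user \S+(?: by \(uid=\d+\))?$",
    PREFIX + r"dhclient: DHCPACK from \S+$",
]

# Failed ssh password logins; group 1 is the source address.
SSH_FAIL = re.compile(
    PREFIX + r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+ "
             r"from (\S+) port \d+ ssh2$"
)

# Constructed sample log (documentation-range addresses, invented host name).
SAMPLE_LOG = """\
Aug 17 06:25:01 etch CRON[2101]: (pam_unix) session opened for user root by (uid=0)
Aug 17 06:25:02 etch CRON[2101]: (pam_unix) session closed for user root
Aug 17 06:30:11 etch dhclient: DHCPACK from 192.0.2.1
Aug 17 07:02:40 etch sshd[2290]: Failed password for root from 203.0.113.9 port 40112 ssh2
Aug 17 07:02:43 etch sshd[2293]: Failed password for invalid user admin from 203.0.113.9 port 40120 ssh2
Aug 17 07:02:47 etch sshd[2296]: Failed password for root from 203.0.113.9 port 40131 ssh2
Aug 17 07:15:09 etch sshd[2310]: Failed password for pat from 198.51.100.7 port 51515 ssh2
Aug 17 08:11:54 etch kernel: ata1: command timeout
"""


def check(lines, ignore_rules=IGNORE_RULES, threshold=3):
    """Classify log lines; return counts and the lines that need a human."""
    ignore = [re.compile(rule) for rule in ignore_rules]
    failures = Counter()
    unexpected = []
    ignored = 0
    for line in lines:
        line = line.rstrip("\n")
        if not line:
            continue
        match = SSH_FAIL.match(line)
        if match:
            # Security-relevant lines are never silenced by an ignore rule.
            failures[match.group(1)] += 1
        elif any(rule.match(line) for rule in ignore):
            ignored += 1
        else:
            unexpected.append(line)
    return {
        "ignored": ignored,
        "unexpected": unexpected,
        "ssh_failures": dict(failures),
        "ssh_sources_over_threshold": sorted(
            ip for ip, count in failures.items() if count >= threshold
        ),
    }


if __name__ == "__main__":
    report = check(SAMPLE_LOG.splitlines())
    print("ignored as expected:", report["ignored"])
    for ip in report["ssh_sources_over_threshold"]:
        print("repeated ssh failures from", ip, report["ssh_failures"][ip])
    for line in report["unexpected"]:
        print("unexpected:", line)
```

Running `check` with an empty rule list puts every routine line into the report, which is the noise problem a maintained rule set exists to avoid.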
Re: secure installation
Quoting Russ Allbery ([EMAIL PROTECTED]):

> Yup. IDS systems are wonderful. But they do require discipline.

Indeed. I'd still like to see a trial project, to see _if_ a default IDS setup (Samhain, AIDE, or Prelude-IDS) can be made to be generally useful. (Yeah, I know: Sooner if you help.)

> That's really the take-home point with all of these discussions. There are a lot of great security tools available if you're paying attention and really think about what you're doing, clear anomalies, and make sure that everything they report really *is* unusual.

One of the take-home lessons of my (referenced) article about the 2003 server compromise is that the Debian Project sysadmins caught it promptly _mostly_ because they reasoned that simultaneous kernel oopses across multiple hosts were too suspicious to ignore. The nightly report from AIDE, later, merely confirmed what they already knew.

> This is, for example, one of the reasons why I think Debian's logcheck package is such a good idea.

Agreed.

--
Zees American words are too much. Zen our culture you'll wrench; With 'le parking' 'le weekend' such. Wiz our children we'll be out of touch. Eef you anglicize French,-- L'Academie Francaise in a nutshell
Re: Secure Installation
On Thursday 16 August 2007 15:09, R. W. Rodolico wrote:

> Unfortunately, I have to point to some of the user oriented firewalls you get for windoze (which, to my knowledge, Linux does not have). When they are installed, they shut down basically everything incoming, and all but a few standard outgoing ports (http, smtp, pop and imap). When an application tries to go out of another port, a pop-up informs the user and they can choose to accept, accept or reject, with a forever modifier on both, and the firewall changes its rules appropriately.

The problem with these lies on 2 levels. The first is that all network traffic would have to somehow be routed through this application, which in windows is no big deal as all that is already in place. But we haven't installed that infrastructure, so it would be tougher to get that running in the first place. This is not a primary concern regarding the firewall, but it is an issue if we do eventually decide to integrate a firewall like that.

The second problem is what I pointed out earlier about Microsoft's firewall -- users are pacified by it. If it's there, they get the message, they have ok, and cancel, what does the average user do? The average user assumes the firewall will protect them no matter what they do, so they click the ok button and get on with what they are doing.

The greatest security hole in any system is the user. You can plug every other hole there is, and still have break-ins because users haven't been trained properly. There is no way to secure a system used by uninformed users. A firewall is only one more thing the user can foul up.

Linux (and debian especially) is inherently more secure than windows in one regard, firewall or not: we can all contribute to it. The only people contributing anything to windows are either microsoft, contributing bugs; or proprietary software companies, contributing proprietary software. This made a sink-hole where the user really doesn't know what's going on in the background, can't find out, and can't fix it even if they could find out. What more could the programmer of a trojan horse (IMO a bigger threat than anything a firewall will protect us from) ask for, than a user who completely trusts binary-only distributions?

We're sitting here discussing specific ways debian operates and how we can fix it. Who can do that in windows? That in itself makes debian more secure.

--
Sincerely, Jack [EMAIL PROTECTED]
My GPG Public Key can be found at: https://www.theanythingbox.com/pgp.htm (top link is current)
I appreciate signatures, but if you only know me online, please use the --lsign-key, not the --sign-key. I appreciate trust -- but too much makes it less valuable.
Re: secure installation
Of course it is a little bit of philosophy. The whole Debian project is based on a philosophy of freedom vs rampant marketing and corporate only dominated computing experience. Granted that many take advantage of this and make money they would not make if using other for profit OS's.

The original poster wants to impose the philosophy of the dominating marketing forces on the average person. Then we are doomed with all due respects. I do not want to sound nietzschean --which I am not. But average is not going to make it. Read and think my friend. What community are you trying to help anyway?

--
-JM.
These blue days and this sun of childhood. (Antonio Machado-1939)
Re: secure installation
On 8/15/07, Pat [EMAIL PROTECTED] wrote: 1) What if someone (and I am sure it happens more often than you may realize) who is clueless about computers decides to download Debian, installs it, get hacked, trojaned horsed, their credit cards numbers stolen, etc. It is called responsibility, and we cannot blame it on them for knowing nothing, we can't all be computer security experts. In addition you have the option within lokkit to select no firewall if that is what you really want, so it seem to leave freedon of choice as to how to use your computer enabled, along with the option to uninstall it completely. But who is the ultimate responsible party? The clueless computer user that tries to use some 'new fancy operating system' or the volunteer developer of that system? Put your own political opinion onto that question - rhetorically. No, if someone WANTS to use lokkit, then they certainly can, yes? Am I assuming enough that they can 'apt-get install lokkit' and then configure it? Make up a web page on how _you_ think you should harden a Debian install with Lokkit as the cornerstone of your how-to and post it. As several others have pointed out, and as we have seen in the world of more popular operating systems from Redmond, installing a Firewall that defaults 'on' provides you no real extra protection if you don't know what in the hell you're doing with it. (You are coming to a sad realization, cancel or allow?). AFAIAC, if some clueless person installs an operating system they don't know and get themselves into some trouble, it's THEIR fault. It's not Debian's fault, it's not Linus' fault, it's not Deb or Ian's fault. It's not the kernel developer, it's not the CD distributor, it's not the mirror host. You're responsible for your own stupidity when it comes to linux, I think that's a well established aspect of the community already; for good or ill. Very few Linux experts suffer fools elegantly. 
If someone is looking for a more stupid proof distro, perhaps Ubuntu or SUSE would serve them better. Let's not dumb down Debian for the rest of the world because a clueless user _might_ compromise their own credit card numbers.
Re: secure installation
On Wed, Aug 15, 2007 at 10:47:12PM -0500, Pat wrote: 1) What if someone (and I am sure it happens more often than you may realize) who is clueless about computers decides to download Debian, installs it, get hacked, trojaned horsed, their credit cards numbers stolen, etc. On common workstation there is no need for firewall. Firewall is advanced tool, if user is not able to configure it, then (s)he probably doesn't need it. And if there is no firewall (or other hand-crafted protective measures), then there is no need for rp_filter. So on common workstation there is no need for rp_filter too. -- Elen sila lumenn' omentielvo Ondrej 'SanTiago' Zajicek (email: [EMAIL PROTECTED], jabber: [EMAIL PROTECTED]) OpenPGP encrypted e-mails preferred (KeyID 0x11DEADC3, wwwkeys.pgp.net) To err is human -- to blame it on a computer is even more so.
Re: secure installation
On Thu, Aug 16, 2007 at 06:38:32AM -0400, John Keimel wrote: Let's not dumb down Debian for the rest of the world ... agreed that defaults are important and should be appropriately set. what can be done to improve the chances of users ending up with appropriate settings ? would it help to have a task style package that could set a range of such options ? Regards, Paddy
Re: secure installation
On 8/16/07, Ondrej Zajicek [EMAIL PROTECTED] wrote: And if there is no firewall (or other hand-crafted protective measures), then there is no need for rp_filter. So on common workstation there is no need for rp_filter too. I also don't see why you need rp_filter on a workstation. A workstation generally has a single default gateway that routes incoming and outgoing traffic. Since the netmask is 0.0.0.0, absolutely any packet is allowed to come from there, so enabling rp_filter would do absolutely nothing.
Re: secure installation
On Thu, Aug 16, 2007 at 01:59:03PM +0200, Izak Burger wrote: On 8/16/07, Ondrej Zajicek [EMAIL PROTECTED] wrote: And if there is no firewall (or other hand-crafted protective measures), then there is no need for rp_filter. So on common workstation there is no need for rp_filter too. I also don't see why you need rp_filter on a workstation. A workstation generally has a single default gateway that routes incoming and outgoing traffic. Since the netmask is 0.0.0.0, absolutely any packet is allowed to come from there, so enabling rp_filter would do absolutely nothing. does it not cover the case of packets arriving at eth0 spoofed as from 127.0.0.1 ? what would be an easy way to test that ? Regards, Paddy
RE: secure installation
The correct answer for the better of all now/future Debian users is to not put a gun in the hands of a child. For those mental midgets that are willing to put their CC info on a box that they have no clue about then they deserve to have their identity stolen. Debian does NOT need any improvements to make it 'safer' for the ignorant. Instead put that effort to make it 'safer' for those who use it to make life better for others. It is an excellent OS that gives the installer an opportunity to build it 'right' for that installation purpose. If I choose to not install iptables (duh) then that stupidity would be mine and mine alone. Nor do I want someone else's idea of 'safe' being shoved on me. My 2 cents, Robert From: [EMAIL PROTECTED] On Thu, Aug 16, 2007 at 06:38:32AM -0400, John Keimel wrote: Let's not dumb down Debian for the rest of the world ... agreed that defaults are important and should be appropriately set. what can be done to improve the chances of users ending up with appropriate settings ? would it help to have a task style package that could set a range of such options ? Regards, Paddy
Re: secure installation
On Thu, Aug 16, 2007 at 02:54:16PM +0200, Izak Burger wrote: does it not cover the case of packets arriving at eth0 spoofed as from 127.0.0.1 ? Right you are, that slipped my mind. I asked because I don't remember and I really can't be bothered to check. These things are tricky and life is short. I seem to recall that earlier versions of debian had rp_filter default to 1 (I see sarge still has this, you set spoofprotect=yes in /etc/network/options, and afaik it defaults to yes). I agree with the rest of the sentiment on the list though. I like lean installs. I like to use a product called firehol to build my (admittedly very simple) firewalls, but I will never advocate that it be installed by default. I'd absolutely hate it if someone forced me to install shorewall because they think I need to be protected from myself. I think that is what most people are trying to say. All I'm saying is, would it be possible to have a single simple option that users could *elect* to take, that wasn't the default, that wasn't bending anyone's life out of shape, marked Novice User or something :-) Regards, Paddy
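For the rp_filter question raised in the messages above, an added example (not part of the thread) that reports the reverse-path filtering mode each interface actually ends up with. It assumes the behaviour documented for current kernels, where the larger of `conf/all` and the per-interface value applies; the kernels of 2007 may differ, and the sample `sysctl -a` output and function names are constructed for illustration.

```python
import re

# Meaning of each rp_filter value in the kernel's ip-sysctl documentation:
# 0 = no source validation, 1 = strict reverse path, 2 = loose reverse path.
MODES = {0: "off", 1: "strict", 2: "loose"}

# sysctl prints VLAN interfaces as e.g. "eth0/100", so the name is matched
# greedily up to the final ".rp_filter".
_LINE = re.compile(
    r"^net\.ipv4\.conf\.(?P<iface>.+)\.rp_filter\s*=\s*(?P<val>[0-2])\s*$"
)

# Constructed sample of `sysctl -a` output (not captured from a real host).
SAMPLE_SYSCTL = """\
net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.eth0.rp_filter = 1
net.ipv4.conf.lo.rp_filter = 0
net.ipv4.conf.wlan0.rp_filter = 0
net.ipv4.ip_forward = 0
"""


def parse_rp_filter(text):
    """Return {name: value} for every net.ipv4.conf.<name>.rp_filter line."""
    settings = {}
    for line in text.splitlines():
        match = _LINE.match(line.strip())
        if match:
            settings[match.group("iface")] = int(match.group("val"))
    return settings


def effective_modes(settings):
    """Mode applied per interface: max(conf/all, conf/<iface>).

    Assumption: current kernel semantics. "all" and "default" are not
    interfaces, so they are left out of the result.
    """
    global_val = settings.get("all", 0)
    return {
        iface: MODES[max(global_val, val)]
        for iface, val in settings.items()
        if iface not in ("all", "default")
    }


def unprotected(settings):
    """Non-loopback interfaces that perform no source validation at all."""
    modes = effective_modes(settings)
    return sorted(i for i, mode in modes.items() if mode == "off" and i != "lo")


if __name__ == "__main__":
    parsed = parse_rp_filter(SAMPLE_SYSCTL)
    for iface, mode in sorted(effective_modes(parsed).items()):
        print(f"{iface:8} {mode}")
    print("no source validation on:", unprotected(parsed) or "none")
```

Because the larger value wins, setting `conf/all` to 2 turns an interface configured as strict into loose; the per-interface file alone does not tell you what is enforced.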
Re: secure installation
[EMAIL PROTECTED] wrote one day: All I'm saying is, would it be possible to have a single simple option that users could *elect* to take, that wasn't the default, that wasn't bending anyone's life out of shape, marked Novice User or something :-) A question during the Debian installation about installing a firewall that defaults to no? Yes, that would be possible. But I am not sure I would want to put that for a novice user. What I see coming is many more newbie users complaining on the mailing lists that application xyz doesn't work properly. Example, they downloaded bittorrent (instead of just installing one of the existing Debian packages), and then complain that it doesn't work. We all agree that having a firewall is a good line of defense, but the most important is not having unneeded services listening to the net, and that the code of the software doing network interaction be secure. A computer that is secure should be secure regardless of the presence of a firewall. Otherwise, it will simply give you a false sense of security, which is worse. I never used lokkit, but I guess it would need to be reconfigured every time someone installs software that uses the net, because a real novice user will not think about reconfiguring his firewall when needed, and knows even less which ports need to be opened. So installing a firewall by default for new users will probably create more problems than it will solve, and not make the computer significantly more secure (many trojans will use port 80 or 21 anyway). But adding the option to install a firewall in the expert mode makes sense to me. Simon Valiquette
Re: secure installation
On Wed, Aug 15, 2007 at 09:34:19PM -0700, Russ Allbery wrote: A default install should simply not listen to the network, at which point a firewall is pointless complexity. I believe portmap is already listening only to localhost and inetd doesn't run if there are no services enabled. Even if the default installation is secure in this sense, there are other packages in Debian that propose easy use to novice users but open up your computer quite a bit. For example just the additional selection of KDE gets you a running avahi daemon. Inexperienced users may not even notice that they put their system at a risk. It's certainly a bad idea to force something onto users they may not understand. But if a user installs a debian package that lowers his system's security there should be a big warning in the installer. -- Michel Messerschmidt [EMAIL PROTECTED]
Re: secure installation
Well, considering there are those of us who want to see linux become an operating system for the average person, and I do believe this is the ultimate goal of many linux communities. Whose responsibility is it, in the US if you manufacture a defective product legally it is your responsibility if someone is harmed. Also, if you fail to provide warning labels to protect persons who do not know any better it is again your responsibility. I will leave my personal beliefs out of the discussion. There are many things in the world you would be clueless about that great lengths are gone to to protect You from. hazardous chemicals, collasped bridges to name a few. installing a Firewall that defaults 'on' provides you no real extra protection if you don't know what in the hell you're doing with it. (You are coming to a sad realization, cancel or allow?). Every little bit helps. Let's not dumb down Debian for the rest of the world because a clueless user _might_ compromise their own credit card numbers. I said absolutely nothing about dumbing down Debian, I said the operating system should install a little more securely by default. On 8/16/07, John Keimel [EMAIL PROTECTED] wrote: On 8/15/07, Pat [EMAIL PROTECTED] wrote: 1) What if someone (and I am sure it happens more often than you may realize) who is clueless about computers decides to download Debian, installs it, get hacked, trojaned horsed, their credit cards numbers stolen, etc. It is called responsibility, and we cannot blame it on them for knowing nothing, we can't all be computer security experts. In addition you have the option within lokkit to select no firewall if that is what you really want, so it seem to leave freedon of choice as to how to use your computer enabled, along with the option to uninstall it completely. But who is the ultimate responsible party? The clueless computer user that tries to use some 'new fancy operating system' or the volunteer developer of that system? 
Put your own political opinion onto that question - rhetorically. No, if someone WANTS to use lokkit, then they certainly can, yes? Am I assuming enough that they can 'apt-get install lokkit' and then configure it? Make up a web page on how _you_ think you should harden a Debian install with Lokkit as the cornerstone of your how-to and post it. As several others have pointed out, and as we have seen in the world of more popular operating systems from Redmond, installing a Firewall that defaults 'on' provides you no real extra protection if you don't know what in the hell you're doing with it. (You are coming to a sad realization, cancel or allow?). AFAIAC, if some clueless person installs an operating system they don't know and get themselves into some trouble, it's THEIR fault. It's not Debian's fault, it's not Linus' fault, it's not Deb or Ian's fault. It's not the kernel developer, it's not the CD distributor, it's not the mirror host. You're responsible for your own stupidity when it comes to linux, I think that's a well established aspect of the community already; for good or ill. Very few Linux experts suffer fools elegantly. If someone is looking for a more stupid proof distro, perhaps Ubuntu or SUSE would serve them better. Let's not dumb down Debian for the rest of the world because a clueless user _might_ compromise their own credit card numbers.
Re: secure installation
So, if we all adopt your attitude toward everything, then people would go for a walk in the park and get sprayed with deadly insecticide by pest control people, or drive down the road and run off a bridge that was collapsed which no one bothered to barricade. But who is the ultimate responsible party? The clueless computer user that tries to use some 'new fancy operating system' or the volunteer developer of that system? Put your own political opinion onto that question - rhetorically. No, if someone WANTS to use lokkit, then they certainly can, yes? Am I assuming enough that they can 'apt-get install lokkit' and then configure it? Make up a web page on how _you_ think you should harden a Debian install with Lokkit as the cornerstone of your how-to and post it. As several others have pointed out, and as we have seen in the world of more popular operating systems from Redmond, installing a Firewall that defaults 'on' provides you no real extra protection if you don't know what in the hell you're doing with it. (You are coming to a sad realization, cancel or allow?). AFAIAC, if some clueless person installs an operating system they don't know and get themselves into some trouble, it's THEIR fault. It's not Debian's fault, it's not Linus' fault, it's not Deb or Ian's fault. It's not the kernel developer, it's not the CD distributor, it's not the mirror host. You're responsible for your own stupidity when it comes to linux, I think that's a well established aspect of the community already; for good or ill. Very few Linux experts suffer fools elegantly. If someone is looking for a more stupid proof distro, perhaps Ubuntu or SUSE would serve them better. Let's not dumb down Debian for the rest of the world because a clueless user _might_ compromise their own credit card numbers.
Re: secure installation
On Thu, Aug 16, 2007 at 07:45:06PM +0200, Michel Messerschmidt wrote: up your computer quite a bit. For example just the additional selection of KDE gets you a running avahi daemon. but that's the responsibility of the respective maintainer(s) Inexperienced users may not even notice that they put their system at a risk. It's certainly a bad idea to force something onto users they may not understand. exactly, so don't force a firewall on them! But if a user installs a debian package that lowers his system's security there should be a big warning in the installer. agree, something like debconf: Are you sure you want this service running? This opens port bla on your network interface! NO yes cheers --Jan
Re: secure installation
On Wed, 15 Aug 2007 14:23:06 -0500 Pat [EMAIL PROTECTED] wrote: [snip] 3) Do we really need portmap, inetd, or nfs running by default on our workstations? http://taosecurity.blogspot.com/2006/01/default-services-in-debian-this.html See section 12.1.14.1 - 3 here: http://www.debian.org/doc/manuals/securing-debian-howto/ch12.en.html Celejar -- mailmin.sourceforge.net - remote access via secure (OpenPGP) email ssuds.sourceforge.net - A Simple Sudoku Solver and Generator
On Distro to rule them all (was: secure installation)
Why not add 3 deb packages (deb-user, deb-workstation, deb-server) and prompt the user during install for which style box they are setting up. Then the selected package could have (or not have) necessary dependencies for the system style. For instance, deb-user could depend on lokkit as well as disable inetd boot scripts. This would make it easier for lusers while still not pushing stuff onto experienced Debiani. -Jim P.
Re: secure installation
On Thursday 16 August 2007 05:09, Robert Van Nostrand wrote: The correct answer for the better of all now/future Debian users is to not put a gun in the hands of a child. For those mental midgets that are willing to put their CC info on a box that they have no clue about then they deserve to have their identity stolen. I agree with most of your sentiment: Debian isn't for the first-time linux user, generally. It's easier to break, harder to install, but the reward is that you get a much more powerful system. But does lack of information make anyone deserve identity theft? I don't think anyone deserves to have their identity stolen, because to deserve something bad you had to have done something bad. Being ignorant about debian isn't a bad thing. We all were once, and if everyone came at us with that attitude, would we have learned? I doubt it. My point is, that to debate if a firewall should be in the installer may circle around practical points, more/less how many people use a firewall or what benefit would a firewall have? But nobody should be pointing fingers. My personal view is that there are plenty of simpler distributions out there, knoppix for first-time users, Ubuntu/Suse for novices, and RedHat for people who need hand-holding. Debian is primarily for advanced users, and for users who have someone looking over their shoulder. We shouldn't over-simplify debian so that users not in it's target audience can use it. Putting a firewall in debian by default is also somewhat similar to Microsoft's attempts to pacify everyone: When windows' virus problem became worrisome to the average user, Microsoft added a firewall to their installation, to try to make users think that Windows was safe now. What happened? Well, security went down the toilet. Users thought they were safe without doing anything, so they didn't do anything. 
Microsoft succeeded at pacifying everyone, and so shot themselves in the other foot (the first foot is being so forceful and monopolizing the industry). I don't think a firewall by default is even a safe idea, just for that reason: Users who don't really know what it is, but hear it makes me safe, will assume that it protects them from everything without them doing anything. -- Sincerely, Jack [EMAIL PROTECTED] My GPG Public Key can be found at: https://www.theanythingbox.com/pgp.htm (top link is current) I appreciate signatures, but if you only know me online, please use the --lsign-key, not the --sign-key. I appreciate trust -- but too much makes it less valuable.
Re: secure installation
I apologize if I have offended anyone with my responses. My initial post was one mentioning what I saw to be a problem in an attempt to help the community at large but some persons took offense.
Re: secure installation
I've been watching this thread for a while and decided to post my two cents. For my use, Debian is two things; a kick butt server and the basis for other distros that make pretty good workstations. I have tried Debian as a workstation before and just never gotten a warm fuzzy (though it has been a while). However, I'm also the one that will argue all day long about why Debian is the only server that should ever be used. As such, I want minimum junk installed on my servers. I know enough to know what apps I need for a particular job, and for some of that even the base install is too much. Adding a firewall that someone else chose is just one more thing to do to get my servers up and running. For workstations, I tend to use Kubuntu. On that, yes, I want a firewall, and since I recommend it to anyone who asks (and even have my sales staff using it), a default firewall is a Good Thing. But, for Debian, I just want the packages necessary to get the server up long enough so I can do an apt-get install joe, then I can get to work. Rod -- R. W. Rod Rodolico Daily Data, Inc. POB 140465 Dallas TX 75214-0465 214.827.2170 This is a private e-mail address for use only by clients of Daily Data. Please do not forward or give out this e-mail address to anyone.
Re: secure installation
R. W. Rodolico [EMAIL PROTECTED] writes: For workstations, I tend to use Kubuntu. On that, yes, I want a firewall, and since I recommend it to anyone who asks (and even have my sales staff using it), a default firewall is a Good Thing. The part that concerns me about installing a firewall by default is that people seem to put irrational trust in a firewall and use it as an excuse to not address other security issues. The *best* thing to do is to design secure services that either don't randomly listen to the network or that deal with network traffic in a secure fashion, and I'd really like to maintain Debian's emphasis there. Installing a firewall, which often does little or nothing, strikes me as cargo cult security, and cargo cult security can be worse than useless. A well-designed and reviewed set of iptables rules provides additional defense in depth and we do deploy iptables on all of our servers and manage those rules as part of their Puppet model, but it's not something that you can tell an average user to just apt-get install and have work in a way that offers any real security, IMO. -- Russ Allbery ([EMAIL PROTECTED]) http://www.eyrie.org/~eagle/
Re: secure installation
On 8/16/07, Jack T Mudge III [EMAIL PROTECTED] wrote: My personal view is that there are plenty of simpler distributions out there, knoppix for first-time users, Ubuntu/Suse for novices, and RedHat for people who need hand-holding. Debian is primarily for advanced users, and for users who have someone looking over their shoulder. We shouldn't over-simplify debian so that users not in its target audience can use it. I like your viewpoint. I was just trying to remember exactly what is open to the world on a brand new ubuntu installation, but I haven't done a new install in a while so this is up to memory. I know there is no MTA. There is also no sshd or portmap. Not even an inetd. It will however respond if you ping it. Now THAT is the sort of thing I like. Secure out of the box. I think the answer is to not make Debian into something that ubuntu already is, that is, linux for human beings :-) Of course that doesn't mean someone won't find a way to shoot themselves in the foot... thank goodness we don't get sued on this continent (Africa) every time that happens.
Re: secure installation
On Thu, August 16, 2007 16:56, Russ Allbery wrote: R. W. Rodolico [EMAIL PROTECTED] writes: For workstations, I tend to use Kubuntu. On that, yes, I want a firewall, and since I recommend it to anyone who asks (and even have my sales staff using it), a default firewall is a Good Thing. The part that concerns me about installing a firewall by default is that people seem to put irrational trust in a firewall and use it as an excuse to not address other security issues. The *best* thing to do is to design secure services that either don't randomly listen to the network or that deal with network traffic in a secure fashion, and I'd really like to maintain Debian's emphasis there. Installing a firewall, which often does little or nothing, strikes me as cargo cult security, and cargo cult security can be worse than useless. A well-designed and reviewed set of iptables rules provides additional defense in depth and we do deploy iptables on all of our servers and manage those rules as part of their Puppet model, but it's not something that you can tell an average user to just apt-get install and have work in a way that offers any real security, IMO. At this point, I disagree. Unfortunately, I have to point to some of the user oriented firewalls you get for windoze (which, to my knowledge, Linux does not have). When they are installed, the shut down basically everything incoming, and all but a few standard outgoing ports (http, smtp, pop and imap). When an application tries to go out of another port, a pop-up informs the user and they can choose to accept, accept or reject, with a forever modifier on both, and the firewall changes its rules appropriately. For un-informed users, this is a good thing. It is by no means perfect, but it is just one more level between the un-informed user and the big bad world that is the 'net. 
But, even without the interaction of some of the Windows firewalls, just installing one of the firewall builders available on the workstation distros at least gives them some protection. -- Russ Allbery ([EMAIL PROTECTED]) http://www.eyrie.org/~eagle/ -- R. W. Rod Rodolico Daily Data, Inc. POB 140465 Dallas TX 75214-0465 214.827.2170 This is a private e-mail address for use only by clients of Daily Data. Please do not forward or give out this e-mail address to anyone.
Re: secure installation
R. W. Rodolico [EMAIL PROTECTED] writes: At this point, I disagree. Unfortunately, I have to point to some of the user oriented firewalls you get for windoze (which, to my knowledge, Linux does not have). When they are installed, they shut down basically everything incoming, and all but a few standard outgoing ports (http, smtp, pop and imap). When an application tries to go out of another port, a pop-up informs the user and they can choose to accept, accept or reject, with a forever modifier on both, and the firewall changes its rules appropriately. For un-informed users, this is a good thing. Well, I certainly disagree that the pop-up prompts are at all useful or offer any real security. Time and time again, studies of user interaction with security software have shown that this sort of security interaction is essentially useless. The only thing here that offers any real security protection is the default denial of all incoming traffic. And that just returns to my previous point, which is that the best and safest way to do that is to not listen to network traffic in the first place, rather than installing some daemon that listens to network traffic and then turning it off with a firewall. It's making the decision in the wrong place, and it's simply sloppy security thinking. But, even without the interaction of some of the Windows firewalls, just installing one of the firewall builders available on the workstation distros at least gives them some protection. No, it doesn't. What offers *real* protection is the fact that both Debian and Ubuntu don't run services that listen to the network on a default installation. -- Russ Allbery ([EMAIL PROTECTED]) http://www.eyrie.org/~eagle/
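The thread keeps returning to the point that what matters is which services listen on the network at all. As an added example (not part of the thread), the sketch below parses the Linux `/proc/net/tcp` table and separates loopback-only listeners from those reachable from the network; the sample table is constructed, the function names are hypothetical, and the address decoding assumes a little-endian host.

```python
import ipaddress
import os
import socket
import struct

TCP_LISTEN = "0A"  # state code the kernel prints for a listening socket

# Constructed sample in /proc/net/tcp layout (trailing columns trimmed).
# Ports: 0x19 = 25 (smtp), 0x6F = 111 (portmap), 0x16 = 22 (ssh), 0x277 = 631.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0019 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 5101
   1: 00000000:006F 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 4800
   2: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 5230
   3: 0A00A8C0:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 6012
   4: 0A00A8C0:8F2C 0101A8C0:0050 01 00000000:00000000 00:00000000 00000000  1000        0 7344
"""


def decode_endpoint(field):
    """Turn 'AABBCCDD:PPPP' into ('a.b.c.d', port).

    The address is a 32-bit value printed in host byte order; this assumes
    a little-endian machine (x86 and most ARM systems).
    """
    addr_hex, port_hex = field.split(":")
    addr = socket.inet_ntoa(struct.pack("<I", int(addr_hex, 16)))
    return addr, int(port_hex, 16)


def listeners(text):
    """All sockets in LISTEN state, sorted by port then address."""
    found = []
    for line in text.splitlines()[1:]:      # skip the header row
        cols = line.split()
        if len(cols) < 4 or cols[3] != TCP_LISTEN:
            continue                        # established, time-wait, ...
        found.append(decode_endpoint(cols[1]))
    return sorted(found, key=lambda e: (e[1], e[0]))


def split_by_exposure(text):
    """Return (loopback_only, network_reachable) listener lists.

    0.0.0.0 means "every interface", so it counts as network reachable.
    """
    local, exposed = [], []
    for addr, port in listeners(text):
        bucket = local if ipaddress.ip_address(addr).is_loopback else exposed
        bucket.append((addr, port))
    return local, exposed


if __name__ == "__main__":
    # Use the live table when present (IPv4 only; /proc/net/tcp6 is separate).
    path = "/proc/net/tcp"
    if os.path.exists(path):
        with open(path) as handle:
            table = handle.read()
    else:
        table = SAMPLE_PROC_NET_TCP
    local, exposed = split_by_exposure(table)
    print("loopback only:    ", local)
    print("network reachable:", exposed)
```

An empty second list is the "nothing listens by default" state described in the message above; every entry in it is a service to either justify or stop.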
Re: secure installation
On Thu, August 16, 2007 17:42, Russ Allbery wrote: R. W. Rodolico [EMAIL PROTECTED] writes: At this point, I disagree. Unfortunately, I have to point to some of the user oriented firewalls you get for windoze (which, to my knowledge, Linux does not have). When they are installed, the shut down basically everything incoming, and all but a few standard outgoing ports (http, smtp, pop and imap). When an application tries to go out of another port, a pop-up informs the user and they can choose to accept, accept or reject, with a forever modifier on both, and the firewall changes its rules appropriately. For un-informed users, this is a good thing. Well, I certainly disagree that the pop-up prompts are at all useful or offer any real security. Time and time again, studies of user interaction with security software have shown that this sort of security interaction is essentially useless. I realize many users just press the ok button and go on with it. I have no hope for them, but for the users who might actually understand what is going on. I just think for the normal user, this is more realistic than viewing log files. The only thing here that offers any real security protection is the default denial of all incoming traffic. And that just returns to my previous point, which is that the best and safest way to do that is to not listen to network traffic in the first place, rather than installing some daemon that listens to network traffic and then turning it off with a firewall. It's making the decision in the wrong place, and it's simply sloppy security thinking. But, even without the interaction of some of the Windows firewalls, just installing one of the firewall builders available on the workstation distro's at least gives them some protection. No, it doesn't. What offers *real* protection is the fact that both Debian and Ubuntu don't run services that listen to the network on a default installation. Actually, you and I do agree completely on this. 
First thing I do on a Debian install is shut down tons of services that Debian installs by default. I understand the reasoning behind it, just don't agree with that reasoning. And, I checked out Kubuntu and was pleased that it did not install these (apparently). Firewalls are for a stupidity shield. I had a situation where I was cracked on one of my servers a few years ago. It was totally my fault; I had a user I had mistakenly set up as an authorized ssh user who shouldn't have been. Their account was cracked, then the cracker got root access and installed a daemon that was ready to attack another server. My firewall gave one yelp, the cracker realized what was going on and told the firewall to shut up, basically. However, I got that one yelp from the firewall, investigated, and fixed the issue. A firewall is not, by any stretch of the imagination, the security for a server. Security for a server is, as you say, not running services that are not necessary. However, a firewall is for people like me, who make mistakes and, in so doing, create a security problem. -- Russ Allbery ([EMAIL PROTECTED]) http://www.eyrie.org/~eagle/ -- R. W. Rod Rodolico Daily Data, Inc. POB 140465 Dallas TX 75214-0465 214.827.2170 This is a private e-mail address for use only by clients of Daily Data. Please do not forward or give out this e-mail address to anyone.
Re: secure installation
R. W. Rodolico [EMAIL PROTECTED] writes:
> Firewalls are for a stupidity shield. I had a situation where I was cracked on one of my servers a few years ago. It was totally my fault; I had a user I had mistakenly set up as an authorized ssh user who shouldn't have been. Their account was cracked, then the cracker got root access and installed a daemon that was ready to attack another server. My firewall gave one yelp, the cracker realized what was going on and told the firewall to shut up, basically. However, I got that one yelp from the firewall, investigated, and fixed the issue.
>
> A firewall is not, by any stretch of the imagination, the security for a server. Security for a server is, as you say, not running services that are not necessary. However, a firewall is for people like me, who make mistakes and, in so doing, create a security problem.

I definitely agree that firewalls are good for defense in depth. Where I'm disagreeing is primarily over the idea that the average user is going to find this helpful. Most users are not going to be sufficiently paranoid to pay attention to that single yelp from the firewall, for instance, and if you do crank up notification to the point where they see such things, they end up complaining about legitimate traffic because they don't understand what any of it means.

Firewalls are good in the situation where, whenever you open up new network access, you want to have to make that choice independently in multiple locations. I'm dubious that this matches the desires of the average user or that forcing them to do this will really result in more security as opposed to further training to just always click Okay. It's great for administrators who want paranoid control over such things.

--
Russ Allbery ([EMAIL PROTECTED]) http://www.eyrie.org/~eagle/
Re: secure installation
Quoting R. W. Rodolico ([EMAIL PROTECTED]):
> Firewalls are for a stupidity shield. I had a situation where I was cracked on one of my servers a few years ago. It was totally my fault; I had a user I had mistakenly set up as an authorized ssh user who shouldn't have been. Their account was cracked, then the cracker got root access and installed a daemon that was ready to attack another server. My firewall gave one yelp, the cracker realized what was going on and told the firewall to shut up, basically. However, I got that one yelp from the firewall, investigated, and fixed the issue.

One notes that a ruleset that merely logged (prominently) a suspicious bit of network traffic that probably shouldn't exist would suffice. Actual IP/port filtering is orthogonal. A properly targeted file-based IDS would be very useful for that threat model, too.

My perspective is influenced by the fact that all attempts to help debug Linux networking failures have to start with "What does /sbin/iptables -L, run as root, say?" and "What's in /etc/hosts.allow and /etc/hosts.deny?" -- because people shooting at their pedal extremities with those, without any idea what they're doing, is a leading cause of networking problems.

--
Cheers,
Rick Moen
[EMAIL PROTECTED]
"English is essentially Plattdeutsch as spoken by a Frisian pretending to be French." -- Andreas Johansson, http://ccil.org/~cowan/essential.html
Re: secure installation
Rick Moen [EMAIL PROTECTED] writes:
> My perspective is influenced by the fact that all attempts to help debug Linux networking failures have to start with "What does /sbin/iptables -L, run as root, say?" and "What's in /etc/hosts.allow and /etc/hosts.deny?" -- because people shooting at their pedal extremities with those, without any idea what they're doing, is a leading cause of networking problems.

Yes, exactly.

All computer security is a tradeoff between security and usability. There's no way around that except in rare win-win situations. If you add more security, you reduce usability. If you reduce usability too far, people will make stupid security decisions out of frustration and you can easily end up in a worse situation than if you hadn't tried to add security in the first place. (You get users trained to press Okay on every security-related dialog box, for example.)

I think the average end user expects that, after they have installed a package, that package will work as advertised. If the act of installing the package is dangerous, I think that's something that ideally should be dealt with at the time of the installation decision, while the user is thinking about it. A debconf question asking the user if they really want to listen to Avahi events on the local network, for example. Letting the package install but then rendering it partly non-functional with a firewall that has to be changed somewhere else or that will pop up the first time the user tries to use some bit of functionality (possibly weeks later) strikes me as bad user interaction design.

--
Russ Allbery ([EMAIL PROTECTED]) http://www.eyrie.org/~eagle/
Re: secure installation
On 070816 at 20:37, Jan Hetges wrote:
> On Thu, Aug 16, 2007 at 07:45:06PM +0200, Michel Messerschmidt wrote:
>> But if a user installs a debian package that lowers his system's security there should be a big warning in the installer.
>
> agree, something like debconf:
> Are you sure you want this service running?
> This opens port bla on your network interface!
> NO yes

And you seriously believe that the simple minded user pictured in this thread will say no? You're lucky if he reads the message, let alone think about what it could mean. And he is right. He just told his installer to install cool program, and no open port or license agreement is going to stop him.

If the user is unable to install and/or configure a firewall/service, he is also unable to maintain it. Such a service should not be default. Either take responsibility or let the user actively choose.

So:
- There should be as few as possible services and dependencies. I always use the minimal install and I always have to replace that stupid exim, remove inetd and portmap. Whoever has use for portmap/inetd knows how to install them.
- Services should be configured secure by default, eg listening on localhost only. AFAIK, debian tries to do this.
- If a service poses a threat, eg can not be configured securely, disable it until the user has touched the configuration file. Some packages already do this.

Is there some generic policy how network-capable services are to be configured by default?

/steffen
Re: secure installation
On Wed, 15 Aug 2007 14:23:06 -0500 Pat [EMAIL PROTECTED] wrote:
> There are a few security issues I have noticed about debian's installation.
> 1) No firewall setup during the install process, as it would be a simple matter to run lokkit at the end of the install I fail to see why this is not done.
> 2) Rpfilter and tcp syncookies are not enabled by default. Again this is a simple correction, and indeed has been mentioned in several open source linux guides for years.
> 3) Do we really need portmap, inetd, or nfs running by default on our workstations?

There shouldn't be any ports open to internal network after installation. Where do you need firewall after installation when you can make one i.e. with iptables?

- Henri 'fgeek' Salo
Re: secure installation
Pat wrote:
> There are a few security issues I have noticed about debian's installation.
> 1) No firewall setup during the install process, as it would be a simple matter to run lokkit at the end of the install I fail to see why this is not done.
> 2) Rpfilter and tcp syncookies are not enabled by default. Again this is a simple correction, and indeed has been mentioned in several open source linux guides for years.
> 3) Do we really need portmap, inetd, or nfs running by default on our workstations?

1: Why on earth would anyone want to have a set of arbitrary restrictions applied onto a system without making informed choices, and understanding what they are doing? If you want to run lokkit (or whichever other widget you like) you run it, but don't try to force it on everyone (and especially not on me).

2: rp_filter is designed to be run on stub routers, and single-homed hosts. Many debian installations don't fall into this category (see any server in an environment with management production networks). This certainly shouldn't ever be the default. Again, if you want it, you run it. I certainly don't want it.

From the kernel documentation (2.6.20.1): "syncookies seriously violate TCP protocol". Great. Just what we need, make a system that's non compliant with TCP. This, again, should never be the default.

Seriously, what do you think these things are protecting you against?

3: They're not running in my base install. You must have put in packages that depend upon them.

--
ian
Re: secure installation
On Wednesday 15 August 2007 21:19, Henri Salo wrote:
> On Wed, 15 Aug 2007 14:23:06 -0500 Pat [EMAIL PROTECTED] wrote:
>> There are a few security issues I have noticed about debian's installation.
>> 1) No firewall setup during the install process, as it would be a simple matter to run lokkit at the end of the install I fail to see why this is not done.
>> 2) Rpfilter and tcp syncookies are not enabled by default. Again this is a simple correction, and indeed has been mentioned in several open source linux guides for years.
>> 3) Do we really need portmap, inetd, or nfs running by default on our workstations?
>
> There shouldn't be any ports open to internal network after installation. Where do you need firewall after installation when you can make one i.e. with iptables?

Yes, but not everyone is able to make one... There are a lot of people who are using Debian only as a workstation to create for example some OO documents, and they really don't need to know what iptables is or some other packages involved in security issues...

> - Henri 'fgeek' Salo

Regards
Pawel

--
Proud Debian GNU/Linux User: PawelatWartandotorg kadu:3735326 Registered Linux User : 406139 |PLUG :1966491030 Home Page: http://www.wartan.org
Re: secure installation
1) What if someone (and I am sure it happens more often than you may realize) who is clueless about computers decides to download Debian, installs it, get hacked, trojaned horsed, their credit card numbers stolen, etc. It is called responsibility, and we cannot blame it on them for knowing nothing, we can't all be computer security experts. In addition you have the option within lokkit to select no firewall if that is what you really want, so it seems to leave freedom of choice as to how to use your computer enabled, along with the option to uninstall it completely.

2) rp_filter provides protection against ip address spoofing which most machines not otherwise protected by a firewall need. Again, you would have the same option to turn it off if you feel you do not need the protection. Tcp syncookies provide protection against some DDOS attacks, and truthfully we all know tcp is broken, so who cares if it violates protocol.

3) All I have installed is the base package, Xwindows, and a desktop.

On 8/15/07, Ian McDonald [EMAIL PROTECTED] wrote:
> Pat wrote:
>> There are a few security issues I have noticed about debian's installation.
>> 1) No firewall setup during the install process, as it would be a simple matter to run lokkit at the end of the install I fail to see why this is not done.
>> 2) Rpfilter and tcp syncookies are not enabled by default. Again this is a simple correction, and indeed has been mentioned in several open source linux guides for years.
>> 3) Do we really need portmap, inetd, or nfs running by default on our workstations?
>
> 1: Why on earth would anyone want to have a set of arbitrary restrictions applied onto a system without making informed choices, and understanding what they are doing? If you want to run lokkit (or whichever other widget you like) you run it, but don't try to force it on everyone (and especially not on me).
>
> 2: rp_filter is designed to be run on stub routers, and single-homed hosts. Many debian installations don't fall into this category (see any server in an environment with management production networks). This certainly shouldn't ever be the default. Again, if you want it, you run it. I certainly don't want it.
>
> From the kernel documentation (2.6.20.1): "syncookies seriously violate TCP protocol". Great. Just what we need, make a system that's non compliant with TCP. This, again, should never be the default.
>
> Seriously, what do you think these things are protecting you against?
>
> 3: They're not running in my base install. You must have put in packages that depend upon them.
>
> --
> ian
Re: secure installation
Pat [EMAIL PROTECTED] writes:
> 1) No firewall setup during the install process, as it would be a simple matter to run lokkit at the end of the install I fail to see why this is not done.

A default install should simply not listen to the network, at which point a firewall is pointless complexity. I believe portmap is already listening only to localhost and inetd doesn't run if there are no services enabled.

--
Russ Allbery ([EMAIL PROTECTED]) http://www.eyrie.org/~eagle/
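
The claim in the message above, that a default install should not listen to the network and that services such as portmap can be bound to localhost only, can be checked on a running system. The following is an added example, not part of the original thread: it parses text in `/proc/net/tcp` layout and reports TCP listeners that are not bound to loopback. The sample data and function names are constructed for illustration, and the decoding assumes IPv4 on a little-endian host.

```python
import ipaddress
import socket
import struct

# Constructed sample in /proc/net/tcp layout (not taken from the thread).
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0019 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 11001 1 0000000000000000 100 0 0 10 0
   1: 00000000:006F 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 11002 1 0000000000000000 100 0 0 10 0
   2: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 11003 1 0000000000000000 100 0 0 10 0
   3: 0A00000A:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 11004 1 0000000000000000 100 0 0 10 0
   4: 0A00000A:0016 0200000A:C350 01 00000000:00000000 02:000A1B2C 00000000     0        0 11005 2 0000000000000000 20 4 30 10 -1
"""

TCP_LISTEN = "0A"  # state code the kernel prints for listening sockets


def decode_endpoint(field):
    """Turn 'HEXADDR:HEXPORT' into (dotted_ip, port)."""
    hex_ip, hex_port = field.split(":")
    # Assumption: little-endian host (x86/amd64), so the address bytes read reversed.
    ip = socket.inet_ntoa(struct.pack("<I", int(hex_ip, 16)))
    return ip, int(hex_port, 16)


def listening_sockets(proc_text):
    """Return (ip, port) for every IPv4 TCP socket in LISTEN state."""
    found = []
    for line in proc_text.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) >= 4 and fields[3] == TCP_LISTEN:
            found.append(decode_endpoint(fields[1]))
    return found


def exposed_listeners(proc_text):
    """Listeners reachable from the network, i.e. not bound to loopback."""
    return [(ip, port) for ip, port in listening_sockets(proc_text)
            if not ipaddress.ip_address(ip).is_loopback]


if __name__ == "__main__":
    try:
        with open("/proc/net/tcp") as fh:
            text = fh.read()
    except OSError:
        text = SAMPLE_PROC_NET_TCP  # fall back to the constructed sample
    for ip, port in exposed_listeners(text):
        print(f"listening on non-loopback address {ip}:{port}")
```

In the constructed sample, the mail and printing listeners on 127.0.0.1 are ignored, while the wildcard listener on port 111 and the ssh listener on 10.0.0.10 are reported; IPv6 sockets live in `/proc/net/tcp6`, which uses a different address width and is not handled here.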