Re: A simple question FORK! Something that bugs me about net-installs and security
On 1/28/07, Hodgins Family [EMAIL PROTECTED] wrote:
> > Firewalling routers are $50 and do a reasonably good job.
> Any recommendations? What are you using?

I believe that just about any home wireless AP / switch / router these days does stateful packet inspection and NAT, making it a decent HW firewall. I've been happily using an old Netgear MR814 (only 802.11b, not g, and only WEP, no WPA) for years. I just bought a new Trendware TEW-432BRP [0] for $40 with $20 rebate (free shipping) from Newegg.com (g, WPA, WPA2), but I haven't tested it yet.

Celejar

[0] http://www.newegg.com/Product/Product.asp?Item=N82E16833156038

--
To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: A simple question FORK! Something that bugs me about net-installs and security
> Firewalling routers are $50 and do a reasonably good job.

Any recommendations? What are you using?
Re: A simple question FORK! Something that bugs me about net-installs and security
On 01/28/07 09:08, Hodgins Family wrote:
> > Firewalling routers are $50 and do a reasonably good job.
> Any recommendations? What are you using?

I use a Netgear RP614v2, but don't like it. The Linux geek fave is the Linksys WRT54GL, since it runs Linux and can be upgraded with 3rd-party binaries. It's a wireless access port, but also has 4 RJ45 jacks and has a firewall. US$54 at Newegg.
Re: A simple question FORK! Something that bugs me about net-installs and security
> I use a Netgear RP614v2, but don't like it. The Linux geek fave is the Linksys WRT54GL, since it runs Linux and can be upgraded with 3rd-party binaries. It's a wireless access port, but also has 4 RJ45 jacks and has a firewall. US$54 at Newegg.

Thanks!
Re: A simple question FORK! Something that bugs me about net-installs and security
Hodgins Family [EMAIL PROTECTED] writes:
> > The Linux geek fave is the Linksys WRT54GL, since it runs Linux and can be upgraded with 3rd-party binaries. It's a wireless access port, but also has 4 RJ45 jacks and has a firewall. US$54 at Newegg.
> Thanks!

Make sure you buy v4 or below. v5 can't be upgraded (and doesn't run Linux)

--
John L. Fjellstad
web: http://www.fjellstad.org/
Quis custodiet ipsos custodes
Re: A simple question FORK! Something that bugs me about net-installs and security
On 01/28/07 13:32, John L Fjellstad wrote:
> Hodgins Family [EMAIL PROTECTED] writes:
> > > The Linux geek fave is the Linksys WRT54GL, since it runs Linux and can be upgraded with 3rd-party binaries. It's a wireless access port, but also has 4 RJ45 jacks and has a firewall. US$54 at Newegg.
> > Thanks!
> Make sure you buy v4 or below. v5 can't be upgraded (and doesn't run Linux)

I thought that was the difference between the WRT54GL and WRT54G.
Re: A simple question FORK! Something that bugs me about net-installs and security
On Sun, Jan 28, 2007 at 08:08:55AM -0700, Hodgins Family wrote:
> > Firewalling routers are $50 and do a reasonably good job.
> Any recommendations? What are you using?

Get any old (now 486 or newer) box and install basic debian on it. Add shorewall and you have a totally configurable firewall. Check out FAI and you have an easily restored firewall if something does break. This is often a no-cost option.

Doug.
Re: A simple question FORK! Something that bugs me about net-installs and security
Ron Johnson [EMAIL PROTECTED] writes:
> On 01/28/07 13:32, John L Fjellstad wrote:
> > Make sure you buy v4 or below. v5 can't be upgraded (and doesn't run Linux)
> I thought that was the difference between the WRT54GL and WRT54G.

You're right. The WRT54GL is the linux version. From what I can gather from the Linksys pages, I think the new version is the WRT54GS.

--
John L. Fjellstad
web: http://www.fjellstad.org/
Quis custodiet ipsos custodes
Re: A simple question FORK! Something that bugs me about net-installs and security
On 1/28/07, John L Fjellstad [EMAIL PROTECTED] wrote:
> Make sure you buy v4 or below. v5 can't be upgraded (and doesn't run Linux)

The WRT54G v4 was re-released as the WRT54GL - the L for Linux.

Zach
Re: A simple question FORK! Something that bugs me about net-installs and security
On 01/27/07 01:44, Andrei Popescu wrote:
> On Sat, 27 Jan 2007 01:24:33 -0600 Ron Johnson [EMAIL PROTECTED] wrote:
> > > Shouldn't the setup of a firewall be part of the installation routine? Perhaps prior to running tasksel, some script could query the user about using a firewall and/or help him/her set an appropriate one up?
> > Probably so.
>
> ~$ apt-cache search firewall | wc -l
> 130
>
> From those I counted at least 10 to be firewalls. So which one will be the default one?

One that you can run from the console. (Pardon my ambiguity; I live behind a h/w firewall.)
Re: A simple question FORK! Something that bugs me about net-installs and security
On Fri, Jan 26, 2007 at 10:01:43PM -0600, Ron Johnson wrote:
> On 01/26/07 19:03, Hodgins Family wrote:
> > Many people are installing Debian from the internet. Yet, the Securing Debian Manual suggests no contact with the internet until the installation is secure. The manual states that installing the OS off the web is not the best idea (Section 3.3 found here: http://www.debian.org/doc/manuals/securing-debian-howto/ch3.en.html ) Is the manual WRONG about net installs?
>
> Did you *read* the link you posted?
>
> 3.3 Do not plug to the Internet until ready
> The system should not be immediately connected to the Internet during installation. [snip] If you cannot do this, you can set up firewall rules to limit access to the system while doing the update (see Security update protected by a firewall, Appendix F).
>
> http://www.debian.org/doc/manuals/securing-debian-howto/ap-fw-security-update.en.html
>
> > Are net installs (let's say for a Desktop environment) totally without vulnerability risks? When, during an installation, do/should people think about security/vulnerability issues of the software they are installing?
>
> Actually, not much. Firewalling routers are $50 and do a reasonably good job.

Doesn't help much if one is accessing the net via a dial-up modem. Why doesn't the installer:

1. automatically put up a firewall rule that only allows traffic related to the installation procedure.
2. Install a basic firewall like ipmasq to cover someone until they can get something better up and running.

?

I'm lucky in that I have an old 486 I used with a modem to also do the firewall. I didn't use my Etch amd64 box on the net directly until Etch got security support.

Doug.
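What Doug's first item would look like if you did it by hand on the just-booted box, as an added example that is not taken from the thread, from Appendix F of the Securing Debian Manual, or from debian-installer: an iptables rule set that lets the install reach one mirror over HTTP and one resolver for DNS and nothing else, with no unsolicited inbound traffic at all. The interface name, mirror address and resolver address are placeholders you supply; the 192.0.2.x addresses in the usage line are constructed from the documentation range, not real hosts. It must run as root; set IPT=echo to print the rules instead of applying them.

```shell
#!/bin/sh
# Added example, not from the debian-user thread, the Securing Debian
# Manual or debian-installer: the "only traffic related to the installation"
# rule set asked for above, as a script run (as root) before fetching
# packages. MIRROR_IP and NAMESERVER_IP are placeholders; there is no
# default mirror or resolver baked in here.

set -eu

IPT=${IPT:-iptables}   # set IPT=echo to preview the rules without applying them
IFACE=${IFACE:-ppp0}   # dial-up interface in Doug's case; eth0 on a LAN

# install_lockdown MIRROR_IP NAMESERVER_IP
# Default deny in both directions, allow loopback, allow replies to
# connections this host opened, and allow only DNS to one resolver and
# HTTP to one mirror. The installer is purely a client, so nothing
# inbound is ever NEW.
install_lockdown() {
    mirror=$1; ns=$2
    "$IPT" -P INPUT DROP
    "$IPT" -P FORWARD DROP
    "$IPT" -P OUTPUT DROP
    "$IPT" -F
    # Loopback: apt/dpkg helpers and a local resolver need it.
    "$IPT" -A INPUT  -i lo -j ACCEPT
    "$IPT" -A OUTPUT -o lo -j ACCEPT
    # Stateful: only packets belonging to connections we initiated come in.
    "$IPT" -A INPUT -i "$IFACE" -m state --state ESTABLISHED,RELATED -j ACCEPT
    # DNS (UDP and TCP, for large answers) to the one resolver we configured.
    "$IPT" -A OUTPUT -o "$IFACE" -p udp -d "$ns" --dport 53 -m state --state NEW -j ACCEPT
    "$IPT" -A OUTPUT -o "$IFACE" -p tcp -d "$ns" --dport 53 -m state --state NEW -j ACCEPT
    # HTTP to the one mirror in sources.list; apt and busybox wget use nothing else.
    "$IPT" -A OUTPUT -o "$IFACE" -p tcp -d "$mirror" --dport 80 -m state --state NEW -j ACCEPT
    # Rate-limited log of whatever else knocks, so a scan during the install shows up.
    "$IPT" -A INPUT -i "$IFACE" -m limit --limit 5/min -j LOG --log-prefix "install-drop: "
}

# install_unlock: back to an open policy once the real firewall is in place.
install_unlock() {
    "$IPT" -P INPUT ACCEPT
    "$IPT" -P FORWARD ACCEPT
    "$IPT" -P OUTPUT ACCEPT
    "$IPT" -F
}

# Usage: ./install-fw.sh lock 192.0.2.10 192.0.2.53   (constructed addresses)
#        ./install-fw.sh unlock
if [ $# -gt 0 ]; then
    case "$1" in
        lock)   install_lockdown "$2" "$3" ;;
        unlock) install_unlock ;;
        *)      echo "usage: $0 lock MIRROR_IP NAMESERVER_IP | unlock" >&2; exit 64 ;;
    esac
fi
```

Two things to watch. The mirror is given as an address rather than a name on purpose: iptables resolves a hostname once, at rule insertion time, which would need DNS before the DNS rule exists and would silently pin whatever address the resolver returned at that moment. And the rules live only in the running kernel, so the installed system boots without them; either run the same script again before the first apt-get on the new system, or save them with iptables-save and restore them early at boot. The -m state match is the older spelling of -m conntrack --ctstate and is still accepted.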
Re: A simple question FORK! Something that bugs me about net-installs and security
Many people are installing Debian from the internet. Yet, the Securing Debian Manual suggests no contact with the internet until the installation is secure. The manual states that installing the OS off the web is not the best idea (Section 3.3 found here: http://www.debian.org/doc/manuals/securing-debian-howto/ch3.en.html ) Is the manual WRONG about net installs?

Are net installs (let's say for a Desktop environment) totally without vulnerability risks? When, during an installation, do/should people think about security/vulnerability issues of the software they are installing?
Re: A simple question FORK! Something that bugs me about net-installs and security
Hodgins Family wrote:
> Are net installs (let's say for a Desktop environment) totally without vulnerability risks? When, during an installation, do/should people think about security/vulnerability issues of the software they are installing?

Well, let's see.. to perform a network install, you download a netinst iso from the web. This is an excellent opportunity for an attacker to feed you a compromised image that will be running as root on your computer. You can avoid this risk by checking the MD5SUMS file in the same directory as the iso, and using the MD5SUMS.sign file to check that the MD5SUMS file isn't compromised too. Assuming that you have some way of running gpg, and some way of trusting the person who signed the image. Also assuming that the image you're downloading is a released version of the installer; daily builds aren't signed.

Shortly after the installer boots up, it's connected to the network[4]. At this point it's vulnerable to anything that any linux kernel on the network is vulnerable to. If there's a remote exploit in the linux kernel, an attacker could compromise your installer as it's running. Suitable remote exploits are fairly rare, and the installer is probably not an ideal target to compromise, since it's not very similar to a standard linux distribution[3].

The only network services that the installer uses are dns and http, with the http being done by busybox wget and by apt. Any remote exploits in those programs could also be used to exploit the installer.

All data received via http is required to be signed with gpg keys built into the installer[2]. While this does mean that remote exploits in gnupg[0] could also be used to exploit the installer, it cuts off most potential for the packages that are downloaded to be compromised.

No additional services are started during the installation process[1].

Once the installation is complete and it boots into the installed system, whatever services are started by the tasks you selected are running, and any security issues with those have to be considered.

--
see shy jo

[0] Eg: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6235
[1] Unless you tell the installer to open a ssh network console.
[2] Only true for the etch installer; the current stable version of the installer does not use gpg signatures.
[3] Ie, it's running from a ramdisk, and is going to reboot in N minutes into the installed system..
[4] Suppose I should mention that it uses dhclient, for completeness.
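The download check described in the message above, as an added example that is not code from the thread or from debian-installer: a POSIX shell script that verifies the signature on the checksum list before trusting any digest in it, and only then compares the image's digest with the listed one. It assumes gpg and coreutils are installed, that the checksum list and its detached signature sit beside the image under the names Debian publishes (MD5SUMS and MD5SUMS.sign, or the SHA256SUMS pair), and that you have already decided which signing key to trust and put it in a keyring of its own; the keyring path and image name in the usage comment are placeholders.

```shell
#!/bin/sh
# Added example, not from the debian-user thread or from debian-installer:
# verify a downloaded netinst image against its signed checksum list, in
# the order described above: signature on the list first, then the image
# against the list. Assumes gpg and coreutils (md5sum/sha256sum, awk).
# File names follow what Debian publishes beside the image; which key to
# trust is your decision, and the keyring path below is a placeholder.

set -u

# verify_sums_signature SUMS_FILE SIG_FILE KEYRING
# Succeeds only if gpg reports VALIDSIG from a key in KEYRING. Naming the
# keyring explicitly means a signature from some random key that happens
# to sit in your default keyring does not count.
verify_sums_signature() {
    sums=$1; sig=$2; keyring=$3
    gpg --no-default-keyring --keyring "$keyring" \
        --status-fd 1 --verify "$sig" "$sums" 2>/dev/null \
        | grep -q '^\[GNUPG:\] VALIDSIG '
}

# expected_sum SUMS_FILE IMAGE_NAME
# Prints the digest listed for IMAGE_NAME (basename) in a MD5SUMS/SHA256SUMS
# style file ("<hex>  <name>", sometimes "./name" or "*name"), or nothing
# if the image is not listed.
expected_sum() {
    sums=$1; name=$2
    awk -v n="$name" '{ f = $2; sub(/^\.\//, "", f); sub(/^\*/, "", f)
                        if (f == n) { print $1; exit } }' "$sums"
}

# verify_image SUMS_FILE IMAGE [HASHER]
# HASHER is md5sum or sha256sum, matching the list file. Returns 0 if the
# image's digest equals the listed one, 1 if it differs or is not listed.
verify_image() {
    sums=$1; image=$2; hasher=${3:-md5sum}
    want=$(expected_sum "$sums" "$(basename "$image")")
    [ -n "$want" ] || { echo "$(basename "$image"): not listed in $sums" >&2; return 1; }
    have=$("$hasher" "$image" | awk '{ print $1 }')
    [ "$have" = "$want" ]
}

# verify_netinst IMAGE SUMS SIG KEYRING [HASHER]
# The whole chain. A digest from a list you have not authenticated proves
# nothing, so the signature check comes first and a failure there (exit 2)
# stops before the image is even hashed; a digest mismatch exits 1.
verify_netinst() {
    image=$1; sums=$2; sig=$3; keyring=$4; hasher=${5:-md5sum}
    verify_sums_signature "$sums" "$sig" "$keyring" \
        || { echo "bad or missing signature on $sums" >&2; return 2; }
    verify_image "$sums" "$image" "$hasher" \
        || { echo "$image does not match $sums" >&2; return 1; }
    echo "$image: signature and checksum OK"
}

# Usage (placeholder names; the keyring holds only the key you chose to trust):
#   verify_netinst debian-netinst.iso MD5SUMS MD5SUMS.sign /usr/share/keyrings/debian-keyring.gpg
#   verify_netinst debian-netinst.iso SHA256SUMS SHA256SUMS.sign ./trusted.gpg sha256sum
```

MD5 is adequate here only for spotting a corrupted or substituted download, and only because the list itself is signed; where the mirror also offers SHA256SUMS and SHA256SUMS.sign, use those and pass sha256sum as the last argument. Whether to trust the signer at all is the part gpg cannot decide for you, as the message says, which is why the script takes a keyring you assembled rather than whatever --verify would find by default.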
Re: A simple question FORK! Something that bugs me about net-installs and security
On 01/26/07 19:03, Hodgins Family wrote:
> Many people are installing Debian from the internet. Yet, the Securing Debian Manual suggests no contact with the internet until the installation is secure. The manual states that installing the OS off the web is not the best idea (Section 3.3 found here: http://www.debian.org/doc/manuals/securing-debian-howto/ch3.en.html ) Is the manual WRONG about net installs?

Did you *read* the link you posted?

    3.3 Do not plug to the Internet until ready
    The system should not be immediately connected to the Internet during installation. [snip] If you cannot do this, you can set up firewall rules to limit access to the system while doing the update (see Security update protected by a firewall, Appendix F).

http://www.debian.org/doc/manuals/securing-debian-howto/ap-fw-security-update.en.html

> Are net installs (let's say for a Desktop environment) totally without vulnerability risks? When, during an installation, do/should people think about security/vulnerability issues of the software they are installing?

Actually, not much. Firewalling routers are $50 and do a reasonably good job.
Re: Re: A simple question FORK! Something that bugs me about net-installs and security
Hmmm, every time I do a net install, it installs the base files first, reboots, and then uses the actual system to install the rest...

Angelo
Re: A simple question FORK! Something that bugs me about net-installs and security
> Did you *read* the link you posted?

Yes, I've read/seen this Appendix F section in various versions. Up until the last version that I read (version 3.10 of last November) there has been a "FIXME: test this setup to see if it works properly". Didn't exactly inspire me to use it as an aid for net installations! Now, I'm seeing that the January version of the document no longer has the FIXME in it. Sorry for missing that the FIXME had gone missing!

Shouldn't the setup of a firewall be part of the installation routine? Perhaps prior to running tasksel, some script could query the user about using a firewall and/or help him/her set an appropriate one up?

Yeah, I know this sounds odd, but when a user is doing an installation and there is not a mention of firewalls during the procedure, and when the user reads the Installation manual and there is only one mention of firewalls (not in the context of the actual installation), I think that the user is not being fully informed at exactly the time he or she needs as much information as possible.
Re: A simple question FORK! Something that bugs me about net-installs and security
On 01/27/07 01:16, Hodgins Family wrote:
> > Did you *read* the link you posted?
> Yes, I've read/seen this Appendix F section in various versions. Up until the last version that I read (version 3.10 of last November) there has been a "FIXME: test this setup to see if it works properly". Didn't exactly inspire me to use it as an aid for net installations! Now, I'm seeing that the January version of the document no longer has the FIXME in it. Sorry for missing that the FIXME had gone missing!
>
> Shouldn't the setup of a firewall be part of the installation routine? Perhaps prior to running tasksel, some script could query the user about using a firewall and/or help him/her set an appropriate one up?

Probably so.

> Yeah, I know this sounds odd, but when a user is doing an installation and there is not a mention of firewalls during the procedure, and when the user reads the Installation manual and there is only one mention of firewalls (not in the context of the actual installation), I think that the user is not being fully informed at exactly the time he or she needs as much information as possible.
Re: A simple question FORK! Something that bugs me about net-installs and security
On Sat, 27 Jan 2007 01:24:33 -0600
Ron Johnson [EMAIL PROTECTED] wrote:
> > Shouldn't the setup of a firewall be part of the installation routine? Perhaps prior to running tasksel, some script could query the user about using a firewall and/or help him/her set an appropriate one up?
> Probably so.

~$ apt-cache search firewall | wc -l
130

From those I counted at least 10 to be firewalls. So which one will be the default one?

Regards,
Andrei
--
If you can't explain it simply, you don't understand it well enough. (Albert Einstein)