Howard Lowndes was once rumoured to have said:
> On Tue, 27 Feb 2001, chesty wrote:
> 
>> We had our linux firewalls audited and I wanted to get some opinions on some
>> of the issues raised.
>>
>> We were advised to turn sshd PasswordAuthentication off because it allows
>> clear text passwords.
>> hey? That doesn't sound right.
> 
> Sounds like good cause to not pay the auditors as they seem not to know
> what they talk about.

I concur with Howard - but their suggestion is legitimate - but for a
different reason.  PasswordAuthentication means you're relying upon
users to pick sensible passwords.  It's actually best to make sure
nobody but your administrators has access to your firewall systems.

>> Mount partitions read only where possible.
>> I guess this is a good idea, but in what situation would this add
>> security?  You need to be root to be able to write to the
>> partitions that I could mount read only, and if someone gets root,
>> they can remount partitions read write.

It adds no real security IMO.  It just makes things a little more
awkward, both for admins and for people breaking in - but it doesn't
grant you any great gains.

>> Remove man pages.
>> Again, I can't see the harm in doing this, but I can't see the point.

Security through obscurity.  Bleh.  Get lost.  Obscurity doesn't gain
any security.

>> Remove unnecessary binaries.
>> A good idea no doubt, but the firewall doesn't allow shell access,
>> and the way I see it is if someone gets shell access they can
>> upload their own bin's.
>
> You could say the same about some libraries after you have done an
> assessment of those required by the remaining binaries, but then the
> auditors wouldn't even know what these are, judging by their earlier
> remarks.

Removing binaries just means the attackers have to get them in via
some other means.

>> It doesn't mention it in the report, but would mounting /home, /tmp
>> and /var with noexec help? It might stop a non root user from
>> running their own programs, but it won't stop root.
> 
> What about cgi-bins in /home/httpd (old RH) or /var/www (FSSTD, I think)?
> OK, so it's your firewall and you would not run cgi-bins on that, would
> you?

Yet again, this is the same argument as the readonly mount.  Not worth
the hassle.

>> Capabilities wasn't mentioned in the report, and I haven't removed
>> any (yet).  Time to do some reading on removing linux kernel
>> capabilities I think.

This is always a great one.  For a start, axe a.out support.  You
don't need it, and you immediately stop all root-kits predating the ELF
changeover from working.  Surprisingly, there was an attack against a
place I ended up working at 2 and a half years ago using an a.out
rootkit.  They still might be about.  You won't need a.out support
anyway.

Better yet... Shut down *ALL* listening services.  Log to a remote
system behind your firewall, make sure you can only log into the
console, etc.  The best way to protect a system is with the minimum
footprint approach.  You can't compromise a service that just isn't
running.

>> What do people use for analysing firewall log files?
>> There's 84 projects under that category on freshmeat.

grep and less.

C.
-- 
--==============================================--
  Crossfire      | This email was brought to you
  [EMAIL PROTECTED] | on 100% Recycled Electrons
--==============================================--
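Added example, not code from the original post or from anyone on the list: a few POSIX sh helpers that check the settings the audit raised (sshd PasswordAuthentication, read-only and noexec mounts, a.out support in the kernel config) and summarise firewall log lines the "grep and less" way. The sshd_config, mount table, kernel config and log lines are constructed samples embedded inline; the function names are my own and nothing here reads the live system.

```shell
#!/bin/sh
# Added example for the thread above: audit checks plus grep/awk log summaries.
# Every input below is a constructed sample, not a real config or log.

# --- constructed sshd_config -------------------------------------------------
SSHD_CONFIG_SAMPLE='# constructed sample, not a real sshd_config
Port 22
#PasswordAuthentication yes
PasswordAuthentication no
PermitRootLogin no'

# sshd_password_auth_off CONFIG: 0 if the effective value is "no".
# sshd uses the first non-comment occurrence of a keyword, so take the first.
sshd_password_auth_off() {
    value=$(printf '%s\n' "$1" \
        | grep -v '^[[:space:]]*#' \
        | awk 'tolower($1) == "passwordauthentication" { print tolower($2); exit }')
    [ "$value" = "no" ]
}

# --- constructed /proc/mounts-style table ------------------------------------
MOUNTS_SAMPLE='/dev/sda1 / ext3 rw,errors=remount-ro 0 0
/dev/sda2 /usr ext3 ro,nodev 0 0
/dev/sda3 /tmp ext3 rw,noexec,nosuid,nodev 0 0
/dev/sda4 /home ext3 rw,nosuid 0 0'

# mount_has_option TABLE MOUNTPOINT OPTION: 0 if MOUNTPOINT carries OPTION.
# Exact token match on the comma-separated list, so "ro" does not match
# "errors=remount-ro".
mount_has_option() {
    printf '%s\n' "$1" | awk -v mp="$2" -v opt="$3" '
        $2 == mp { n = split($4, o, ","); for (i = 1; i <= n; i++) if (o[i] == opt) found = 1 }
        END { exit found ? 0 : 1 }'
}

# --- constructed kernel .config fragment -------------------------------------
KCONFIG_SAMPLE='CONFIG_BINFMT_ELF=y
# CONFIG_BINFMT_AOUT is not set'

# kernel_aout_disabled CONFIG: 0 unless a.out support is built in or modular.
kernel_aout_disabled() {
    ! printf '%s\n' "$1" | grep -q '^CONFIG_BINFMT_AOUT=[ym]'
}

# --- constructed iptables-style LOG lines ------------------------------------
LOG_SAMPLE='Feb 27 10:01:02 fw kernel: DROP: IN=eth0 OUT= SRC=192.0.2.10 DST=203.0.113.5 PROTO=TCP SPT=4444 DPT=23
Feb 27 10:01:03 fw kernel: DROP: IN=eth0 OUT= SRC=192.0.2.10 DST=203.0.113.5 PROTO=TCP SPT=4445 DPT=21
Feb 27 10:01:04 fw kernel: ACCEPT: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.5 PROTO=TCP SPT=51000 DPT=22
Feb 27 10:01:05 fw kernel: DROP: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.5 PROTO=UDP SPT=53 DPT=111
Feb 27 10:01:06 fw kernel: DROP: IN=eth0 OUT= SRC=192.0.2.10 DST=203.0.113.5 PROTO=TCP SPT=4446 DPT=139'

# dropped_by_source LOG: "count source" per line, busiest dropped source first.
dropped_by_source() {
    printf '%s\n' "$1" \
        | grep 'DROP:' \
        | sed -n 's/.*SRC=\([^ ]*\).*/\1/p' \
        | sort | uniq -c | sort -rn \
        | awk '{ print $1, $2 }'
}

# ports_probed_by LOG SOURCE: distinct dropped destination ports from SOURCE,
# ascending, space separated on one line.
ports_probed_by() {
    printf '%s\n' "$1" \
        | grep 'DROP:' | grep "SRC=$2 " \
        | sed -n 's/.*DPT=\([0-9]*\).*/\1/p' \
        | sort -n | uniq \
        | tr '\n' ' ' | sed 's/ $//'
}

# Stand-alone run: print the audit verdicts and the log summary.
report() {
    if sshd_password_auth_off "$SSHD_CONFIG_SAMPLE"; then
        echo "sshd: PasswordAuthentication off"
    else
        echo "sshd: PasswordAuthentication still on"
    fi
    for mp in /usr /tmp /home; do
        for opt in ro noexec; do
            mount_has_option "$MOUNTS_SAMPLE" "$mp" "$opt" && echo "$mp: $opt"
        done
    done
    kernel_aout_disabled "$KCONFIG_SAMPLE" && echo "kernel: a.out support disabled"
    echo "dropped packets by source:"
    dropped_by_source "$LOG_SAMPLE"
}
report
```

Against real hosts the constructed strings would be replaced by `cat /etc/ssh/sshd_config`, `cat /proc/mounts`, the running kernel's config and `/var/log/messages`; the token match in mount_has_option matters because a substring grep for "ro" would wrongly pass the root filesystem in the sample.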

-- 
SLUG - Sydney Linux User Group Mailing List - http://slug.org.au/
More Info: http://slug.org.au/lists/listinfo/slug
