On Wed, 20 Jan 2010, Edward Ned Harvey wrote:

>> modern desktop distros are pretty locked down and don't have lots of
>> ports open to the network the way they used to be a few years ago.
>
> Hopefully you're just talking about modern linux desktop distros. Cuz
> windows and osx are pretty loose about opening things up to the network. I
> don't know any OS with worse security than OSX. I'll qualify that by saying
> by default, OSX has no firewall enabled at all, and bonjour happily
> broadcasts to everyone, "Bonjour, everybody! Here's a list of what services
> I'm running..."

yes, I was talking linux. I haven't seen OSX advertised with separate server
or desktop distros, and even with windows there's not much difference.

>> I agree that most modern distros have lots of unnecessary things running
>> (be they a server or desktop distro), but they are all blocked. most
>> desktop distros do block logins as root.
>
> To simply have unnecessary services blocked by the firewall isn't good
> enough. Typically if somebody's going to leverage a vulnerability to get
> into your server, they have to string together more than one. For example,
> if there's some loophole in apache that lets you run some arbitrary file on
> disk under the "apache" user account ... doesn't do any good unless you find
> some way to write a file to disk.
>
> If somebody finds a vulnerability in a service that you have available...
> The next thing they'll need to find is another service they can exploit.
> Perhaps the firewall will block them from doing this as long as they're
> attacking via the WAN, but if they've already compromised one service, it's
> pretty likely they'll use that to their advantage, and attempt making apache
> (or whatever they've compromised) do an attack on some other service via
> localhost or the LAN, where perhaps your firewall rules are circumvented.
>
> The smart thing is not to rely on your firewall to block services you have
> running, but instead, to disable and ideally remove those services.
>
> And an exploit doesn't necessarily have to be in a running service or daemon
> either. Suppose you've got some library with a flaw in it ... say ...
> opencv. This is a bad example because it's pretty unlikely that apache
> would have any binaries linked to opencv ... Well, whatever. Point is, once
> you've got one exploit, anything is fair game to use as your 2nd, or 3rd
> exploit. It could be any library, scripting language, command line tool, or
> anything at all ... as long as it has some vulnerability, and some way to
> exploit that vulnerability. Start linking things together and you've got
> varying degrees of control of the remote system, perhaps eventually root.
> The smart thing is not to assume "there's no way anybody can exploit
> libopencv." The smart thing is to remove libopencv as long as you know you
> don't need it.
>
> With some variable level of success in compromising somebody's system...
> you've got a system, belonging to somebody else, that you can use to store
> and transfer the kiddie porn you've just sold to some pervert. If anybody
> gets busted, you've covered your tracks. Difficult though it may be to
> break into somebody's system like this ... the motivation is high. And it
> does happen.

I fully agree that it's best to do a stripped install, however a default
server distro install can install as much or more than a desktop distro
install. It could be argued that the server distros install more powerful
(and therefore dangerous) stuff by default.

the disagreement isn't over if it's a good idea to only have the minimum
installed, it's over your statement that implied that someone who started
with a desktop distro was just wrong, where if they started from a server
install they would be safe.

>> I agree that it's best to not have services installed that aren't needed,
>> but nowadays the difference between a 'desktop' and a 'server' is a matter
>> of degree, not a matter of kind.
>>
>> the desktop and server versions of a distro have the exact same package
>> management tools on them, the packages have the exact same dependency
>> declarations, so really the only difference between the two is the
>> packages installed by default.
>
> I don't believe it's possible to install Ubuntu Desktop without X11, gnome,
> Bluetooth, cups, ekiga, firefox, openoffice, java, libmono, perl, python,
> pidgin, or rdesktop. Is it?

you can apt-get purge any or all of those packages.

> It may be true the only difference between ubuntu desktop & ubuntu server is
> a matter of package selection. But to an extent, you don't have control
> over the package selection. And that's a huge difference.

you don't control the default install, but you definitely do control the
final package selection.

David Lang

_______________________________________________
Tech mailing list
[email protected]
http://lopsa.org/cgi-bin/mailman/listinfo/tech
This list provided by the League of Professional System Administrators
http://lopsa.org/
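The thread's practical advice is to find out what is actually listening on the network and then remove the package behind anything you don't need, rather than leaving it to firewall rules. As an added example (not part of this mailing-list exchange), the POSIX shell script below does that first step: it takes the output of `ss -H -ltnup` (a constructed sample is embedded so it runs offline; the process names and pids in it are made up) and prints only the sockets bound beyond loopback, since those are the ones a firewall is currently the sole thing in front of. The `owning_package` helper assumes a Debian/Ubuntu host with `dpkg`; its output is what you would hand to `apt-get purge` once you have decided the service is not needed.

```shell
#!/bin/sh
# Added example, not from the thread. Lists listening sockets reachable beyond
# loopback so each can be reviewed for removal instead of relying on the firewall.
# Input format is that of `ss -H -ltnup` (listening, tcp+udp, numeric, processes, no header):
#   Netid State Recv-Q Send-Q Local-Address:Port Peer-Address:Port Process

# Constructed sample of `ss -H -ltnup` output (pids and names are made up).
SAMPLE_SS='tcp   LISTEN 0 128 127.0.0.1:631 0.0.0.0:* users:(("cupsd",pid=812,fd=7))
tcp   LISTEN 0 128 0.0.0.0:22    0.0.0.0:* users:(("sshd",pid=701,fd=3))
tcp   LISTEN 0 50  0.0.0.0:3389  0.0.0.0:* users:(("xrdp",pid=990,fd=11))
udp   UNCONN 0 0   0.0.0.0:5353  0.0.0.0:* users:(("avahi-daemon",pid=655,fd=12))
tcp   LISTEN 0 128 [::1]:631     [::]:*    users:(("cupsd",pid=812,fd=8))'

# exposed_services SS_OUTPUT
# Prints "proto local-address process" for every socket not bound to a loopback address.
exposed_services() {
    printf '%s\n' "$1" | awk '
    NF >= 5 {
        addr = $5
        host = addr
        sub(/:[0-9*]+$/, "", host)   # drop the port: 0.0.0.0:22 -> 0.0.0.0, [::1]:631 -> [::1]
        # loopback-only sockets are not reachable from the network; skip them
        if (host ~ /^127\./ || host == "[::1]") next
        proc = "unknown"
        # first quoted token in users:(("name",pid=...)) is the process name
        if (match($0, /"[^"]+"/)) proc = substr($0, RSTART + 1, RLENGTH - 2)
        print $1, addr, proc
    }'
}

# count_exposed SS_OUTPUT -> number of sockets reachable beyond loopback
count_exposed() {
    exposed_services "$1" | wc -l | tr -d ' '
}

# owning_package PROGRAM -> Debian/Ubuntu package that ships it (assumes a dpkg host).
# Example: owning_package cupsd  -> cups-daemon   (then: apt-get purge <package>)
owning_package() {
    bin=$(command -v "$1") || return 1
    dpkg -S "$bin" | cut -d: -f1
}

# Run against the live host with --live, otherwise against the constructed sample.
if [ "${1:-}" = "--live" ]; then
    exposed_services "$(ss -H -ltnup)"
else
    exposed_services "$SAMPLE_SS"
fi
```

On the sample, the two `cupsd` sockets are dropped because they are bound to `127.0.0.1` and `[::1]`, and the remaining three (`sshd`, `xrdp`, `avahi-daemon`) are the ones to decide about: keep, bind to loopback, or purge the package.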
