Hi Bernie,

On Sunday 28 May 2006 04:39, Bernie Cosell Scribbled:
> On 27 May 2006 at 22:10, Gaffer wrote:
> > On Saturday 27 May 2006 21:44, Bernie Cosell Scribbled:
> > > On 27 May 2006 at 21:21, Gaffer wrote:
> > > > Weird I may be.  But I don't get viruses,
> > >
> > > That's more luck than anything:
> >
> > I would beg to differ !
>
> Well, we have different opinions on that...

Well, I was talking about viruses!

> > > Unix systems are the MOST attacked

> You're wrong: it is the result of scans and probes, and when the
> system is discovered it is attacked.

Yes it is, but only if it is exposed to be attacked.  Any sysadmin 
worth his/her salt wouldn't put an unprotected machine on the 
internet!  That is, unless it was set up to be a honeypot!

> > I agree, the adage of "getting to root" is the goal of a cracker!
> >  Get root and the system is yours!
>
> I know -- Unix's *biggest* security misfeature -- one bit security.
> Windows's biggest security misfeature is that almost all of its users
> *start* with admin privileges, so _every_ slip, error, vulnerability
> is a total system compromise.  It is a lot harder to "get at" most
> Unix systems because you need either to exploit server
> vulnerabilities or find a privilege-escalating vulnerability; on
> windows, the users [by running as admin] both do all the hard work
> [*giving* the attacker full system privileges to start with] *AND*
> are often naïve/duped into being the agent that infects their own
> system.  Windows's biggest security problem is its users!

Agreed !

> As a side note, it is possible [but surprisingly difficult] to
> configure a Unix system that'll withstand having root compromised.

There are a number of techniques to specifically protect root!  But it's 
easier to start with multilayered security and go on from there.

> > > > ..  and nothing goes out unless I
> > > > let it (port 80 excluded).
> > >
> > > How do you manage that?  iptables or some such?  Because of the
> > > utterly broken way Berkeley kludged sockets into Unix, AFAIK it
> > > is nearly impossible to prevent a process from opening a network
> > > connection [either outgoing or listening].

A lot of things have changed dramatically in recent years !

> > As far as port opening is concerned all ports are closed by default
> > in and out.

Iptables helps, as does choosing "Paranoia" settings for your system.  
That way you have to explicitly configure a path for entry or exit from 
your machine!

> Would you elaborate how you "closed" the ports?  As far as I know [in
> having used and installed scores of Unix systems over the years] *NO*
> port is "closed" by default on a unix system.  I know you can do that
> kind of thing with ipchains, but it ain't easy to get configured
> properly [if you want to the system both to be secure AND to be
> useful] and AFAIK no distro comes with that set up active and DENY
> ALL as a default [is SUSE doing that these days?]  Few sysadmins
> understand IPCHAINS and so if they did that, it'd be amusing how many
> sysadmins would have a hard time getting IRC or SSH or sendmail or
> ... to work.  Does your system, in fact, close all those ports with
> ipchains or the like?  Or if not, how *do* the ports get to be
> "closed by default"?
>
>   /Bernie\

IPcop is a good example of a Linux distribution configured to be 
secure ! 

-- 
Best Regards:
     Derrick.
     Pontefract Linux Users Group.
     plug at play-net.co.uk

--
                ----------------------------------------
WIN-HOME Archives:  http://PEACH.EASE.LSOFT.COM/archives/WIN-HOME.html
Contact the List Owner about anything:  [EMAIL PROTECTED]
Official Win-Home List Members Profiles Page
 http://www.besteffort.com/winhome/Profiles.html
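
The thread above turns on whether ports are really "closed by default" and traffic only leaves where it is explicitly allowed. As an added example (not part of either poster's message), this script audits `iptables-save` output for that posture; the function names and both sample rulesets are constructed for illustration, and it assumes output without the `-c` counter prefix.

```shell
#!/bin/sh
# Added example: check iptables-save text for a default-deny filter table.

# Constructed sample: default-deny host allowing loopback, replies to
# established connections, and outbound port 80 only.
sample_strict() {
cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 80 -j ACCEPT
COMMIT
EOF
}

# Constructed sample: no rules loaded, every chain policy is ACCEPT.
sample_open() {
cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
EOF
}

# Reads iptables-save text on stdin, prints one line per finding, and
# returns 0 only if INPUT, FORWARD and OUTPUT all default to DROP.
audit_default_deny() {
  awk '
    BEGIN { bad = 0; seen = 0 }
    /^\*/ { table = substr($1, 2) }          # "*filter" starts a table
    table == "filter" && /^:(INPUT|FORWARD|OUTPUT) / {
      seen++
      if ($2 != "DROP") { print "OPEN-BY-DEFAULT " substr($1, 2) " policy=" $2; bad = 1 }
    }
    # Every ACCEPT rule is a deliberately opened path worth reviewing.
    table == "filter" && /^-A / && / -j ACCEPT/ { print "EXPLICIT-ALLOW " $0 }
    END { if (seen < 3) { print "INCOMPLETE filter table"; bad = 1 }; exit bad }
  '
}

# On a live host (as root): iptables-save | audit_default_deny
sample_strict | audit_default_deny
```

A non-zero return means at least one built-in chain still accepts traffic that no rule matched, which is the state of a host with no ruleset loaded.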