[huskerlug] Re: CERT Advisory
- From: Steve <steve@xxxxxxxxxxxxx>
- To: huskerlug@xxxxxxxxxxxxx
- Date: Fri, 15 Aug 2003 17:08:06 -0500
> comes out. The problem is that, by the time the patch has come out, a
> couple of systems may already be compromised, and 1 of those systems might
> be the one you have in your apartment or room.....
Do I detect a hint of personal experience here, Cesar? ;-)
That is indeed a problem with services that must be exposed to the public.
However, there are steps that can be taken to mitigate the risks and buy you
valuable time. If these services can be configured to run without root
privs, then the exploit will require that the intruder gain root access
before "owning" your box. This is where all of those previous suggestions I
made come into play.
For services that do require root, be very careful about the software that you
use. Try qmail instead of sendmail, djbdns instead of BIND, publicfile
instead of Apache (for static pages only), vsftp instead of wu-ftp or
pro-ftp, OpenSSH instead of telnet (I hope that one is obvious by now) etc.
etc. Of course, if you need a specific feature that isn't provided in one of
the alternatives, you don't have much choice.
For further protection, one can look into kernel hardening patches:
grsecurity, lids, pax (part of grsec), rsbac, selinux, etc. Some of these
can help prevent even a remote root exploit from compromising a system. A
remote root exploit on a vanilla kernel usually means "game over."
None of these suggestions should imply that you shouldn't patch your system
though. Many of the kernel hardening patches may only slow down an intruder
rather than stopping them completely. However, this is still useful if it
buys you enough time to patch your system.
A t-shirt I saw at Defcon this year comes to mind:
"Security is like sex, once you've been penetrated, you're f!@%!"
--
Steve Bremer
RHCE,CCNA
--
Real Men don't make backups. They upload it via ftp and let the world
mirror it. -- Linus Torvalds
--
GnuPG Key fingerprint = 7F06 4D73 7963 BE96 5189 953A E285 CB2C BA03 2746
Available on key servers.
----
Husker Linux Users Group mailing list
To unsubscribe, send a message to huskerlug-request@xxxxxxxxxxxxx
with a subject of UNSUBSCRIBE
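
An added example, not part of the original message: one way to find which publicly reachable services still run entirely as root, and so are the first candidates for the non-root configuration or safer alternatives suggested above. The sample text is constructed, laid out like the output of `ss -H -tlnp` and `ps -eo pid,user,comm --no-headers`; the function names are this example's own.

```python
import re

# Constructed sample input in the layout of `ss -H -tlnp` (run as root so the
# process column is filled in) and `ps -eo pid,user,comm --no-headers`.
SS_SAMPLE = """\
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=812,fd=3))
LISTEN 0 100 0.0.0.0:25 0.0.0.0:* users:(("master",pid=1033,fd=13))
LISTEN 0 511 0.0.0.0:80 0.0.0.0:* users:(("httpd",pid=1500,fd=4),("httpd",pid=1501,fd=4))
LISTEN 0 10 127.0.0.1:53 0.0.0.0:* users:(("named",pid=950,fd=21))
LISTEN 0 32 [::]:21 [::]:* users:(("vsftpd",pid=1204,fd=3))
"""
PS_SAMPLE = """\
812 root sshd
950 named named
1033 root master
1204 root vsftpd
1500 root httpd
1501 apache httpd
"""

LOOPBACK = ("127.", "[::1]")
HOLDER_RE = re.compile(r'\("([^"]+)",pid=(\d+),fd=\d+\)')

def parse_owners(ps_text):
    """Map pid -> user name from `ps -eo pid,user,comm` lines."""
    owners = {}
    for line in ps_text.splitlines():
        parts = line.split(None, 2)
        if len(parts) == 3 and parts[0].isdigit():
            owners[int(parts[0])] = parts[1]
    return owners

def root_exposed(ss_text, ps_text):
    """Sorted (port, command) pairs for non-loopback TCP listeners whose
    socket is held only by root processes (no unprivileged worker at all)."""
    owners = parse_owners(ps_text)
    findings = set()
    for line in ss_text.splitlines():
        fields = line.split(None, 5)
        if len(fields) < 6 or fields[0] != "LISTEN":
            continue  # no process column: ss was not run as root
        addr, _, port = fields[3].rpartition(":")
        holders = HOLDER_RE.findall(fields[5])
        if addr.startswith(LOOPBACK) or not holders:
            continue  # not reachable from the network, or nothing parsed
        users = {owners.get(int(pid), "?") for _, pid in holders}
        if users == {"root"}:
            findings.add((int(port), holders[0][0]))
    return sorted(findings)

if __name__ == "__main__":
    for port, command in root_exposed(SS_SAMPLE, PS_SAMPLE):
        print(f"tcp/{port}: {command} runs only as root")
```

A listener with a root parent and unprivileged workers (the constructed `httpd` entry) is not reported, since it has at least partly dropped privileges; the loopback-only `named` is skipped because it is not exposed.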
- References:
- [huskerlug] CERT Advisory
- From: Jaymz Ringler
- [huskerlug] Re: CERT Advisory
- From: GreyGeek
- [huskerlug] Re: CERT Advisory
- From: cdelgad2