SecurityFocus Linux Focus Area
WebJunky writes: "SecurityFocus.com has opened a Linux security focus area. It has an opening letter from Bruce Perens and some interesting articles, especially one on installing IPsec under Linux. It also has some tutorials on installing Apache and BIND securely." Cool stuff, course most of us just stick to bugtraq anyway ;)
I think this article will be a good eye-opener for many who seem to think that securing a system means checking the bug lists and applying the appropriate patches, or throwing in a buzz-word Firewall. Although that is an excellent start, you can see the big difference with NT and OpenBSD.
NT has a decent security model. But Microsoft's goal with NT is functionality, not security. So with file permission defaults such as Everyone: FULL CONTROL and Exchange KM Server Admin passwords being "Password", it's not hard to see that M$ wants Admins to have an easy job. Everything works, but it ain't secure. Although one can configure NT to be secure, it will take many hours of work and tests.
On the other side of the spectrum, consider OpenBSD. Paranoid? Obviously. Everything's off, users have no access to anything, users can't su unless they're allowed. Here, security is well taken care of, but the admin's big job here is opening up the system so users can get some functionality.
Then put Linux in the middle. A relatively secure OS, with (as most distros) almost all daemons running without even asking for them. Shut off sendmail, wu-ftpd, httpd, etc, and boom, magnitudes more security.
Then consider the admin who uses the root account straight through telnet. One co-worker I knew does this on a regular basis, then brags that he's never been cracked!!! Patching bugs is the easy part...
Yeah, for hardcore geeks that have been messing with Linux for years, bugtraq is just fine. However, some people... including me... could benefit from a centralized location of all sorts of information related to security instead of relying on posts and threads that you could have missed months ago.
:)
I say, what's wrong with another useful tool
Bruce Perens' comment about viruses - "no doubt Linux is in for some viruses and security problems." - will probably bring hoots of derision from the underinformed.
Linux has at least two major vulnerabilities to viruses. The first doesn't affect Linux directly, but is still embarrassing. If you run Linux as a file server for Win32 machines, and a (usually macro) virus gets a decent foothold in the network, you rely on the Win32 virus checkers to fix it. But they can't (easily) clean it from the file server. The Linux boxes can quite happily continue serving infected files to clean Win32 boxes. Whoops. I believe that we need a native Linux virus checker built as close to the file system as you dare.
The other problem is with binary-only kernel modules that allow connections from userland. Another post today about 'run anywhere' device drivers has exactly this architecture. Unless the supplier of the binary has done a *perfect* security job, there is a possibility that a virus-writer could exploit the binary module to do almost anything to the kernel.
The main protection that Linux has had so far from viruses is the culture of Unix. A Unix programmer good enough to write a virus would spend their time doing something useful. This will change. If even a tiny proportion of the trolls/mp3 warez lusers on this board learn some programming, we could all be in for a difficult time.
Share and Enjoy.
For those who are very concerned with Security you should take a look at Mandrake. Depending on the "type" of install you do you can have up to 5 different security levels. The worst being "Welcome crackers" to the top "Paranoid". The Paranoid level is so paranoid that each part of the server is broken into groups and requires specific access grants (via users being part of multiple groups) for almost everything, ie cdrom/floppy/sound/different execute permissions (/bin /sbin /usr/bin /usr/sbin etc), X, telnet ftp etc... and services are secured very nicely. But what really takes the cake is the logging. Just sitting on IRC I was able to watch my system be scanned, attempted ftp/telnet/ssh etc... Anyway there is a lot involved in what Mandrake does for security and I couldn't even begin to give them a "good plug" for their product... try it for yourself! :)
every time I visit this site, I swear to never return.
Their site has so much unnecessary formatting and takes so long to load. Obviously they're not interested in attracting unix sysadmins, or mobile users using a mobile browser.
I recommend http://packetstorm.securify.com - they still have a medium amt. of html fluff, but at least it works in lynx.
1) Go to securityfocus.com.. go make dinner and watch a sitcom, this fucker takes forever to load up with its dancing refreshing ads.
2) Find the shit you actually want to look at and right click, Open frame in a new window.
3) Close original Netscape thus killing the three ring circus that is securityfocus.com, denying them the ability to spam your brain to death with their useless drivel. Assuming that closing Netscape didn't cause Netscape to bus error and close all Netscape windows, you can read what you want in peace. This works well with the bugtraq archive.
Whoever designed that site is a raging alcoholic, I think.
Lars -
Check your named directory and see if there is a subdirectory named "ADMROCKS". If it's there then you are running a vulnerable BIND and have been owned. If it's not there then you are probably safe.
Really. It's that bad.
(If you don't know, "ADMROCKS" is the footprint left by a popular BIND exploit.)
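The check described in that post, written up as a small script so it can be run against several candidate named directories at once. This is an added example, not the poster's own code; the default paths at the bottom are assumptions and should be adjusted to the local BIND setup.

```shell
# Look for the "ADMROCKS" directory that the post names as the footprint of
# a BIND compromise. Exit status: 0 = absent, 1 = present, 2 = dir not found.
check_named_dir() {
    named_dir="$1"
    if [ ! -d "$named_dir" ]; then
        echo "skip: $named_dir is not a directory" >&2
        return 2
    fi
    if [ -d "$named_dir/ADMROCKS" ]; then
        # Finding the indicator means the host should be treated as owned,
        # not just patched: rebuild from known-good media after investigating.
        echo "ALERT: $named_dir/ADMROCKS exists, this BIND host looks compromised"
        return 1
    fi
    echo "ok: no ADMROCKS directory under $named_dir"
    return 0
}

# Check every directory given on the command line; return 1 if any hit.
scan_named_dirs() {
    status=0
    for d in "$@"; do
        check_named_dir "$d"
        [ $? -eq 1 ] && status=1
    done
    return $status
}

# Assumed locations (plain and chrooted named); edit for your installation.
scan_named_dirs /var/named /var/named/chroot/var/named
```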
NT does allow you to filter out incoming IP packets. Of course, the NT IP stack has been so insecure that a lot of software firewall makers replace it with their own stack.
NT2000 could fix a lot of this though. I haven't used it.
sigs are a waste of space