comp.os.linux.security FAQ
$kr1p7_k177y wrote to us regarding Daniel Swan's release of the comp.os.linux.security FAQ. It's what you'd imagine, but with the growth lately, this should be a helpful tool. There's also an interview with him that sheds more light on the reasons behind the FAQ.
Actually, speaking as someone who regularly installs new distros/OSes just to try them out - a default win2k install is more secure than any linux distro I've seen. Remember, it's not based on win9x.
It's also easy to further lock down - it's straightforward to block any TCP or UDP port or even protocol you choose (without additional software).
Also, Zone Alarm is widely recognised as a kick ass personal firewall (though I'd always prefer to set up my own cheap box running BSD, and use it to block adverts and trojans also. Get it doing DNS caching etc, also - every little helps when you're restricted to modem like me).
I realise you're just trolling, but I feel that I have to at least try to counteract your FUD.
Q: How do I secure Linux?
A: Install BSD.
The cure of the ills of Democracy is more Democracy.
Erlang Developer and podcaster
Another oversight in this FAQ is that there is absolutely nothing about PAM -- good, bad or indifferent.
I'd offer to write the section myself, but beyond saying "It appears to offer a finer granularity over file & executable permissions than UNIX's traditional xrw, the documentation included with the package appears to be fairly comprehensive, & it comes enabled by default in the RedHat distribution."
Give me a few months with PAM, & I may be able to delete the qualifiers.
Geoff
I think I see a trend here. Maybe for them it really would be easier to muzzle the entire internet than to produce p
> PAM has NOTHING to do with xrw style permissions, this is something else, called ACLs (Access Control Lists).
Well, having only the last 5-10 days to read the documentation, I was left with the impression that it could be used quite nicely to implement ACL.
And the point of my original post was that I'm not qualified to add more to the FAQ about PAM than to nicely ask the FAQ maintainer to add a section about it.
Geoff
Just being a hacker does _not_ make you an engineer. IMO that is a much worse mistake than the hacker/cracker mixup.
The basic sleazeware produced in a drunken fury by a bunch of UCBerkeley grad students was still the core of BIND. --PV
Overall pretty good, but there are a few (minor) points..
:o)
First, your firewall should always be initialized before initializing the network interface, not after... initializing it after your network comes up means that there is a period (however small) that your machine is vulnerable (or, more vulnerable than it could be).
Second, blocking all inbound pings can (potentially) cause problems with things such as DHCP.. (most DHCP servers attempt to ping an address before they issue it, to determine if it's in use or not..) if the DHCP server's lease database becomes corrupt/invalid (because of a network/hardware failure, for example), it could give your IP address to someone else, because your machine doesn't answer the ping..
Third, he misspelled Kurt Seifried's name (I think that Seigfreid is a magician from Vegas).
Other than that, a pretty good start..
I didn't take that post as funny.
These are "Frequently Asked Questions" about Linux security and you would expect that the FAQ would answer these. Yes there are good questions answered in the FAQ but you also want to answer the stupid ones too, so you are not answering them in the news group.
Steven Rostedt
-- Nevermind
Ok, the "what is Open Linux bsdnix" thing would go into the "funny" category, and has nothing to do with Linux security. But the following...
questions, are more legit, and have been commonly asked by newbies. The number of times I get someone calling me up and asking me why they can't log in as root is amazing. I would also add that not ever logging in as root (except for system admin stuff) should be stated in the FAQ.
Steven Rostedt
will you fuck off sphincter breath. I have addressed your stupid comments already.
How we know is more important than what we know.
The answer to this question (and every question in that area) hasn't changed in 2 years. There are many linux viruses in existence and a number have been found in the wild. There are viruses that infect the PLT table of ELF binaries to intercept library calls. There are viruses that use ptrace to infect every running program the user has access to debug (yes, that's right, download some infected binary, run it and every process you have running is simultaneously infected, including your shell) and there are viruses that can jump su to root. These are the viruses that "follow the user". Hell, all this stuff has been in Phrack. There are viruses that act like worms, they look in your .ssh known hosts file and try passwordless connections to all of them. Virus proliferation on linux is a serious issue and should be dealt with by FAQs like this. Two years ago I sat here and said if virus research on linux was not encouraged it would develop underground and we would have people like this denying their existence until it is too late. Well it's not too late, yet.
How far do you take it though, surely you wouldn't include the "what is this openlinuxbsdnix" question.
Security-Enhanced Linux: http://www.nsa.gov/selinux/: - This isn't actually a distribution, but an add-on that facilitates "Flexible Support for Security Policies". Considering the source of this package, an American Intelligence Agency, careful consideration should be made before installing it on machines that store sensitive or proprietary information, at least until a rigorous code audit is done of it.
...
That's the spirit
"By the way if anyone here is in advertising or marketing... kill yourself." -- Bill Hicks
Just a quick correction:
PAM has NOTHING to do with xrw style permissions, this is something else, called ACLs (Access Control Lists).
PAM authenticates users in a flexible manner, and allows much more fine grained control than the traditional /etc/passwd only system. RedHat uses this to allow authentication against Kerberos, NIS and the like. Furthermore RedHat's recent steps in their implementation of PAM in RedHat 7 allow global configuration of all PAM services from one file (/etc/pam.d/system-auth).
Well PAM does implement ACLs, just not in the file-permissions case, its ACLs are for logins and the like. (It does get into some file-permission stuff, for things like the console user permissions, but these are done by modifying the permissions on actual files).
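The /etc/pam.d stack and its required/sufficient control flags discussed in the two posts above, as an added example (not from the FAQ, from Red Hat, or from any poster): a parser for system-auth style files plus an evaluator of the control-flag logic. The file contents are constructed to resemble a Red Hat 7 system-auth, and each module's result is supplied by the caller, so no PAM library is involved.

```python
"""Parse a PAM service file and evaluate its 'auth' stack (added example).

Not from the FAQ or from Red Hat: SYSTEM_AUTH is constructed to resemble a
Red Hat 7 style /etc/pam.d/system-auth, and each module's result is supplied
by the caller so the control-flag logic can be shown without a PAM library.
"""
import os
from collections import namedtuple

SYSTEM_AUTH = """\
#%PAM-1.0 (constructed sample, not a real installation's file)
auth        required      /lib/security/pam_env.so
auth        sufficient    /lib/security/pam_unix.so likeauth nullok
auth        required      /lib/security/pam_deny.so
account     required      /lib/security/pam_unix.so
"""
# Constructed variant without the final pam_deny line, to show why it is there.
NO_DENY = "\n".join(l for l in SYSTEM_AUTH.splitlines() if "pam_deny" not in l)

# mtype: auth/account/password/session; control: required/requisite/
# sufficient/optional; module: basename such as pam_unix.so; args: list
Rule = namedtuple("Rule", "mtype control module args")

def parse_pam(text):
    """Parse 'type control module [args...]' lines; skip comments and blanks."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        f = line.split()
        if len(f) < 3:
            raise ValueError("malformed PAM line: %r" % raw)
        rules.append(Rule(f[0], f[1].lower(), os.path.basename(f[2]), f[3:]))
    return rules

def run_stack(rules, mtype, results):
    """Verdict for one management group.  results maps module basename to
    True/False; unlisted modules fail.  required: failure is remembered but
    later modules still run.  requisite: failure ends the stack at once.
    sufficient: success ends the stack with success unless a required module
    already failed; its own failure is ignored (hence the trailing pam_deny)."""
    failed, decided = False, False
    for r in (r for r in rules if r.mtype == mtype):
        ok = results.get(r.module, False)
        if r.control == "sufficient":
            if ok and not failed:
                return True
        elif r.control in ("required", "requisite"):
            decided = True
            if not ok:
                if r.control == "requisite":
                    return False
                failed = True
    return decided and not failed
```

Run with NO_DENY and a failing pam_unix to see the stack pass on pam_env alone; the trailing pam_deny line is what makes the real file fail closed.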
I agree, it should be in the FAQ.
The FAQ uses `hackers' as its term for malicious attackers, rather than engineers.
Surely the Open Source world knows of this distinction, and this could be reflected in the FAQ?
*) telneting as root is considered bad. Please replace telnet with OpenSSH. It encrypts things so that people can't spy on your sessions. If you want an example, learn how to use tcpdump, and see what happens. It's also a good idea to not ssh as root so that it requires another level of passwords to get total control over your box.
;)). We'll help you out.
*) Nobody is a generic dummy account on most UNIX systems. Its purpose is to allow you to run various daemons under the lowest privileges possible (that of a user which can't login and doesn't own any files). A better practice is to create one user account per daemon, and have it own only the files it requires to write to.
*) -- MARK -- is a generic placeholder put there every n amount of time (the default is 20 minutes.. man syslogd for more information).
*) DENY and REJECT act slightly differently. If you are going to utterly blackhole a machine, or simply want to eat packets coming in, DENY is the option you want. REJECT simply sends back a connection refused packet (for TCP, UDP and other protocols have slightly different packets). If you're going to be filtering TCP ports, use REJECT -- DENY will show up as 'filtered' on nmap and any other quality scanner which notes the lack of a reply packet (despite the host being up).
*) OpenBSD is an audited branch of the BSD family tree. This code can trace its lineage back to the original UNIX code. For many people, it's a great replacement for Linux on their firewalls because it's simple to set up, and secure out of the box. If you require SMP, or are going to be doing things like high volume web traffic, you may want to review the performance of it vs. Linux, or combine them via firewall + proxy network setup.
If you have any other questions, head to #kuro5hin on slashnet (or irc.kuro5hin.org if you don't know what slashnet is).
--
Internet Explorer (n): Another bug -- that is, a feature that can't be turned off -- in Windows.
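Building on the `-- MARK --` explanation in the post above (and the point elsewhere in the thread that an intruder with root can edit logs), an added example that is not part of any post: a Python check that treats syslogd's MARK lines as a heartbeat and reports any stretch longer than the mark interval. The log lines are constructed, and a year is assumed because syslog timestamps omit it.

```python
"""Use syslogd's '-- MARK --' heartbeat to spot gaps in a log (added example).

Not from the FAQ: SAMPLE_LOG is constructed.  syslogd writes '-- MARK --'
every mark interval (20 minutes by default), so a stretch with no mark means
syslogd was not writing, the clock jumped, or the file was cut or edited.
"""
from datetime import datetime, timedelta

# Constructed sample; classic syslog timestamps carry no year, so one is assumed.
SAMPLE_LOG = """\
Mar  3 14:00:00 gw syslogd 1.3-3: restart.
Mar  3 14:20:00 gw -- MARK --
Mar  3 14:40:00 gw -- MARK --
Mar  3 14:45:12 gw sshd[612]: Accepted password for geoff from 10.0.0.7
Mar  3 16:20:00 gw -- MARK --
Mar  3 16:40:00 gw -- MARK --
"""

def parse_time(line, year):
    """Timestamp of a syslog line ('Mmm dd HH:MM:SS' prefix), or None."""
    try:
        return datetime.strptime("%d %s" % (year, line[:15]), "%Y %b %d %H:%M:%S")
    except ValueError:
        return None

def mark_gaps(text, interval_minutes=20, year=2000, slack_minutes=1):
    """Return (start, end, minutes) for each pair of consecutive MARK lines
    further apart than the mark interval plus a little scheduling slack."""
    marks = [parse_time(l, year) for l in text.splitlines()
             if l.rstrip().endswith("-- MARK --")]
    marks = [m for m in marks if m is not None]
    limit = timedelta(minutes=interval_minutes + slack_minutes)
    gaps = []
    for prev, cur in zip(marks, marks[1:]):
        if cur - prev > limit:
            gaps.append((prev, cur, int((cur - prev).total_seconds() // 60)))
    return gaps

if __name__ == "__main__":
    for start, end, minutes in mark_gaps(SAMPLE_LOG):
        print("no MARK between %s and %s (%d min)" % (start, end, minutes))
```

A gap only shows that nothing was written for that stretch; marks can be forged by anyone able to write the file, so treat a hit as a prompt to compare against a copy logged elsewhere.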
Frankly unsecured boxes should be tagged as tools for aiding and abetting crackers.
By the way, "bent-up security 'focus'"...
What, your fingers are going to fall off typing a login/password pair?
The message on the other side of this sig is false.
> It's also easy to further lock down - it's straightforward to block any TCP or UDP port or even protocol you choose (without additional software).
What took them so long? There's no bloody difference between filling out a form and commenting lines in inetd.conf as well as firewall config files.
The message on the other side of this sig is false.
Isn't this more of a server concern? I mean, even if my system was "compromised" (the official-sounding wording in the FAQ) why would I truly care? There is nothing on my system that denotes anything that would need to be truly secure (just some personal writing), and if things were deleted I keep regular backups. Privacy is not a concern (I keep no credit card or checkbook numbers on my box).
Most crackers probably aren't interested at all in your private stuff, except perhaps your ISP data (login, password) so they can use your account to get on the net. The thing crackers are interested in is your box itself as a base for further attacks. A cracker with root access can easily manipulate your log files, so when an attack is traced back to your box, you have no proof that it wasn't you who broke in that government machine and downloaded top secret information...
All-in-all, would I even need security if there wasn't the internet? If the machine was just sitting in my room and the only thing that could "attack it" is a 12-year old brother with a misladen hockey stick? Probably not. Sometimes I think this whole bent-up security "focus" of computer hackers comes from their own inherent distrust and annoyance psychologically with the rest of the world.
If you have no net connection and no private data on the machine, security wouldn't be much of an issue. But with an internet connection security simply has to be considered. If you live in a peaceful neighborhood with none or just a few break-ins a year, you probably wouldn't care too much for a state-of-the-art alarm system. Now consider that some unknown guy from somewhere far away develops the Burgle-O-Matic(tm) which can ransack 1000 homes per minute, is operated from a safe haven outside your reach and is available for free to anyone who manages to find it. It also ruins your door even if it can't break in, and you can expect it to come around every other day. Would you just buy a wagonload of new doors every month, or would you rather install a Break-O-Burgle (Guaranteed To Stop Any Brand Of Burgle-O-Matic(tm) At Least Ten Yards Before Your Door)(tm)?
--
Cthulhu fhtagn!
I know that spelling criticisms are a low blow. But I love this sentence from section 3.7 of his FAQ:
"There seems to be a widespread, but fellatious, belief that denying incoming pings will render your host invisible to the outside world."
Do you need special hardware for that belief?
Q:How many libertarians does it take to stop a Panzer division? A:None. Obviously market forces will take care of it.
In an environment that uses dhcp this is not easily done if you don't know what you are doing. First, when the firewall script starts, how do you know what your ip address is and thus, how do you know what kind of rules you wish to set if you are using ip based blocking (not really sure if one can block packets from a certain eth-adapter, not just the ip address). In such a case, the user has two possibilities.
(btw, I'm using the insecure way, I'm not *that* paranoid)
Also, the faq titled one of the windows ssh clients wrong. It's Tera Term not Terra Term ;) Anyway, it is a *superb* vt emulator for windows. Wouldn't want to live without it + it's free and comes with the source. (ssh comes as a plugin and I'm not familiar if it comes with source too)
--
yush
I know why. It's because the author hasn't bothered to format his FAQ according to the standard, nor has he bothered to get it approved for posting to news.answers et al.
This link tells you what you need to know to get a Usenet FAQ document posted to news.answers.
-Gerard
Ignoring the rest of your troll post (and I hope you're trolling... if not your ego needs to be whacked with a reality stick) you brought up a common misconception:
There are no processes running as servers because it's a default Win2K Professional box. Like its predecessor, Win2kPro installs with peer-to-peer networking (read shares) enabled by default -> the Server service is set to automatic startup. RPC and Remote Registry service are also ON by default. If they're listening, they're hackable.
"Hatred is the coward's revenge for being intimidated"
of the Security FAQ? The way the intro is written it's as if there are many versions.?!? I read over it and it seemed pretty good.
(I'm a relatively new Linux user and probably speak from a largely Windows background).
This FAQ looks a very good start....Writing a FAQ is extremely time consuming (I know, I've written the PGP DH vs PGP RSA FAQ) and this FAQ is a good foundation to build upon. It largely follows the content of the (also excellent....) book Maximum Linux Security by Anon.
Anyway, I'd like the FAQ to be expanded with:
"Mary had a crypto key, she kept it in escrow, and everything that Mary said, the Feds were sure to know."
Morning Troll );, but in any case OpenBSD is more secure out of the box than most Linux distros, this is true, but trust me I have seen some *BSD boxes that are wide open (we are talking winders open here). This is because people think that they have OpenBSD and they are safe, they then go ahead and add a slew of ports and open up all kinds of stuff. The simple fact is while it might be harder to secure an initial install of most Linux distros (Debian is quite easy if you want to be security minded when you first install and you have host security as a goal) most of them can be made almost as secure as an OpenBSD box, and of course if you would rather use that than *BSD (and I can think of several places where I would) then it is important to know how. The thing I do agree with you on is reading about why OpenBSD is so secure by default and understanding the thought process behind it can *really* help in securing your Linux boxen. In short winders is the enemy; *BSD and Linux can and do live very well together. So get over it and let's all have some fun. :)
Cypherpunks: Civil Liberty Through Complex Mathematics. Those who live by the sword die by the arrow.
whoops, I guess my html didn't work properly, because the URL didn't come out for that FAQ:
http://cognosco.datablocks.net/txt/OS_Specific/UNIX_Linux_ect/comp.security.unix_and_comp.security.misc_FAQ.txt
--
Cognosco: To examine, enquire, learn
http://cognosco.datablocks.net
There are no processes running as servers because it's a default Win2K Professional box. There is noone scanning my ports because I have set up a cheap version of ZoneAlarm (for my own benefit, to make sure my brothers and sisters aren't browsing to weird websites when I'm home for college).
- I don't care if they globalize against free speech. All my best free thoughts are done in my head.
Excellent questions (Except for the last one). Several will likely make it into the next revision. I'll have to restrain myself from telling people that "mark" has hacked their computer, and left his calling card.
I AM a two-bit Kansas City whore! I'm here, I'm reading, I'm even damned well replying, what more can you ask for? Bl00d ? I Read at +2!
This space for rent.
> Do you need special hardware for that belief?
The special hardware comes standard on some humans. Others can have it installed, but only at considerable expense (and the old hardware has to be deinstalled permanently). Most fellatious believers will tell you, however, that the conversion is probably WELL worth it.
--
MailOne
Non-meta-modded "Overrated" mods are killing Slashdot
(Hey Ryan! Here's your proof!)
No?