Slashdot Mirror


User: Karn

Karn's activity in the archive.

Stories
0
Comments
436

Comments · 436

  1. Re:Spitfire on Celeron 2 Overclocking · · Score: 1

    What's unfortunate is people will still buy Celerons b/c it has Intel on the chip..
    It's kinda like the Tommy Hilfiger thing. :(

  2. Re:You missed the main point of OpenBSD on OpenBSD Interview: Strengths, Tradeoffs And Plans · · Score: 1

    Actually, this thread was about security for the 'average' user.

    Well, if you get off on having your home machine secure enough, in your own opinion, to have top secret data on it then I'm very happy for you.
    Top secret data HAS to be secure, b/c by nature top secret data will want to be had.. I don't think people are going to spend weeks trying to break into my box, especially when I can reload the thing in an hour or so...

  3. Re:You missed the main point of OpenBSD on OpenBSD Interview: Strengths, Tradeoffs And Plans · · Score: 1

    First of all, relax. There's no need to be so defensive. Nobody's saying that your favorite OS sucks! :) A compliment for OpenBSD is not (necessarily) a criticism of Linux.
    I just think that people are way too paranoid. Patch your box and disable unneeded services. If you're using a Unix box to begin with, surely this isn't a lot to ask. This is more than enough to keep script kiddies at bay. If you are worried about ppl who aren't script kiddies breaking into your box, you should ask yourself, "Why would this person take the time to break into MY box?" I can assure you, if it's patched and you have unnecessary services running, if they can even get in, it'll be hell to do it. IIRC the Linux PPC challenge was the contest for someone to break into a LinuxPPC box (IIRC). 1.) MANY people had a big incentive (a new computer) to break in, and it took a very LONG time, and this is with constant bombardment! 2.) They had telnet running (no sshd). 3.) They gave out the root password. Now, I ask you WHY does the average user need more security than that! And the only way the guy got in was some CGI crap. For the average user, web server = unnecessary service.

    So, umm, this sounds like words of support for OpenBSD, because that's what OpenBSD does by default (do any Linux distributions take this approach?). It would be *a lot* of trouble to go around downgrading all of the critical network daemons on a Linux distribution to get it
    Actually, I was referring to using tried and true versions of software, as in a latest-1 version of a distro. It's not a lot of work to install RH 6.1 instead of 6.1+X.
    No matter which route you take there are tradeoffs. If you choose OpenBSD, you're choosing security over better hardware support, and basically having a more up-to-date OS.


    My posts aren't pro-Linux or anti-OpenBSD. They're anti-paranoia. :)

  4. Re:You missed the main point of OpenBSD on OpenBSD Interview: Strengths, Tradeoffs And Plans · · Score: 1

    Yeah, no shit. I have OpenSSH (patched) on my RedHat box at work. Just wanted to point out one vulnerability with OpenBSD. Some people think OBSD is perfect. It just has less vulnerabilities than an unpatched RedHat distro. Keyword *patched*.
    And actually it really wasn't a troll, nitwit.

  5. Re:OpenBSD goes overboard on OpenBSD Interview: Strengths, Tradeoffs And Plans · · Score: 1

    Ok, you want to know?
    Step 1: Run ntsysv and remove asterisks from all unnecessary services (sendmail, nfs, samba, portmapper, etc)
    Step 2: Comment out all services in inetd.conf
    Step 3: Download and install sshd.
    Step 4: Add sshd to inetd.conf
    Step 5: Add ALL: ALL to hosts.deny
    Step 6: Install Psionic portsentry and Logcheck.
    Step 7: Set up ipchains to disallow incoming connections to low ports.

    Only SSHD is running, same as OBSD, and firewalling is set up. This setup is BETTER than the default OBSD, for this system will TELL YOU when you're getting probed/attacked, if they get past the firewall that is.
    Since this setup is for Linux, I get security AND get to use all my favorite hardware (TNT2, onboard audio for my K7M, etc).

    As you can see, this setup is for people who know a little about what they are doing. I guess if you know nothing about security, OBSD is for you.
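
Added example, not part of the comment above or of any project it mentions: a small Python check that reads `inetd.conf` and `hosts.deny` text and reports whether steps 2, 4 and 5 are actually in effect. The function names, the sample file contents and the assumption that sshd is registered under the service name `ssh` are all constructed for illustration.

```python
# Added example: audit inetd.conf / hosts.deny text against steps 2, 4 and 5.
# All sample data below is constructed, not taken from a real host.

ALLOWED = {"ssh"}  # assumption: sshd is listed under the service name "ssh"

def enabled_inetd_services(inetd_text):
    """Return (service, server_path) for every non-commented inetd.conf entry."""
    entries = []
    for raw in inetd_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank or commented-out service (step 2)
        fields = line.split()
        # service socket_type protocol wait user server_program [args...]
        if len(fields) >= 6:
            entries.append((fields[0], fields[5]))
    return entries

def has_default_deny(hosts_deny_text):
    """True if hosts.deny contains a catch-all 'ALL: ALL' rule (step 5)."""
    for raw in hosts_deny_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        parts = [p.strip().upper() for p in line.split(":")]
        if len(parts) >= 2 and parts[0] == "ALL" and parts[1] == "ALL":
            return True
    return False

def audit(inetd_text, hosts_deny_text):
    """Return a list of findings; an empty list means the checks passed."""
    findings = []
    entries = enabled_inetd_services(inetd_text)
    for service, server in entries:
        if service not in ALLOWED:
            findings.append(f"inetd: unexpected service enabled: {service} ({server})")
    if not any(service in ALLOWED for service, _ in entries):
        findings.append("inetd: no ssh entry found")
    if not has_default_deny(hosts_deny_text):
        findings.append("hosts.deny: missing ALL: ALL")
    return findings

# Constructed sample: ftp is commented out, telnet was left enabled by mistake.
SAMPLE_INETD = """\
#ftp    stream tcp nowait root /usr/sbin/tcpd in.ftpd -l -a
telnet  stream tcp nowait root /usr/sbin/tcpd in.telnetd
ssh     stream tcp nowait root /usr/sbin/sshd sshd -i
"""
SAMPLE_DENY = "# constructed sample\nALL : ALL\n"

if __name__ == "__main__":
    for finding in audit(SAMPLE_INETD, SAMPLE_DENY):
        print(finding)
```

The check only covers the two files it is given; with a catch-all deny in place, whatever is meant to reach sshd through TCP wrappers also needs a matching `hosts.allow` entry, which this sketch does not inspect.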

  6. Re:OpenBSD goes overboard on OpenBSD Interview: Strengths, Tradeoffs And Plans · · Score: 1

    There is no real necessity for telnetd any longer.
    Unfortunately some of us administer older boxes that don't come with ssh. Until these machines go away, there is still a need for telnet.

    On the other hand, a friend just told me how his Linux machine got rooted in seconds after he started his ftpd. Maybe having a cable modem can be a problem.
    Yeah, Redhat is SO insecure that when you start its ftp server, it TELLS people that it's up and it's vulnerable. Yeah. I don't think it's his distro's fault, I'd say it was his ignorance of networking and his OS.

    I'll be the first to tell someone that Linux, and any other Unixes for that matter, are not for the faint-of-heart. It's not ready for the desktop. It's a multi-user OS and by running the system you should be aware of what could/does happen.

    I guess most of the web gets hacked daily, for a large % of servers are running Linux and Apache. So many anon. ftp servers on Linux.. I'm surprised any sites that run a web server other than OpenBSD are up at all! Hehe. I just find it hard to believe that so many people posting security stuff here know more about sites such as Sourceforge, who are CRAZY enough to run Linux, and anon. ftp. They will probably be hacked any minute. :)

    I prefer Linux over OpenBSD b/c it's the most usable OS. Personally I like the support Linux has, and the positive momentum it has. While OpenBSD ppl are looking for non-existent buffer overflows, Linux developers are adding support for current hardware. Since I can't write device drivers, they do that, and since securing a box is trivial, I do that.
    I like the fact that my video card works, the sound works, and it runs the most current programs natively (IE No Emulation). Linux is moving forward, and at a very fast rate. BTW, it's so unbelievably easy to disable all services and add sshd.

  7. Re:Didn't quite cut it for me... on OpenBSD Interview: Strengths, Tradeoffs And Plans · · Score: 1

    Agreed. No, a firewall doesn't hurt at all. If you don't know anything about services, etc, how can you know anything about correctly configuring a firewall? I am fully aware of the 1 connection, multi user scene, for I used to have IPMASQ set up so my girlfriend could surf while I played.

    I think, based on personal experience, that firewalling your home machine is a bit too much, UNLESS you have mission critical stuff on your box and you don't back up. If you're already setting something up and you decide 'while setting up masq..' then cool. I just think it's funny when people act like before OpenBSD there was no way in hell they could sleep at night b/c they are worried about getting rooted. I just think it would be HIGHLY unlikely that someone that has taken all the precautions to secure their box would get cracked. If you have a firewall, better yet. The bottom line, however, is if the person wanting your box is good enough to get around wrappers and knows of exploits that aren't documented, firewall or no, they can probably have your box.

    Public Enemy #1: Script Kiddies
    Easily defeated by patching KNOWN vulnerabilities, wrappers, etc.

  8. Re:You missed the main point of OpenBSD on OpenBSD Interview: Strengths, Tradeoffs And Plans · · Score: 1

    And exactly how big of a problem is Linux's source code, or any of RedHat 6.X's services source? Obviously not as bad as some of you make it out to be. How many times a week do you hear of people's boxes being rooted b/c somebody read Linux's source code, found a hole, and exploited a machine? Not everyone is as eleet as you and reads source code and finds buffer overflows in services(sarcasm) nightly.

    This attitude reminds me of people who are afraid to fly b/c they don't want to crash... The chances of you actually being in a crash are almost nil. We will always have paranoid people though, who will not fly, and we will always have lamers speaking of incidents that they have only heard about.

    Services like sendmail and apache have been around for a LONG time, and many vulnerabilities have been discovered, and fixed. If you are paranoid, use the oldest version that doesn't have known vulnerabilities. They (OS service developers) don't brag about formal 'line-by-line' audits of their software, but just because they don't have 'audits' doesn't mean that they lag behind on security. What mail service comes with OpenBSD? Surely they write their own, b/c Sendmail doesn't have 'security audits' of their code.

    I can see the OpenBSD argument coming from an experienced admin who can't keep crackers off his system, but it's coming from (mostly) people who use Unix as a hobby or for fun. Would an experienced admin who has had a box broken into (who will actually admit it) say something? I use Linux at work and take security very seriously. I can assure you, security is a MAJOR concern, but is not a problem.

    I am a unix admin, and I can assure you that RedHat, Wrappers, and a few other tools do just fine 99% of the time (Yes, I hear you anals saying BUT..). I have yet to encounter the other 1%. If I had top secret data on my servers, I probably would be more paranoid about the other 1%, but I don't.

    If you think OpenBSD has no vulnerabilities, you should go to
    http://www.securityfocus.com/vdb/bottom.html?vid=1006

    Or am I just trolling?

  9. Re:OpenBSD's initiatives on OpenBSD Interview: Strengths, Tradeoffs And Plans · · Score: 1

    Oh, so do the script kiddies write their own buffer overflows or something?
    Has one of your boxes ever been hacked?
    Do you know how wrappers work? Do you know how spoofing works? JUST disabling unneeded services will totally cut off any potential exploits for those services (finger, etc). Wrapping telnet will keep anyone from getting a login prompt.
    What's left? Basically nothing a script kiddie can use. You obviously know nothing about security, and you probably believe in every conspiracy theory you hear.
    Scripts are very noisy, and are easily spotted. The only people I worry about are the ones who don't use scripts, and I'm sure they have bigger fish to fry than my home machine running Linux.

    And yes, I know what spoofing IP's entails.
    So, how many successful scripts have you run against wrappered, unexploitable services? I bet you are basing what you said on stuff you have heard/read, and not on personal experience.

  10. Re:OpenBSD goes overboard on OpenBSD Interview: Strengths, Tradeoffs And Plans · · Score: 1

    There are less RedHat vulnerability notices on Bugtraq than just about any *nix out there.
    By default, any other Unix out there cannot even connect to an OpenBSD box, b/c ssh isn't standard. FTP? HA! This is lack of functionality.
    Securing a box is NOT a difficult task. If you think it is, then you should use Windows or MacOS exclusively, and Unix has too much power/flexibility for you. I am glad they created a free implementation of SSH, but I can install that on Linux too.

    At least in Linux I have the choice to make it Ultra-anal (yes, anal) secure. I don't like the idea of not having a choice (OpenBSD) in the matter.

  11. Re:Didn't quite cut it for me... on OpenBSD Interview: Strengths, Tradeoffs And Plans · · Score: 1

    I find it amusing that so many people think that firewalling is the answer.
    It's like people are totally oblivious to the fact that they have services running that they don't need and they know nothing about Wrappers. Firewalling is good for corporations who want to ensure their mission-critical data is as safe as possible. Personally, the only data I really need off my HD is my bookmarks and maybe a few files.
    Script kiddies will not get past a system that has all unused services off, and Wrappers set up. Ok, so there are some people who can actually spot a vulnerability and MAYBE get around the wrapper, but the chances of that happening are about as good as yours are to get struck by lightning.
    And why would someone who is NOT a script kiddie waste time on your box? That whole 'have to have a firewall' issue is somewhat egotistical.

    Or am I just trolling? :)