[NCLUG] Network configuration
Quent
quent at pobox.com
Thu Oct 26 00:54:46 MDT 2000
Of course; exactly! There is no panacea.
If I run apache as root and someone can use CGI to get a shell, I can't
expect the kernel to prevent bloody holes from appearing in my foot :-)
It seems like most port scanning comes from boxes that have been cracked.
The owners are usually unaware.
I mentioned the stateful packet filter, ipf, but I think dynamic rules
are something more. That would be very cool to have!
Quent
On Wed, Oct 25, 2000 at 11:27:16PM -0700, J. Paul Reed wrote:
> On 26 Oct 2000 at 00:15:10, Quent modified my mailspool to say:
>
> > You can build a decent, secure environment with Linux just as well
> > as you can with OpenBSD. It's just that "out of the box" OpenBSD
> > boots up in a pretty secure state.
>
> I think it's a mistake to say this.
>
> While you're correct that OpenBSD *does* boot up more secure than, say
> RHAT, as soon as you start using it, if you don't know what you're doing,
> then it really doesn't matter.
>
> Case in point: someone was port scanning me via their cable modem on my
> cable modem segment the other night; so, I returned the favor, and found
> out they were running OpenBSD. BUT, because they had misconfigured Apache,
> I had their home telephone number/address and personal email addy within
> about five minutes of poking around on their "secure" OpenBSD box.
>
> So, don't fall into that panacea.
>
> BTW, someone mentioned BSD's dynamic firewall rules, which open/close TCP
> stuff when you open a connection... I've heard that the 2.4 kernel supports
> this... that's what one of the presentations is on for SYM.
>
> Later,
> Paul
> -----------------------------------------------------------------------
> J. Paul Reed preed at sigkill.com || web.sigkill.com/preed
> We're living in a world that's blowing itself to hell as fast as every-
> one can arrange it. -- First Sgt. Edward Welsh, The Thin Red Line
> _______________________________________________
> NCLUG mailing list
> NCLUG at nclug.org
> http://www.nclug.org/mailman/listinfo/nclug
>
>