[NCLUG] Network configuration

Quent quent at pobox.com
Thu Oct 26 00:54:46 MDT 2000


Of course; exactly! There is no panacea.

If I run apache as root and someone can use CGI to get a shell, I can't
expect the kernel to prevent bloody holes from appearing in my foot :-)

It seems like most port scanning comes from boxes that have been cracked.
The owners are usually unaware.

I mentioned the stateful packet filter, ipf, but I think dynamic rules
are something more.  That would be very cool to have!

	Quent

On Wed, Oct 25, 2000 at 11:27:16PM -0700, J. Paul Reed wrote:
> On 26 Oct 2000 at 00:15:10, Quent modified my mailspool to say:
> 
> > You can build a decent, secure environment with Linux just as well
> > as you can with OpenBSD. It's just that "out of the box" OpenBSD
> > boots up in a pretty secure state.
> 
> I think it's a mistake to say this.
> 
> While you're correct that OpenBSD *does* boot up more secure than, say
> RHAT, as soon as you start using it, if you don't know what you're doing,
> then it really doesn't matter.
> 
> Case in point: someone was port scanning me via their cable modem on my
> cable modem segment the other night; so, I returned the favor, and found
> out they were running OpenBSD. BUT, because they had misconfigured Apache,
> I had their home telephone number/address and personal email addy within
> about five minutes of poking around on their "secure" OpenBSD box.
> 
> So, don't fall into that panacea.
> 
> BTW, someone mentioned BSD's dynamic firewall rules, which open/close TCP
> stuff when you open a connection... I've heard that the 2.4 kernel supports
> this... that's what one of the presentations is on for SYM.
> 
> Later,
> Paul
>   -----------------------------------------------------------------------
>   J. Paul Reed                 preed at sigkill.com || web.sigkill.com/preed
>   We're living in a world that's blowing itself to hell as fast as every-
>   one can arrange it.       -- First Sgt. Edward Welsh, The Thin Red Line
> _______________________________________________
> NCLUG mailing list
> NCLUG at nclug.org
> http://www.nclug.org/mailman/listinfo/nclug
> 
> 
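Added illustration (not code from this thread or from either poster): the "dynamic rule" behaviour Paul and Quent are talking about, reduced to a small connection-tracking simulator, side by side with the older stateless trick of only blocking inbound SYN packets. The host address 10.0.0.5, the "only sshd is public" policy, and the packet trace are constructed for the demo; the netfilter rules in the comment are the 2.4-era iptables equivalent and are not executed here.

```python
"""Stateful vs. stateless TCP filtering, as a runnable model.

Added example, not part of the NCLUG thread. Addresses, ports and the
packet trace below are constructed. The Linux 2.4 netfilter equivalent of
the stateful policy (shown for reference, not run here) is:

    iptables -P INPUT DROP
    iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT

i.e. an entry in the connection-tracking table is what "opens" the
return path, and it goes away when the connection closes.
"""
from dataclasses import dataclass

HOME = "10.0.0.5"             # assumption: the protected host
OPEN_INBOUND_PORTS = {22}     # assumption: sshd is the only public service


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str                # subset of "SAFR": SYN, ACK, FIN, RST


def stateless_verdict(pkt):
    """Old ipchains-style policy: let anything in except a bare SYN to a
    closed port. Any packet with ACK set is assumed to be a reply."""
    if pkt.src == HOME:
        return "ACCEPT"
    if "S" in pkt.flags and "A" not in pkt.flags:
        return "ACCEPT" if pkt.dport in OPEN_INBOUND_PORTS else "DROP"
    return "ACCEPT"           # the hole: unsolicited ACK probes pass


class StatefulFilter:
    """Minimal conntrack: a table keyed by the initiating 4-tuple.
    Simplification: the entry is dropped on RST or on the second FIN;
    real conntrack keeps a short TIME_WAIT entry after that."""

    def __init__(self):
        self.table = {}       # (client, cport, server, sport) -> state

    def verdict(self, pkt):
        fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if fwd in self.table or rev in self.table:
            key = fwd if fwd in self.table else rev
            if "R" in pkt.flags:
                del self.table[key]                 # aborted: rule closes now
            elif "F" in pkt.flags:
                if self.table[key] == "FIN_WAIT":
                    del self.table[key]             # both sides closed
                else:
                    self.table[key] = "FIN_WAIT"    # one side closed
            return "ACCEPT"
        # Not tracked: only a genuine new connection (SYN, no ACK) may
        # create state, and inbound only if the port is meant to be open.
        if "S" in pkt.flags and "A" not in pkt.flags:
            if pkt.src == HOME or (pkt.dst == HOME and
                                   pkt.dport in OPEN_INBOUND_PORTS):
                self.table[fwd] = "ESTABLISHED"
                return "ACCEPT"
        return "DROP"


def demo_trace():
    """Constructed packet sequence: one outbound HTTP session, a port
    scan with a SYN probe and an ACK probe, and an inbound ssh session."""
    return [
        Packet(HOME, 40000, "192.0.2.10", 80, "S"),        # we open HTTP
        Packet("192.0.2.10", 80, HOME, 40000, "SA"),       # SYN/ACK back
        Packet(HOME, 40000, "192.0.2.10", 80, "A"),        # handshake done
        Packet("198.51.100.7", 5555, HOME, 80, "S"),       # scanner: SYN to 80
        Packet("198.51.100.7", 5555, HOME, 80, "A"),       # scanner: ACK probe
        Packet("198.51.100.7", 5555, HOME, 22, "S"),       # legitimate ssh
        Packet(HOME, 22, "198.51.100.7", 5555, "SA"),      # sshd replies
        Packet("192.0.2.10", 80, HOME, 40000, "FA"),       # server FIN
        Packet(HOME, 40000, "192.0.2.10", 80, "FA"),       # our FIN, entry gone
        Packet("192.0.2.10", 80, HOME, 40000, "A"),        # arrives after close
    ]


def run_stateless(trace):
    return [stateless_verdict(p) for p in trace]


def run_stateful(trace):
    fw = StatefulFilter()
    return [fw.verdict(p) for p in trace]


if __name__ == "__main__":
    for p, a, b in zip(demo_trace(), run_stateless(demo_trace()),
                       run_stateful(demo_trace())):
        print(f"{p.src}:{p.sport} -> {p.dst}:{p.dport} [{p.flags}] "
              f"stateless={a} stateful={b}")
```

The packet worth staring at is the fifth one: an ACK-only probe to port 80. The stateless rule waves it through because "it has ACK set, so it must be a reply", which is exactly what ACK scans exploit; the tracker drops it because no connection was ever opened. The last packet shows the other half of "dynamic": once both ends have sent FIN the entry is gone and the path is closed again, with the caveat noted in the code that real conntrack lingers in TIME_WAIT a little longer.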