Michael J. Pedersen
marvin at keepthetouch.org
Tue Aug 1 11:43:09 MDT 2000
I probably shouldn't reply to this, but I'm going to, mainly because it is
possible to have a secure linux box on the internet, in my opinion.
On Tue, Aug 01, 2000 at 12:27:23AM -0600, PC Drew wrote:
> For all those who have or want cable modems or DSL, you should look
> into using the Linksys BEFSR41 firewall instead of a computer. Yeah,
> it's a lot of fun to play around with Linux firewalling and such, but
> if you want something that firewalls, does DHCP, NAT, port forwarding,
> etc. for your network AND has a 4-port switch in it for only
> $160...this is your product!
All of which is available via open source solutions (ie: GPL'ed most, if not
all, of that), which means that I don't have a need to fork out the $160 which
you are saying I should.
> No, this isn't an advertisement for Linksys. I just cringe when I
> hear about people using their linux machines to do lots of packet
> filtering that is unnecessary.
Except for one detail in my case: I'm doing lots of packet filtering that,
while it may not be necessary, is good to have done. The Linux machine is my
gateway and firewall. I'd prefer to have the firewall happening their, for
other reasons due to my setup (I'll disclose the full setup if so desired).
As for my packet filtering, I'm basically dropping everything from udp, tcp,
and icmp that I don't totally need to have available. And the stuff I DO have
available never sees unencrypted passwords gets sent. So, hacking my box will
require something like either a buffer overflow, or the infamous ping of death
coming back. No, I'm not susceptible to it, but that doesn't change the fact
that those are the only two methods to gain access. Unless I write a
particularly bad cgi script somewhere along the way.
> Also, if you think for a second that hooking your cable modem directly
> into your computer is safe, think again. You've just put your
> computer straight on the Internet for script kiddies to beat the crap
> out of.
You're right, of course. But, you forgot something: Dialing into the internet
on a linux box is also unsafe. Same for dialing in with a Windows box, Solaris
box, and every other type of box. If even one service is offered by your
machine, no matter how obscure, you are open to attack. And, in my mind,
responding to a ping is technically a service your machine offers.
Security is always about what are you doing to protect yourself, AND how much
risk is acceptable for what you have. Am I immune from attack? No, of course
not. To believe that I am would be silly. Am I relatively safe from attack?
Considering the following, yes I am:
* I have a lot of hard drive space. Mailbombing me would require a large waste
of time on the part of the attacker to do any damage at all, and even then,
due to partitioning schemes, my box would not be taken down. I would only
have to deal with one bad mailbox, and email comes right back up.
* I don't offer a lot of services. The ones that I do offer, I'm very
restrictive on. My biggest weakness? sendmail. And that's just because I'm
more comfortable with sendmail than with the others out there. I ONLY allow
secure shell connections for machine level access (ie: telnet and ftp are
completely removed from my machine and inaccessible). Even though Apache is
being run, there's not any cgi's going on (except for a custom counter I
wrote, which has a known weakness I'll be fixing later today. Even that
weakness isn't so bad, though, as it only has a race condition on it).
* I firewall away everything that I don't like. I'm even annoying to myself,
in that I have to use passive ftp anywhere due to what I filter out.
* I actually monitor this machine on almost an hourly basis, seeing what can
be seen in the logs. In addition, I keep up with the latest exploits, and
keep my software updated as needed to prevent and to patch security holes.
Am I immune to attack? No, not by a long shot. Can I recover from it? Almost
entirely (I'm still working out a better backup solution). In short, I'm doing
the things that a good sysadmin has to do to protect his box. And that's what
makes the box secure. Not whether it's commercial or not, not whether it's
open or closed source: The sysadmin. You get a bad one, and your system WILL
be cracked, and soon. I like to think I'm one of the better ones, in that I've
already seen and repelled a few attackers due to these measures.
I guess what I'm trying to say is this: Don't slam a linux firewall on the
basis that "Since it's open source, it must be more insecure, because
everybody can beat on it." To me, at least, it doesn't make sense.
Michael J. Pedersen
Get GnuPG at http://www.gnupg.org
My GnuPG Key Fingerprint: C31C 7E90 5992 9E5E 9A02 233D D8DD 985E 4E72 4A60
My GnuPG Public Key Available At: http://www.keyserver.net
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Size: 232 bytes
Desc: not available
More information about the LUG