drewpc at colorado.edu
Tue Aug 1 18:11:57 MDT 2000

Thus spake Michael J. Pedersen on Tuesday, August 01, 2000, 11:43:09 AM:
MJP> I probably shouldn't reply to this, but I'm going to, mainly because it is
MJP> possible to have a secure linux box on the internet, in my opinion.

I totally agree.

MJP> On Tue, Aug 01, 2000 at 12:27:23AM -0600, PC Drew wrote:
>> For all those who have or want cable modems or DSL, you should look
>> into using the Linksys BEFSR41 firewall instead of a computer. Yeah,
>> it's a lot of fun to play around with Linux firewalling and such, but
>> if you want something that firewalls, does DHCP, NAT, port forwarding,
>> etc. for your network AND has a 4-port switch in it for only
>> $160...this is your product!
MJP> All of which is available via open source solutions (ie: GPL'ed most, if not
MJP> all, of that), which means that I don't have a need to fork out the $160 which
MJP> you are saying I should.

Very true. The software versions of DHCP, NAT, etc. are very good at
what they do. I'm not knocking them!

>> No, this isn't an advertisement for Linksys. I just cringe when I
>> hear about people using their linux machines to do lots of packet
>> filtering that is unnecessary.
MJP> Except for one detail in my case: I'm doing lots of packet filtering that,
MJP> while it may not be necessary, is good to have done. The Linux machine is my
MJP> gateway and firewall. I'd prefer to have the firewall happening there, for
MJP> other reasons due to my setup (I'll disclose the full setup if so desired).

It shouldn't be done anywhere else!

MJP> As for my packet filtering, I'm basically dropping everything from udp, tcp,
MJP> and icmp that I don't totally need to have available. And the stuff I DO have
MJP> available never sees unencrypted passwords get sent. So, hacking my box will
MJP> require something like either a buffer overflow, or the infamous ping of death
MJP> coming back. No, I'm not susceptible to it, but that doesn't change the fact
MJP> that those are the only two methods to gain access. Unless I write a
MJP> particularly bad cgi script somewhere along the way.
>> Also, if you think for a second that hooking your cable modem directly
>> into your computer is safe, think again. You've just put your
>> computer straight on the Internet for script kiddies to beat the crap
>> out of.
MJP> You're right, of course. But, you forgot something: Dialing into the internet
MJP> on a linux box is also unsafe. Same for dialing in with a Windows box, Solaris
MJP> box, and every other type of box. If even one service is offered by your
MJP> machine, no matter how obscure, you are open to attack. And, in my mind,
MJP> responding to a ping is technically a service your machine offers.

I didn't forget that. It's more likely, however, that someone with a
static IP address and an "always on" connection will be attacked than
a person who is dialing up and getting a DHCP address.

MJP> Security is always about what are you doing to protect yourself, AND how much
MJP> risk is acceptable for what you have. Am I immune from attack? No, of course
MJP> not. To believe that I am would be silly. Am I relatively safe from attack?
MJP> Considering the following, yes I am:
MJP> * I have a lot of hard drive space. Mailbombing me would require a large waste
MJP> of time on the part of the attacker to do any damage at all, and even then,
MJP> due to partitioning schemes, my box would not be taken down. I would only
MJP> have to deal with one bad mailbox, and email comes right back up.
MJP> * I don't offer a lot of services. The ones that I do offer, I'm very
MJP> restrictive on. My biggest weakness? sendmail. And that's just because I'm
MJP> more comfortable with sendmail than with the others out there. I ONLY allow
MJP> secure shell connections for machine level access (ie: telnet and ftp are
MJP> completely removed from my machine and inaccessible). Even though Apache is
MJP> being run, there's not any cgi's going on (except for a custom counter I
MJP> wrote, which has a known weakness I'll be fixing later today. Even that
MJP> weakness isn't so bad, though, as it only has a race condition on it).

Great! Another SSH user!

MJP> * I firewall away everything that I don't like. I'm even annoying to myself,
MJP> in that I have to use passive ftp anywhere due to what I filter out.
MJP> * I actually monitor this machine on almost an hourly basis, seeing what can
MJP> be seen in the logs. In addition, I keep up with the latest exploits, and
MJP> keep my software updated as needed to prevent and to patch
MJP> security holes.

Great! Unfortunately, most people aren't as proactive as you are.

MJP> Am I immune to attack? No, not by a long shot. Can I recover from it? Almost
MJP> entirely (I'm still working out a better backup solution). In short, I'm doing
MJP> the things that a good sysadmin has to do to protect his box. And that's what
MJP> makes the box secure. Not whether it's commercial or not, not whether it's
MJP> open or closed source: The sysadmin. You get a bad one, and your system WILL
MJP> be cracked, and soon. I like to think I'm one of the better ones, in that I've
MJP> already seen and repelled a few attackers due to these measures.