[lug] Broadband

PC Drew drewpc at colorado.edu
Tue Aug 1 18:11:57 MDT 2000

Thus spake Michael J. Pedersen on Tuesday, August 01, 2000, 11:43:09 AM:

MJP> I probably shouldn't reply to this, but I'm going to, mainly because it is
MJP> possible to have a secure linux box on the internet, in my opinion.

I totally agree.

MJP> On Tue, Aug 01, 2000 at 12:27:23AM -0600, PC Drew wrote:
>> For all those who have or want cable modems or DSL, you should look
>> into using the Linksys BEFSR41 firewall instead of a computer.  Yeah,
>> it's a lot of fun to play around with Linux firewalling and such, but
>> if you want something that firewalls, does DHCP, NAT, port forwarding,
>> etc. for your network AND has a 4-port switch in it for only
>> $160...this is your product!

MJP> All of which is available via open source solutions (ie: GPL'ed most, if not
MJP> all, of that), which means that I don't have a need to fork out the $160 which
MJP> you are saying I should.

Very true.  The software versions of DHCP, NAT, etc are very good at
what they do.  I'm not knocking them!

>> No, this isn't an advertisement for Linksys.  I just cringe when I
>> hear about people using their linux machines to do lots of packet
>> filtering that is unnecessary.

MJP> Except for one detail in my case: I'm doing lots of packet filtering that,
MJP> while it may not be necessary, is good to have done. The Linux machine is my
MJP> gateway and firewall. I'd prefer to have the firewall happening their, for
MJP> other reasons due to my setup (I'll disclose the full setup if so desired).

It shouldn't be done anywhere else!

MJP> As for my packet filtering, I'm basically dropping everything from udp, tcp,
MJP> and icmp that I don't totally need to have available. And the stuff I DO have
MJP> available never sees unencrypted passwords gets sent. So, hacking my box will
MJP> require something like either a buffer overflow, or the infamous ping of death
MJP> coming back. No, I'm not susceptible to it, but that doesn't change the fact
MJP> that those are the only two methods to gain access. Unless I write a
MJP> particularly bad cgi script somewhere along the way.

>> Also, if you think for a second that hooking your cable modem directly
>> into your computer is safe, think again.  You've just put your
>> computer straight on the Internet for script kiddies to beat the crap
>> out of.

MJP> You're right, of course. But, you forgot something: Dialing into the internet
MJP> on a linux box is also unsafe. Same for dialing in with a Windows box, Solaris
MJP> box, and every other type of box. If even one service is offered by your
MJP> machine, no matter how obscure, you are open to attack. And, in my mind,
MJP> responding to a ping is technically a service your machine offers.

I didn't forget that.  It's more likely, however, that someone with a
static IP address and an "always on" connection will be attacked than
a person who is dialing up and getting a DHCP address.

MJP> Security is always about what are you doing to protect yourself, AND how much
MJP> risk is acceptable for what you have. Am I immune from attack? No, of course
MJP> not. To believe that I am would be silly. Am I relatively safe from attack?
MJP> Considering the following, yes I am:

MJP> * I have a lot of hard drive space. Mailbombing me would require a large waste
MJP>   of time on the part of the attacker to do any damage at all, and even then,
MJP>   due to partitioning schemes, my box would not be taken down. I would only
MJP>   have to deal with one bad mailbox, and email comes right back up.


MJP> * I don't offer a lot of services. The ones that I do offer, I'm very
MJP>   restrictive on. My biggest weakness? sendmail. And that's just because I'm
MJP>   more comfortable with sendmail than with the others out there. I ONLY allow
MJP>   secure shell connections for machine level access (ie: telnet and ftp are
MJP>   completely removed from my machine and inaccessible). Even though Apache is
MJP>   being run, there's not any cgi's going on (except for a custom counter I
MJP>   wrote, which has a known weakness I'll be fixing later today. Even that
MJP>   weakness isn't so bad, though, as it only has a race condition on it).

great!  Another SSH user!

MJP> * I firewall away everything that I don't like. I'm even annoying to myself,
MJP>   in that I have to use passive ftp anywhere due to what I filter out.


MJP> * I actually monitor this machine on almost an hourly basis, seeing what can
MJP>   be seen in the logs. In addition, I keep up with the latest exploits, and
MJP>   keep my software updated as needed to prevent and to patch
MJP> security holes.

great!  Unfortunately most people aren't as pro-active as you are
(like myself).

MJP> Am I immune to attack? No, not by a long shot. Can I recover from it? Almost
MJP> entirely (I'm still working out a better backup solution). In short, I'm doing
MJP> the things that a good sysadmin has to do to protect his box. And that's what
MJP> makes the box secure. Not whether it's commercial or not, not whether it's
MJP> open or closed source: The sysadmin. You get a bad one, and your system WILL
MJP> be cracked, and soon. I like to think I'm one of the better ones, in that I've
MJP> already seen and repelled a few attackers due to these measures.

More information about the LUG mailing list