Re: Disabling everything
Hi all,
this mail was sent to Bugtraq recently. I believe this list is a better
place to reply.
I'm CC'ing this reply to the original poster too.
"Dr. Joel M. Hoffman" wrote:
> Truth is, I'm getting a bit worried about the general approach to
> security, which is becoming "disable everything from the outside." I
> think we should focus on making these remote protocols safe, rather
> than disabling them.
>
> Ping is very useful. So is finger. So too are lots of other remote
> functions that are increasingly blocked.
The most dangerous problem when a server is running the finger daemon is
that a possible attacker can find out user names, idle times of logged-in
users and perhaps the places from which they usually log in. Given an option
telling the finger daemon not to show this information, this service could be
enabled without any security risks. For example, fingerd might be told
not to show idle times to all machines over the world but only to the internal
network (or it can be told not to show them at all). Or it can require a
user name when invoked. And it does not have to respond to requests
querying information about users like nobody or ftp. For user root it can
issue a telephone/pager number but not the forwarding email address if
root does not use an alias for his mail...
>
> Is there really no way to make these secure? Or are we just taking
> the easy way out?
>
These issues were finger-related (is the fingerd maintainer here??); they
do not address buffer overflows in daemons (the more programs you have
enabled, the bigger the chance that there are some buggy implementations that
might get your server to panic (or even worse, open a way to an
attacker)). Perhaps there are more services that are disabled in certain
distributions, but after proper configuration or applying security
patches they can be enabled...
Please note that I do not use finger at all (it's dangerous, isn't
it??:-), so if some of the above features are already available, don't
kick me :-)
--
Matej Kovac
matej@pobox.sk
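The disclosure policy sketched in the mail above (idle times and login origin only for the internal network, no user listing, no answers for accounts like nobody or ftp, phone but no forwarding address for root), as an added example of how a finger daemon could apply it; this is illustrative code, not part of the mail or of any real fingerd, and the networks, account names and user records are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, Optional

# Policy values are assumptions for this example, not settings of any real fingerd.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]
NEVER_ANSWER = {"nobody", "ftp", "daemon"}   # system accounts never answered for
HIDE_FORWARD_FOR = {"root"}                  # phone/pager shown, ~/.forward never

@dataclass
class UserRecord:
    login: str
    name: str
    phone: str
    forward_to: str        # contents of ~/.forward
    idle_seconds: int
    last_login_from: str

def is_internal(src_ip: str) -> bool:
    addr = ipaddress.ip_address(src_ip)
    return any(addr in net for net in INTERNAL_NETS)

def finger_reply(query: str, src_ip: str, users: Dict[str, UserRecord]) -> Optional[dict]:
    """Fields a fingerd following the mail's policy would disclose, or None to refuse."""
    query = query.strip()
    if not query:                       # "finger @host": user listing is never served
        return None
    if query in NEVER_ANSWER or query not in users:
        return None                     # same refusal for system and unknown accounts
    rec = users[query]
    reply = {"login": rec.login, "name": rec.name, "phone": rec.phone}
    if is_internal(src_ip):             # idle time and login origin: internal network only
        reply["idle_seconds"] = rec.idle_seconds
        reply["last_login_from"] = rec.last_login_from
    if query not in HIDE_FORWARD_FOR:
        reply["forward_to"] = rec.forward_to
    return reply

# Constructed sample records for the demonstration.
USERS = {
    "root": UserRecord("root", "Charlie Root", "pager 555-0100", "admin@example.org", 120, "console"),
    "alice": UserRecord("alice", "Alice Example", "", "alice@example.net", 3600, "10.0.0.7"),
}

if __name__ == "__main__":
    print(finger_reply("alice", "203.0.113.9", USERS))   # external: no idle time or origin
    print(finger_reply("alice", "10.0.0.5", USERS))      # internal: full record
    print(finger_reply("root", "10.0.0.5", USERS))       # pager shown, forwarding hidden
```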
-
Securedistros: A common list for all secured Linux distributions
Archive: http://humbolt.nl.linux.org/lists/