Re: Is this mail list dead?
On Mon, Mar 12, 2001 at 09:07:41PM -0800, Crispin Cowan wrote:
> How else would you (say) enforce that only the Duly Authorized Mailserver is
> the one listening to example.com:25 ? If anyone can bind to port 25, then
> anyone can kick the authorized mail server over (go find some DoS) and start
> your own mail server. Repeat as necessary for various other important
> services that bind to well-known ports <1024.
How do we prevent people from binding to the web proxy port? Or the MySQL
port? Or any number of other services above 1024? We don't, but this has
never posed a problem. It has long been the custom to run telnet on port
23, but the side effect of root-owned processes has cost us an awful lot.
I think it is time we changed that custom. The longer we wait the worse it
will be. I suspect far more will be lost through root exploits than will
be lost through rogue daemons.
There are two answers:
1. Firewall off incoming traffic to unneeded ports.
2. Use public key crypto to verify that the host you are talking to really
is the correct host. This is the *right* solution IMHO. We don't make
nearly enough use of public key crypto for verifying identities. This is
the very reason it exists: to prove that the service you are talking to is
the correct one. If someone fired up their own ssh daemon on my port 22,
incoming users would get a nastygram from their local ssh client when they
connected. Of course telnet and rlogin don't implement this, but nobody
should be using those insecure protocols anyhow. :)
--
Tracy Reed http://www.ultraviolet.org
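The second answer above, host identity proven with public key crypto rather than with a privileged port number, as an added worked example that is not part of the original message or of any project discussed on the list. It models what an ssh client's known_hosts check does: the client pins the fingerprint of the host key it first saw, and on each connection the daemon must both present that key and sign a fresh nonce with the matching private key. The names (KnownHosts, Daemon, Connect, the address "example.com:22") are constructed for the illustration; the fingerprint format follows OpenSSH's "SHA256:" + base64 convention but the handshake itself is a simplified stand-in, not the SSH protocol.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
)

// Fingerprint renders a raw Ed25519 public key in the style OpenSSH uses:
// "SHA256:" followed by the unpadded base64 of the key's SHA-256 digest.
func Fingerprint(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return "SHA256:" + base64.RawStdEncoding.EncodeToString(sum[:])
}

// KnownHosts is the client's pin store: "host:port" -> fingerprint first seen
// (the role ~/.ssh/known_hosts plays for a real ssh client). Constructed type.
type KnownHosts map[string]string

// Daemon models a service listening on a port (constructed for this example).
// advertised is the public key it presents; priv is the key it actually signs
// with. For an honest server these match; letting them differ lets an
// impostor that merely copied a public key be tested.
type Daemon struct {
	advertised ed25519.PublicKey
	priv       ed25519.PrivateKey
}

// NewDaemon generates a fresh host key pair.
func NewDaemon() (*Daemon, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Daemon{advertised: pub, priv: priv}, nil
}

// Impersonate returns a daemon that advertises someone else's public key but
// can only sign with its own private key (it never had the victim's secret).
func (d *Daemon) Impersonate(victim ed25519.PublicKey) *Daemon {
	return &Daemon{advertised: victim, priv: d.priv}
}

// HostHello is the server's reply to a connection attempt.
type HostHello struct {
	PublicKey ed25519.PublicKey
	Signature []byte // signature over the client's fresh nonce
}

// Respond signs the client's nonce with the daemon's private key.
func (d *Daemon) Respond(nonce []byte) HostHello {
	return HostHello{PublicKey: d.advertised, Signature: ed25519.Sign(d.priv, nonce)}
}

var (
	ErrUnknownHost     = errors.New("no pinned host key for this address")
	ErrHostKeyMismatch = errors.New("host key does not match the pinned fingerprint")
	ErrBadSignature    = errors.New("server failed to prove possession of the host key")
)

// Connect is the client side: pick a fresh nonce, let the daemon answer, and
// accept only if the presented key is the pinned one AND the daemon proved it
// holds the matching private key. The presented fingerprint is returned either
// way so a caller can log what actually showed up on the port.
func Connect(known KnownHosts, addr string, d *Daemon) (string, error) {
	pinned, ok := known[addr]
	if !ok {
		return "", ErrUnknownHost
	}
	nonce := make([]byte, 32) // fresh per connection, so an old signature cannot be replayed
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	hello := d.Respond(nonce)
	fp := Fingerprint(hello.PublicKey)
	if fp != pinned {
		return fp, ErrHostKeyMismatch // the "nastygram" case: a different key on the port
	}
	if !ed25519.Verify(hello.PublicKey, nonce, hello.Signature) {
		return fp, ErrBadSignature // right key advertised, but the speaker does not hold it
	}
	return fp, nil
}

func main() {
	honest, _ := NewDaemon()
	rogue, _ := NewDaemon()
	known := KnownHosts{"example.com:22": Fingerprint(honest.advertised)}

	for name, d := range map[string]*Daemon{
		"honest daemon":     honest,
		"rogue daemon":      rogue,
		"key-copying rogue": rogue.Impersonate(honest.advertised),
	} {
		fp, err := Connect(known, "example.com:22", d)
		fmt.Printf("%-18s %s -> %v\n", name, fp, err)
	}
}
```

The point the nonce makes is the one the message relies on: a daemon that got onto the port after the real one was knocked over cannot pass the check by copying the genuine public key, because that key is public anyway; only the private key proves identity, and the client learns this without caring whether the listener is root or not.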
-
Securedistros: A common list for all secured Linux distributions
Archive: http://humbolt.nl.linux.org/lists/