From owner-securedistros@humbolt.geo.uu.nl Sun Sep 12 18:25:55 1999
Received: by humbolt.nl.linux.org id <S92183AbPILQYf>;
	Sun, 12 Sep 1999 18:24:35 +0200
Received: from [195.98.31.153] ([195.98.31.153]:35593 "EHLO core.telnet.sk"
        smtp-auth: <none>) by humbolt.nl.linux.org with ESMTP
	id <S92177AbPILQYD>; Sun, 12 Sep 1999 18:24:03 +0200
Received: from pobox.sk (core.telnet.sk [195.98.31.153])
	by core.telnet.sk (8.9.3/8.9.3) with ESMTP id SAA12914;
	Sun, 12 Sep 1999 18:22:49 +0200
Message-ID: <37DBD358.48E4B945@pobox.sk>
Date:   Sun, 12 Sep 1999 18:22:48 +0200
From:   Matej Kovac <matej@pobox.sk>
X-Mailer: Mozilla 4.6 [en] (X11; I; Linux 2.2.5-22 i586)
X-Accept-Language: sk, en-US, en
MIME-Version: 1.0
To:     securedistros@humbolt.geo.uu.nl
CC:     "Dr. Joel M. Hoffman" <joel@EXC.COM>
Subject: Re: Disabling everything
References: <m11P3A9-000369C@jmh>
Content-Type: text/plain; charset=iso-8859-2
Content-Transfer-Encoding: 7bit
Sender: owner-securedistros@humbolt.geo.uu.nl
Precedence: bulk
Reply-To: securedistros@humbolt.geo.uu.nl
Return-Path: <owner-securedistros@humbolt.geo.uu.nl>
X-Orcpt: rfc822;securedistros-list

Hi all,

this mail was sent to Bugtraq recently. I believe this list is a better
place to reply.

I'm CC'ing this reply to the original poster too.


"Dr. Joel M. Hoffman" wrote:
> Truth is, I'm getting a bit worried about the general approach to
> security, which is becoming "disable everything from the outside."  I
> think we should focus on making these remote protocols safe, rather
> than disabling them.
> 
> Ping is very useful.  So is finger.  So too are lots of other remote
> functions that are increasingly blocked.

The most dangerous problem when a server is running the finger daemon is
that a possible attacker can find out user names, idle times of logged-in
users and perhaps the places from where they usually log in. With an option
telling the finger daemon not to show this information, the service could be
enabled without any security risk. For example, fingerd might be told
not to show idle times to all machines over the world but only to the internal
network (or it can be told not to show this at all). Or it can require a
user name when invoked. And it does not have to respond to requests
querying information about users like nobody or ftp. For user root it can
issue a telephone/pager number but not the forwarding e-mail address if
root does not use an alias for his mail...

> 
> Is there really no way to make these secure?  Or are we just taking
> the easy way out?
> 
These issues were finger-related (is the fingerd maintainer here??); they
do not address buffer overflows in daemons (the more programs you have
enabled, the bigger the chance that there are some buggy implementations that
might make your server panic (or even worse - open a way to an
attacker)). Perhaps there are more services that are disabled in certain
distributions, but after proper configuration or applying security
patches they can be enabled...

Note please that I do not use finger at all (it's dangerous, isn't
it??:-), so if some of the above features are already available, don't
kick me :-)

-- 
Matej Kovac
matej@pobox.sk
-
Securedistros: A common list for all secured Linux distributions
Archive:       http://humbolt.nl.linux.org/lists/
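The policy knobs the message above asks of fingerd (hide idle times and login origin from requesters outside the internal network, require a user name, answer nothing useful for system accounts such as nobody or ftp, give out root's phone number but not a forwarding address) can be modelled in a small request filter. The following is an added example for this list entry, not code from the original poster or from any real fingerd; the internal network 192.168.0.0/16, the hidden-account list, the user records and the `~/.forward`-style field are constructed for the example.

```python
"""Policy-filtered finger responder.

Added example, not code from the original message or from any fingerd:
it models the configuration knobs asked for above.  The internal network,
the hidden account list and the user records are constructed for the
example; the ".forward" field and the field names are assumptions.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

INTERNAL_NET = ipaddress.ip_network("192.168.0.0/16")   # assumption
HIDDEN_ACCOUNTS = {"nobody", "ftp", "daemon"}            # constructed list


@dataclass
class UserRecord:
    login: str
    real_name: str
    phone: str = ""                      # office/pager number
    idle_seconds: Optional[int] = None   # None: not logged in
    last_login_from: str = ""            # host the user usually logs in from
    forward: str = ""                    # where ~/.forward sends mail


# Constructed sample records.
USERS = {
    "root": UserRecord("root", "System administrator", phone="x1234",
                       idle_seconds=0, last_login_from="10.0.0.5",
                       forward="admin@example.org"),
    "alice": UserRecord("alice", "Alice Example", idle_seconds=3600,
                        last_login_from="dialup.example.net"),
    "nobody": UserRecord("nobody", "Nobody"),
}


def parse_request(line: str) -> str:
    """Extract the user name from an RFC 1288 request line ("[/W ]user")."""
    q = line.strip()
    if q.upper().startswith("/W"):       # verbose switch; ignored here
        q = q[2:].strip()
    return q


def finger_response(request: str, requester_ip: str, users=USERS) -> str:
    """Answer one finger request, filtering by the requester's origin.

    - An empty request (user listing) is refused: a user name is required.
    - System accounts and unknown users get the same answer, so the
      hidden list cannot be enumerated by comparing error messages.
    - Idle time, login origin and mail forwarding go only to INTERNAL_NET;
      phone/pager numbers are public.
    """
    user = parse_request(request)
    if not user:
        return "Finger: a user name is required.\r\n"
    if user in HIDDEN_ACCOUNTS or user not in users:
        return f"Finger: {user}: no such user.\r\n"

    rec = users[user]
    internal = ipaddress.ip_address(requester_ip) in INTERNAL_NET
    lines = [f"Login: {rec.login}", f"Name: {rec.real_name}"]
    if rec.phone:
        lines.append(f"Phone: {rec.phone}")
    if internal:
        if rec.idle_seconds is None:
            lines.append("Not currently logged in")
        else:
            lines.append(f"Idle: {rec.idle_seconds}s")
        if rec.last_login_from:
            lines.append(f"Last login from: {rec.last_login_from}")
        if rec.forward:
            lines.append(f"Mail forwarded to: {rec.forward}")
    return "\r\n".join(lines) + "\r\n"


if __name__ == "__main__":
    print(finger_response("alice", "203.0.113.7"), end="")     # external view
    print(finger_response("alice", "192.168.1.10"), end="")    # internal view
```

The one design point worth noting is the identical "no such user" reply for hidden and unknown accounts: a distinct "access denied" for nobody or ftp would confirm which account names exist, which is exactly the enumeration the filter is meant to stop.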

From owner-securedistros@humbolt.geo.uu.nl Mon Sep 13 13:53:59 1999
Received: by humbolt.nl.linux.org id <S92198AbPIMLwa>;
	Mon, 13 Sep 1999 13:52:30 +0200
Received: from crufty.research.bell-labs.com ([204.178.16.49]:47446 "HELO
        crufty.research.bell-labs.com" smtp-auth: <none>)
	by humbolt.nl.linux.org with SMTP id <S92187AbPIMLwE>;
	Mon, 13 Sep 1999 13:52:04 +0200
Received: from grubby.research.bell-labs.com ([135.104.2.9]) by crufty; Mon Sep 13 07:50:07 EDT 1999
Received: from p.cheswick.com ([135.104.9.157]) by grubby; Mon Sep 13 07:50:06 EDT 1999
Message-Id: <3.0.6.32.19990913074812.008fa9c0@135.104.9.2>
X-Sender: ches@135.104.9.2
X-Mailer: QUALCOMM Windows Eudora Light Version 3.0.6 (32)
Date:   Mon, 13 Sep 1999 07:48:12 -0400
To:     securedistros@humbolt.geo.uu.nl
From:   Bill Cheswick <ches@bell-labs.com>
Subject: Re: Disabling everything
Cc:     "Dr. Joel M. Hoffman" <joel@EXC.COM>
In-Reply-To: <37DBD358.48E4B945@pobox.sk>
References: <m11P3A9-000369C@jmh>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-securedistros@humbolt.geo.uu.nl
Precedence: bulk
Reply-To: securedistros@humbolt.geo.uu.nl
Return-Path: <owner-securedistros@humbolt.geo.uu.nl>
X-Orcpt: rfc822;securedistros-list

>> Truth is, I'm getting a bit worried about the general approach to
>> security, which is becoming "disable everything from the outside."  I
>> think we should focus on making these remote protocols safe, rather
>> than disabling them.

A noble effort, but mostly it has proved nearly impossible.  It is simply
very hard to write bug-free, and therefore secure, code.  Most people fail,
including Very Smart Security people.

We have three choices here:  don't run the server, run the server jailed
in a chroot environment (and, I hope, with other capabilities restricted),
or let the server run without protection, and hope the multiuser system
can defend itself.

I have given up on this last option.  People often write servers running as
root, when the server doesn't need it.  Even if they don't, I've decided that
it is a lost cause keeping a normal user from becoming root.  Most systems
generally have 50-70 programs setuid to root, and that's at least an order
of magnitude too many.

Therefore, I head them off at the network services pass.  My hosts typically
run ssh, ntp, and nothing else.

ches

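A host that is supposed to run "ssh, ntp, and nothing else" can be checked against that intent by reading the kernel's own socket tables rather than trusting inetd.conf or the init scripts. The script below is an added example for this list entry, not Cheswick's code: it parses the Linux /proc/net/{tcp,tcp6,udp,udp6} format, decodes the hex local address and port, and reports every listener whose (protocol, port) pair is not on an allowlist. The allowlist (sshd on tcp/22, ntpd on udp/123) and the embedded sample tables are assumptions constructed for the example; the sample was written as a little-endian host prints it.

```python
"""Audit listening sockets against a short allowlist.

Added example, not Cheswick's code.  It reads the kernel socket tables
(/proc/net/tcp, tcp6, udp, udp6), decodes the hex local address:port
field, and reports every listener whose (protocol, port) is not in
ALLOWED.  The allowlist (sshd on tcp/22, ntpd on udp/123) and the sample
table text are assumptions constructed for the example.
"""
import socket
import struct
from typing import Dict, Iterator, List, NamedTuple

ALLOWED = {("tcp", 22), ("udp", 123)}   # "ssh, ntp, and nothing else"


class Listener(NamedTuple):
    proto: str
    addr: str
    port: int
    uid: int


def decode_addr(hexaddr: str) -> str:
    """Decode a /proc/net address field.

    The kernel prints each 32-bit word in host byte order, so on a
    little-endian machine 127.0.0.1 appears as 0100007F.  Unpack each
    word natively and repack it big-endian to get network order.
    """
    raw = bytes.fromhex(hexaddr)
    packed = b"".join(struct.pack(">I", struct.unpack("=I", raw[i:i + 4])[0])
                      for i in range(0, len(raw), 4))
    family = socket.AF_INET if len(packed) == 4 else socket.AF_INET6
    return socket.inet_ntop(family, packed)


def parse_table(name: str, text: str) -> Iterator[Listener]:
    """Yield listening sockets from one /proc/net/{tcp,tcp6,udp,udp6} table.

    TCP listeners have state 0A (LISTEN).  UDP has no listen state; a
    bound, unconnected socket shows state 07 and will accept datagrams,
    so it is treated as a listener here.
    """
    want_state = "0A" if name.startswith("tcp") else "07"
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 8 or fields[0] == "sl":     # skip blank/header lines
            continue
        if fields[3] != want_state:
            continue
        hexaddr, hexport = fields[1].rsplit(":", 1)
        yield Listener(name.rstrip("6"), decode_addr(hexaddr),
                       int(hexport, 16), int(fields[7]))


def unexpected_listeners(tables: Dict[str, str],
                         allowed=ALLOWED) -> List[Listener]:
    """Return listeners not covered by the allowlist, sorted for stable output."""
    return sorted(l for name, text in tables.items()
                  for l in parse_table(name, text)
                  if (l.proto, l.port) not in allowed)


def read_live_tables() -> Dict[str, str]:
    """Read the real tables (Linux only; returns {} elsewhere)."""
    out = {}
    for name in ("tcp", "tcp6", "udp", "udp6"):
        try:
            with open(f"/proc/net/{name}") as fh:
                out[name] = fh.read()
        except OSError:
            pass
    return out


# Constructed sample tables from a little-endian host: sshd and ntpd
# (allowed), plus fingerd on tcp/79, an SMTP listener on loopback tcp/25,
# a DNS server on udp/53, and one established ssh connection (state 01).
SAMPLE_TABLES = {
    "tcp": """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1001 1 0000000000000000 100 0 0 10 0
   1: 00000000:004F 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1002 1 0000000000000000 100 0 0 10 0
   2: 0100007F:0019 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1003 1 0000000000000000 100 0 0 10 0
   3: 0100007F:9A3C 0100007F:0016 01 00000000:00000000 00:00000000 00000000  1000        0 1004 1 0000000000000000 20 4 30 10 -1
""",
    "tcp6": """\
  sl  local_address                         rem_address                         st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000000000000000000000000000:0016 00000000000000000000000000000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1005 1 0000000000000000 100 0 0 10 0
""",
    "udp": """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode ref pointer drops
   4: 00000000:007B 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 1006 2 0000000000000000 0
   5: 00000000:0035 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 1007 2 0000000000000000 0
""",
}

if __name__ == "__main__":
    for l in unexpected_listeners(read_live_tables() or SAMPLE_TABLES):
        print(f"{l.proto} {l.addr}:{l.port} (uid {l.uid}) is not on the allowlist")
```

Run as root on a real host the script reads the live tables; elsewhere it falls back to the constructed sample. A loopback-only listener such as the sample SMTP socket is still reported, since the point of the check is to know about every service that is running, not only those reachable from outside; narrow the allowlist or add an address filter if that is too strict for a given host.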

