
Re: is it secure enough



Has someone gotten onto my system without my permission or knowledge?  If
they were good, I wouldn't be able to tell, but as far as I know, no.

There have been two other attempts so far, they seemed to be a probing of
open TCP ports.  Probably seeing if I left netstat or something else open.
Giving no info is the best info to give.  I will not say that I have a
secure net (unless I unplug the T1 and rip out the NICs, then pull the
power cord and snip off the end).

The question was... IS MY FIREWALL SECURE?  The answer... NO.  No firewall
is secure.  Sure you can block packets right up to the point where you don't
know what you are doing, but the guy who is smarter than you (and me) will
find a way to get in.  That's the game we play as sys admins.

Is it smart to run any program on a Linux box trying to be a firewall?  NO.
If they can get a shell login, they can at some point break in.  If they can
exploit a program or daemon you are running with a security flaw, they can
get to a shell and get in.  Imagine this: your firewall is running, user A
comes along, logs in as root to mount a disk to do whatever, and leaves the
terminal before typing EXIT.....  or user B logs in as root, stops a daemon
because they thought the mail program was hung, was off by 1 and kills the
firewall.... or user C wants to have a CGI script that he wrote in his
spare time with PERL for idiots volume 1, sets the entire system world
readable/writeable.   Security is more than ipfwadm and some cleverly copied
line from Linux Journal or Boardwatch.

As for me being so harsh... well, I gotta be me!!

Paul


-----Original Message-----
From: Bruce McDonald <bruce@triph0p.dyn.ml.org>
To: Paul Farber <farber@f-tech.net>
Cc: erez@savan.com <erez@savan.com>; linux ILUG <linux-il@linux.org.il>;
linux network group <linux-net@vger.rutgers.edu>
Date: Friday, January 23, 1998 1:35 PM
Subject: Re: is it secure enough


>Paul,
>
>Why not be helpful instead of being blunt (just a euphemism for
>rudeness).  There are good reasons why folks might want to run sendmail
>on the firewall machine, including the absence of a second machine to
>run it on.
>
>As to the "screwed-up" state of Erez's setup, can you be a little
>more specific?  And what sendmail exploit are you referring to?  As to
>your rhetorical question regarding attempted crack attempts, well that is
>not what Erez asked about - but you have a point, crack detection is
>important but looking at logs (or even using ps - it could be trojanned)
>is no sure-fire way of detecting a security breach.
>
>Just a question, have you, Paul had a machine cracked?
>
>Bruce.
>
>PS.  All flames to /dev/null
>
>On Fri, 23 Jan 1998, Paul Farber wrote:
>
>> Yea, don't run all those servers on a firewall......  if somebody uses a
>> hole in sendmail to get root privileges, then your firewall is useless.  They
>> could then easily snoop around your entire mail and web sites.  A firewall
>> must be the only program running on a Linux box to make it secure, and
>> therefore protecting the rest of your network.
>>
>> I doubt that you have covered all the holes up with your firewall because you
>> have the initial set up screwed up.  So your firewall is probably useless
>> anyway.  Not trying to be harsh, just honest.  BTW, do you know what an
>> attempted crack attempt looks like by searching your logs?  Probably not.
>> Do you log all the dropped or filtered packets so you can see who or what is
>> trying to get past?  Probably not.
>>
>> Sorry for being so blunt, but reality has just set in!
>>
>> Paul
>>
>> -----Original Message-----
>> From: Erez Doron <erez@savan.com>
>> To: linux ILUG <linux-il@linux.org.il>; linux network group
>> <linux-net@vger.rutgers.edu>
>> Date: Friday, January 23, 1998 8:36 AM
>> Subject: is it secure enough
>>
>>
>> >
>> >
>> >
>> >I've used my linux as a firewall.
>> >
>> >i have one ip connected to the internet.
>> >i use ip-masq for internal computers
>> >i use ipfwadm to disable ip-spoofing
>> >i use /etc/hosts.allow & /etc/hosts.deny to allow only local computers
>> >
>> >
>> >i should mention here, that the linux-firewall is
>> >a fully operational machine ( i.e. mail, nfs, web, ftp , ... )
>> >
>> >the question is : is it secure enough ? are there other things
>> >i should know of or do ?
>> >
>> >btw: i use redhat4.2, kernel 2.0.33. any need to upgrade ( to RH5.0 ? )
>> >
>> >Regards
>> >Erez.
>> >
>> >
>> >
>>
>
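Paul's point about logging dropped packets so you can see who is probing your open TCP ports: as an added example (not code from any of the posters), a small Python script that reads constructed kernel firewall "deny" log lines in an assumed ipfwadm-style layout and flags sources that hit many distinct TCP ports on the firewall.

```python
import re
from collections import defaultdict

# Constructed sample lines in the style of the Linux 2.0 ipfwadm "deny" log.
# The layout "IP fw-in deny IFACE PROTO SRC:PORT DST:PORT ..." is assumed;
# the addresses, ports and timestamps are made up for this example.
SAMPLE_LOG = """\
Jan 23 13:01:02 fw kernel: IP fw-in deny eth0 TCP 10.9.8.7:40111 192.0.2.1:23 L=44 S=0x00 I=1 F=0x0000 T=64
Jan 23 13:01:02 fw kernel: IP fw-in deny eth0 TCP 10.9.8.7:40112 192.0.2.1:25 L=44 S=0x00 I=2 F=0x0000 T=64
Jan 23 13:01:03 fw kernel: IP fw-in deny eth0 TCP 10.9.8.7:40113 192.0.2.1:79 L=44 S=0x00 I=3 F=0x0000 T=64
Jan 23 13:01:03 fw kernel: IP fw-in deny eth0 TCP 10.9.8.7:40114 192.0.2.1:110 L=44 S=0x00 I=4 F=0x0000 T=64
Jan 23 13:01:04 fw kernel: IP fw-in deny eth0 TCP 10.9.8.7:40115 192.0.2.1:111 L=44 S=0x00 I=5 F=0x0000 T=64
Jan 23 13:05:00 fw kernel: IP fw-in deny eth0 UDP 198.51.100.4:53 192.0.2.1:1027 L=60 S=0x00 I=6 F=0x0000 T=64
Jan 23 13:07:41 fw kernel: IP fw-in deny eth0 TCP 203.0.113.9:1025 192.0.2.1:25 L=44 S=0x00 I=7 F=0x0000 T=64
"""

# Only TCP/UDP denies carry ports in this assumed layout; ICMP lines are skipped.
DENY_RE = re.compile(
    r"IP fw-in deny (?P<iface>\S+) (?P<proto>TCP|UDP) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+):(?P<sport>\d+) "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+)"
)

def parse_denies(log_text):
    """Yield (src, proto, dport) for every denied TCP/UDP packet in the log."""
    for line in log_text.splitlines():
        m = DENY_RE.search(line)
        if m:
            yield m.group("src"), m.group("proto"), int(m.group("dport"))

def find_port_probes(log_text, threshold=4):
    """Return {src: sorted TCP ports} for sources that were denied on at least
    `threshold` distinct TCP destination ports.  A single stray connection
    attempt (one port) is ordinary noise and is ignored."""
    ports = defaultdict(set)
    for src, proto, dport in parse_denies(log_text):
        if proto == "TCP":
            ports[src].add(dport)
    return {s: sorted(p) for s, p in ports.items() if len(p) >= threshold}

if __name__ == "__main__":
    for src, probed in find_port_probes(SAMPLE_LOG).items():
        print(f"{src} probed {len(probed)} TCP ports: {probed}")
```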