
Re: FVH 2 Jan meeting topic

Quoting "Robert G. (Doc) Savage" <dsavage@peaknet.net>:

> Please elaborate. If by "secure" you mean as tight as NSA's SELinux,
> then I would agree. Ever since Red Hat began its "disabled by default"
> mode when installing most services, its relative security has been quite
> good. Certainly better than any of its competitors.

Okay.  RH boxes may not be as tight as the NSA's distribution, but I'm talking
strictly stock installs.  And, uh, Debian is a hell of a lot more secure than RH
when it comes to stock installs ;)

Slap the installation media into the drive.
Perform an install.
Mash the 'next' button a few times.
Wait for things to copy over.
Reboot the machine.
'Nuff said.

> This is not to say that Red Hat is invulnerable, or can't be installed
> badly. I can tell you that a primary DNS server I installed at a client
> site has survived more than two years of constant, determined attempts
> by hackers from Canada, France, Germany, Russia, and many other places.
> It's running RH7.1 and is NOT protected by a firewall. It WAS set up by
> an RHCE (moi) who knows what he's doing.

Yeah, but not everybody has an RHCE on hand to lock things down.

Now, define firewall here.  If you mean a hardware firewall, I can believe it. 
Just feed some rules through iptables and away you go.  If otherwise, I'd have
to think that the DNS running on that box is secure, which is most likely not
the case if it's BIND8.  In BIND9, they at least fixed *some* of the
vulnerabilities, but not all: my friend's nameserver was recently rooted because
of some attack against his FreeBSD box running BIND9.  And, finally, djbdns, as
far as I know, isn't vulnerable to much of anything.

> When you say you've seen RH boxes cracked into overnight, you really
> should explain what unusual access made this possible. For example, were
> they protected by firewalls as most non-trivial networks are? If not,

Actually, no.  They were left out on the Big Bad Internet with external IPv4
addresses and everything.  No firewalling, no hardening.  Stock installs all around.

> were they "fruit baskets" with every possible RPM installed? Were their
> local consoles accessible? What services were installed and enabled?

They weren't loaded with every imaginable RPM, no.  And, no, their consoles
weren't accessible to any extent: these were truly headless boxes with stock
installs plus Apache.

They had all of the stock crap enabled, plus Apache.  I don't remember the
details (pity I don't have the logs anymore...), but it was cracked into at
4-something in the morning, and I got there at 7:15am to find a machine that was
packeting other hosts on the Internet.

I am, more or less, trying to point out that Red Hat is actually a *bad* choice
for those independent little organizations that're wanting to move over to one
of the free Unices, but don't have an IT staff full of RHCE-certified techs or
someone with at least half a clue about how Unix and security work.

Grar.  I wasted a good long time on this reply.  Let it fly with grace.

Nate Reindl, silug.org's very own anarchist
"Man's a greedy fool!" -- Red Martian
