Re: Disabling netstat

To: Markus Kolb <debian@tower-net.de>
Cc: debian-security@lists.debian.org
Subject: Re: Disabling netstat
From: Tim Nicholas <tim@nicholas.net.nz>
Date: Tue, 22 Apr 2003 02:10:59 +1200
Message-id: <[🔎] 20030421141059.GB7725@nicholas.net.nz>
Mail-followup-to: Tim Nicholas <tim@nicholas.net.nz>, Markus Kolb <debian@tower-net.de>, debian-security@lists.debian.org
In-reply-to: <[🔎] 3EA3E5F6.7000002@tower-net.de>
References: <[🔎] 20030420130651.GA4359@mcgroarty.net> <[🔎] 0304210152380.-1073758512@somehost> <[🔎] 20030421000141.GA24079@mcgroarty.net> <[🔎] 3EA3E5F6.7000002@tower-net.de>

Hello, 
nmap wont tell you the same information as netstat. netstat will say
what connections are in place between the localhost and remote
hosts, and what state they are in. It'll also tell you what ports 
there are servers listening on. That's somthing that nmap could tell
you, but that's very public information anyway.

This is really a matter of limiting the extent to which you are
forced to trust the other users of a system.  The example of
restricting netstat seems to be about not allowing other users to
know what network nodes are being communicated with because it could
be considered personal information. Just as userA shouldn't be able
to see who userB has been emailing.

Thats my 2c anyway.

Tim

On Mon, Apr 21, 2003 at 02:37:10PM +0200, Markus Kolb wrote:
> Brian McGroarty wrote:
> 
> >This sure seems kind of silly... why add all these things into Big
> >Giant Namespace and not honor all of the conventions of the same? I
> >think /proc/* not supporting chmod changes for the duration of a
> >system's uptime could be classified as a bug or a major design
> >flaw. :/
> 
> I say it's the 2nd. It was never the idea in Linux to limit the basic 
> system tools to a few users only.
> Of course it is possible. Perhaps it would be a good idea to implement 
> such security in one of the next kernel versions.
> Many kernel hackers will call it security by obscurity.
> With a correct installation and setup there is no problem when normal 
> users can get information out of procfs.
> Especially disabling netstat with procfs is not the best idea. There are 
> possibilities to get much information without procfs. In my thoughts are 
> utilities like nmap.
> 
> 
> -- 
> To UNSUBSCRIBE, email to debian-security-request@lists.debian.org
> with a subject of "unsubscribe". Trouble? Contact 
> listmaster@lists.debian.org
> 
> 

-- 
Tim Nicholas                          ||              ICQ# 15869961
Email: tim@nicholas.net.nz            ||   Cell/SMS: +64 21 337 204
http://tim.nicholas.net.nz/           ||    Wellington, New Zealand
"Sir, I think you have a problem with your brain being missing."

Reply to:

References:
- Disabling netstat
  - From: Brian McGroarty <brian@mcgroarty.net>
- Re: Disabling netstat
  - From: Cristian Ionescu-Idbohrn <cristian.ionescu-idbohrn@axis.com>
- Re: Disabling netstat
  - From: Brian McGroarty <brian@mcgroarty.net>
- Re: Disabling netstat
  - From: Markus Kolb <debian@tower-net.de>

Prev by Date: Re: Disabling netstat
Next by Date: grsec patch over debian 2.4.20 kernel
Previous by thread: Re: Disabling netstat
Next by thread: grsec patch over debian 2.4.20 kernel
Index(es):
- Date
- Thread