[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Task-harden

Hi!

On  2 Apr, Ola Lundqvist wrote:
|  On Mon, Apr 02, 2001 at 11:58:00AM -0300, DrPablo@mail.com wrote:
|  > tatus: O
|  > Content-Length: 3877
|  > Lines: 110
|  > 
|  > Hello Ola!
|  
|  Hi
|  
|  > | I'm now packaging a task-harden package as I said in some other
|  > | thread. To make this work fine I need some help:
|  > | * What insecure versions of software that should be avoided.
|  > |   So upgrading this package can indicate if you have problems
|  > |   with a package. Yes this will create a _large_ conflicts line... :)
|  > |   Maybe I will split this to a separate package if it gets too
|  > |   complicated. But not yet...
|  > 
|  > 	Let's see: bind, timed (I guess I heard some DoS with
|  > this), slrn, inetd, identd
|  
|  Well bind is hard to replace. Someone was digging up a chrooted
|  one though.

	That would be nice. Have you consider my suggestion of adopting
SubDomain (http://www.immunix.org/subdomain.html) instead of chroot?
I've never used it, and I guess chroot is probably a most common and
known solution, but, anyway, I guess it worth a look.
  
|  timed, dos on the entire machine or just the specific service?

	I have to dig this up: BugTraq emailed me this advisory:
http://www.securityfocus.com/bid/2491 . Take a lok for yourself. Looks
like it comprimises just the time service.
  
|  slrn, isn't that a news reader? suid root or?

	I guess so! (I use nn, BTW). I remember to have an advisory
someplace. As soon as I dig this up you will be notified.

|  identd, already fixed. :)
|   
|  > | * What packages should be avoided.
|  > 
|  > 	Those rsh-things, wu-ftpd, sendmail (of course), mountd (I guess
|  > this one is to damned important to be in this list!), portmapper (I've
|  > heard is will be splitted from netbase in sid) and every RPCs
|  It is splitted out (as far as I can see), and are avoided.

	Thanks God (or its maintainer :) )
  
|  > 	Some of these I listed may belong to the other list above.
|  > 	
|  > | * What packages must be installed (security related).
|  > | * What packages should be installed.
|  > | * What packages can imprive security.
|  > 
|  > 	Tripwire (I guess LIDS or AIDE can be an option to this. You can
|  > make a Require: IDS and Tripwire, AIDE and LIDS may contain a Provide:
|  > IDS. You should contact David Spreen which is maintaining lids, I
|  > guess), qmail or postfix, gnupg, snort, ssh (of course), shadow, PAM
|  > with md5 and cracklib, john (maybe).
|  
|  Added gnupg, john to suggest.
|  
|  is IDS with capital letters?

	I guess so... since it is an abbreviature.
  
|  > | 
|  > | And now some questions (that can be dicussed).
|  > | * I intend to conflict with inetd. Do you think that is ok?
|  > 
|  > 	Great! I hate that godamned thing! Too much exploitable!!! I
|  > guess not so much with tcpd. I guess a good approach (as we could have
|  > some inetd lovers) is to make inetd require tcpd or replace it with
|  > xinetd or tcpserver.
|  
|  Is it inetd that is the prob or the packages that needs it?

	Don't know. There's just too many e-books for script kidies
written (at least in Portuguese) that teaches how to exploit inetd
services. I guess if tcpd is ok, we have nothing to worry (this is why
I use inetd after all. But you bet if we have xinetd or tcpserver
packaged I'd use that).
  
|  Regards,
|  
|  // Ola
|  

	BTW, what do you think of packaging DTK (Deception ToolKit)
(http://all.net/dtk/dtk.html). I don't know about their licensing
issues, but I think it is a good tool.

	[]s

	Pablo
Reply to: