Re: Task-harden
Hi!
On 2 Apr, Ola Lundqvist wrote:
| On Mon, Apr 02, 2001 at 11:58:00AM -0300, DrPablo@mail.com wrote:
| >
| > Hello Ola!
|
| Hi
|
| > | I'm now packaging a task-harden package as I said in some other
| > | thread. To make this work fine I need some help:
| > | * What insecure versions of software that should be avoided.
| > | So upgrading this package can indicate if you have problems
| > | with a package. Yes this will create a _large_ conflicts line... :)
| > | Maybe I will split this to a separate package if it gets too
| > | complicated. But not yet...
| >
| > Let's see: bind, timed (I guess I heard some DoS with
| > this), slrn, inetd, identd
|
| Well bind is hard to replace. Someone was digging up a chrooted
| one though.
That would be nice. Have you considered my suggestion of adopting
SubDomain (http://www.immunix.org/subdomain.html) instead of chroot?
I've never used it, and I guess chroot is probably the most common and
known solution, but, anyway, I guess it's worth a look.
| timed, dos on the entire machine or just the specific service?
I have to dig this up: BugTraq emailed me this advisory:
http://www.securityfocus.com/bid/2491 . Take a look for yourself. Looks
like it compromises just the time service.
| slrn, isn't that a news reader? suid root or?
I guess so! (I use nn, BTW). I remember having an advisory
someplace. As soon as I dig this up you will be notified.
| identd, already fixed. :)
|
| > | * What packages should be avoided.
| >
| > Those rsh-things, wu-ftpd, sendmail (of course), mountd (I guess
| > this one is too damned important to be in this list!), portmapper (I've
| > heard it will be split from netbase in sid) and every RPCs
| It is split out (as far as I can see), and is avoided.
Thank God (or its maintainer :) )
| > Some of these I listed may belong to the other list above.
| >
| > | * What packages must be installed (security related).
| > | * What packages should be installed.
| > | * What packages can improve security.
| >
| > Tripwire (I guess LIDS or AIDE can be an option to this. You can
| > make a Require: IDS and Tripwire, AIDE and LIDS may contain a Provide:
| > IDS. You should contact David Spreen who is maintaining lids, I
| > guess), qmail or postfix, gnupg, snort, ssh (of course), shadow, PAM
| > with md5 and cracklib, john (maybe).
|
| Added gnupg, john to suggest.
|
| is IDS with capital letters?
I guess so... since it is an abbreviation.
| > |
| > | And now some questions (that can be discussed).
| > | * I intend to conflict with inetd. Do you think that is ok?
| >
| > Great! I hate that goddamned thing! Too much exploitable!!! I
| > guess not so much with tcpd. I guess a good approach (as we could have
| > some inetd lovers) is to make inetd require tcpd or replace it with
| > xinetd or tcpserver.
|
| Is it inetd that is the prob or the packages that needs it?
Don't know. There are just too many e-books for script kiddies
written (at least in Portuguese) that teach how to exploit inetd
services. I guess if tcpd is ok, we have nothing to worry about (this is why
I use inetd after all. But you bet if we have xinetd or tcpserver
packaged I'd use that).
| Regards,
|
| // Ola
|
BTW, what do you think of packaging DTK (Deception ToolKit)
(http://all.net/dtk/dtk.html). I don't know about their licensing
issues, but I think it is a good tool.
[]s
Pablo
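As an added illustration (not from this thread or the task-harden package itself), the mechanisms discussed above map onto debian/control like this: a virtual package `ids` that each IDS candidate provides, a versioned Conflicts line against known-vulnerable releases, and Suggests for the optional tools. The version thresholds are placeholders, the Provides stanzas would live in each IDS package's own control file and are shown here only for context, and Debian policy requires package names, virtual ones included, to be lowercase and recommends listing a real package before a virtual one in Depends.

```debcontrol
Package: task-harden
Architecture: all
Depends: tripwire | ids, tcpd
Suggests: gnupg, john, snort
Conflicts: inetd, rsh-server, wu-ftpd,
 bind (<< FIXED-BIND-VERSION),
 timed (<< FIXED-TIMED-VERSION)
Description: hardening meta-package (illustrative placeholder)
 Pulls in an intrusion detection system via the virtual package
 ids and a TCP wrapper, and refuses to coexist with inetd or with
 releases older than the placeholder fixed versions, so that an
 upgrade of this package flags vulnerable software on the system.

Package: tripwire
Provides: ids

Package: aide
Provides: ids
```

Installing such a package with a vulnerable release present makes dpkg report the conflict rather than silently proceeding, which is the indication the thread is after.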