
Re: ALL: PARANOID from /etc/hosts.deny Should be Commented by default

On Fri, Apr 20, 2001 at 09:50:20AM +1000, Sam Couter wrote:
> Adam McKenna <adam@debian.org> wrote:
> > 
> > No, sorry.  Every box connected to the internet does not need a stateful
> > firewall in front of it.  This is an idea that has been propagated by the
> > clueless "security admin" world in order to sell more Checkpoint licenses.
> Wrong. Have you never heard of multiple levels of security?

No, is that a new concept?  *plonk*

> > A web server box running Apache and SSH (only) can be adequately protected by 
> > tcp wrappers if they're configured correctly.  (IE, using IP-based access 
> > rules.)
> s/configured correctly/configured correctly and contain no vulnerabilities/

How is one going to exploit a vulnerability in SSH if the connection is
dropped before they can input any data?

> That bit about no vulnerabilities is important. Don't rely on just one
> method of stopping attacks, because eventually someone will find a way
> around it.

Yes, but no one way is "the answer" that will make things "secure".  That's
what you and the "security experts" don't seem to understand.  "Secure"
doesn't exist.  There's only "as secure as I need it".

> Would you rely solely on an access control directive in Apache to protect
> your server from nasty people? I wouldn't. That leaves you open to any
> vulnerability found in header parsing or the request-response mechanism in
> Apache.

Most web servers on the internet supply public information, thus they must be
reachable by all hosts.  With this in mind I don't see how the above
paragraph is even applicable to the current discussion.

> Maybe TCP-wrappers will become vulnerable to some attack. Then your IP-based
> access lists are moot.

TCP wrappers is vulnerable to attacks.  I don't utilize it at all, because I
consider it to be an insecure piece of shit.  Neither do I utilize Sendmail, 
BIND, inetd, wu-ftpd, or other security disasters.  This thread is about
the Debian default configuration of tcpd, which is currently broken.

> The TCP stack itself in your web server may be vulnerable to attack, in
> which case the attack won't even get as far as TCP-wrappers.
> The best approach to security is to protect yourself from attacks at all
> these levels.
> You seem to show a fundamental lack of understanding of how to properly
> secure a machine connected to the Internet.

You don't know me -- don't presume to know what I do and do not understand.


Adam McKenna  <adam@debian.org>  <adam@flounder.net>
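The thread turns on what the `ALL: PARANOID` line in /etc/hosts.deny actually does once tcpd's IP-based rules are in place. The following is an added illustration, not code from the thread or from the tcp_wrappers package: a small evaluator of hosts.allow/hosts.deny rules that applies tcpd's documented decision order (hosts.allow first, then hosts.deny, otherwise allow) to constructed rule sets and a constructed forward/reverse DNS view. The rule files, the daemon names, the addresses and the `DNS` table are all invented for the example; only the `ALL`, `PARANOID`, leading-octet and net/mask client patterns are modelled, and the compile-time PARANOID check of the real library is left out.

```python
import ipaddress

# Constructed hosts.allow / hosts.deny contents ("daemon_list : client_list").
# The first hosts.deny line mirrors the Debian default argued about in the thread.
HOSTS_ALLOW = """
sshd: 192.168.1. 10.0.0.0/255.0.0.0   # IP-based rules, as the thread suggests
apache: ALL                            # public web server, reachable by everyone
"""
HOSTS_DENY = """
ALL: PARANOID                          # deny clients whose DNS is inconsistent
sshd: ALL                              # deny ssh from anyone not listed above
"""

# Constructed DNS view: address -> (reverse name, forward addresses of that name).
# tcpd's PARANOID wildcard matches a client whose name does not map back to
# its address; addresses with no reverse name at all are not "paranoid".
DNS = {
    "192.168.1.5": ("trusted.example.test", ["192.168.1.5"]),
    "203.0.113.7": ("mismatch.example.test", ["198.51.100.9"]),
    "203.0.113.8": ("clean.example.test", ["203.0.113.8"]),
}


def parse_rules(text):
    """Return [(daemon_patterns, client_patterns), ...], ignoring comments."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        daemons, clients = line.split(":", 1)
        rules.append((daemons.split(), clients.split()))
    return rules


def dns_mismatch(addr):
    """True when the reverse name exists but does not resolve back to addr."""
    name, forward = DNS.get(addr, (None, []))
    return name is not None and addr not in forward


def client_matches(pattern, addr):
    if pattern == "ALL":
        return True
    if pattern == "PARANOID":
        return dns_mismatch(addr)
    if "/" in pattern:                      # net/mask form, e.g. 10.0.0.0/255.0.0.0
        net, mask = pattern.split("/", 1)
        network = ipaddress.IPv4Network(f"{net}/{mask}", strict=False)
        return ipaddress.IPv4Address(addr) in network
    if pattern.endswith("."):               # leading-octets form, e.g. 192.168.1.
        return addr.startswith(pattern)
    return addr == pattern                  # exact address


def daemon_matches(pattern, daemon):
    return pattern == "ALL" or pattern == daemon


def rule_matches(rules, daemon, addr):
    """A rule matches when any daemon pattern and any client pattern match."""
    for daemons, clients in rules:
        if any(daemon_matches(d, daemon) for d in daemons) and \
           any(client_matches(c, addr) for c in clients):
            return True
    return False


def hosts_access(daemon, addr, allow_rules, deny_rules):
    """tcpd decision order: hosts.allow, then hosts.deny, otherwise allow."""
    if rule_matches(allow_rules, daemon, addr):
        return "allow"
    if rule_matches(deny_rules, daemon, addr):
        return "deny"
    return "allow"


ALLOW = parse_rules(HOSTS_ALLOW)
DENY = parse_rules(HOSTS_DENY)


def decide(daemon, addr):
    """Evaluate one incoming connection against the constructed rule files."""
    return hosts_access(daemon, addr, ALLOW, DENY)


if __name__ == "__main__":
    for daemon, addr in [("sshd", "192.168.1.5"), ("sshd", "203.0.113.8"),
                         ("apache", "203.0.113.7"), ("fingerd", "203.0.113.7"),
                         ("fingerd", "203.0.113.8")]:
        print(f"{daemon:8s} from {addr:14s} -> {decide(daemon, addr)}")
```

Two points fall out of running it. First, the address decision is made from the peer address alone, before any service data is involved, which is the property the IP-based rules rely on. Second, `ALL: PARANOID` only ever affects connections that no hosts.allow line has already accepted, and for those it ties access to the consistency of a DNS zone the server operator does not control (the `fingerd` cases differ only in the client's reverse DNS), which is why the thread argues over whether it belongs in a default configuration.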
