
Re: ALL: PARANOID from /etc/hosts.deny Should be Commented by default



Ingo Saitz <Ingo.Saitz@stud.uni-hannover.de> writes:
> On Wed, Apr 18, 2001 at 11:32:48PM -0500, Rahul Jain wrote:
> > the majority of debian users shouldn't be running network services without
> > knowing how to manage security. not-so-good-netadmins should become good so
> > that their networks don't get taken down by the plethora of kiddies out there.
> > As a client, you should demand a good sysadmin.

> So you suggest changing this line to:
> 
> 	ALL: ALL EXCEPT localhost
> 
> I think it should still be allowed to connect from localhost so
> the user can use locally installed services like an http server he
> wishes to play with. And I don't think connections originating
> from localhost should be a problem usually.

Yes, definitely. You should also think about home users. They usually
are not that clueful at security, but more and more of them are sitting
behind a bigger and bigger pipe. Think about all the DSL users, the
cable modem users, yes, even ISDN users.

Also, as those home users are not that vigilant, security-wise, they
are less likely to detect that their box has been rooted. Do you think some
Joe Bloke would use Linux again if he was rooted, his machine abused
for some hacking enterprise, accused of hacking and/or kicked out by
his ISP, because *we* left those services running?

I think it is not too difficult to write a tool that scans the IP
ranges of the big providers and roots every box it finds,
automatically. The problem here is not the individual bandwidth of the
machine, but the bandwidth of all the rooted boxes combined!

Imagine that: some script kiddie cracks 10 boxes, somewhere on the
internet. He installs that scanning software, sets each up to randomly
scan a couple of providers. He finds 1000 boxes and uses them for some
DDoS attack. Just imagine: all those boxes are ISDN. So he has 64
MBits to play with. But the Deutsche Telekom alone has approximately
500k IPs, of which (just a wild guess) 400k are in use at all
times. So he likely finds more than 1000 open boxes. 10k? 100k?

What if he scans one of the big cable modem providers and finds 1000
boxes sitting behind 512kBit pipes? All of a sudden, he has 512 MBits
to play with!

That kind of bandwidth would already threaten a small ISP!

So, configure that box on install as securely as possible, activate
firewall rules on PPP startup (stateful ones if you have kernel 2.4),
block all incoming TCP packets, close up all unneeded UDP ports, make
tcp wrappers deny everything but localhost and run as few daemons
as possible!

Sorry about that rant...

Regards, Ulli

-- 
Ullrich Jans                           Eichenstrasse 4
Tel: +49 89 74427834                   82024 Taufkirchen
Usenet: ujans@ullisys.pond.sub.org     RealUlli@IRCnet
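An added example, not part of the thread: a POSIX sh script that implements the closing checklist of the post above (a tcp wrappers policy admitting only the loopback host, plus a stateful iptables rule set for a PPP link on kernel 2.4). The file locations, the `--apply` flag and the ip-up.d wrapper it assumes are this example's own choices, not anything from the thread.

```shell
#!/bin/sh
# Example hardening script (added here, not from the original post).
# Rule emission is separated from application so the generated rules
# can be reviewed (or tested) before anything touches the system.

# tcp wrappers policy: admit only the loopback address, deny everything else.
# 127.0.0.1 is used instead of the name "localhost" so the decision does not
# depend on a reverse/forward hostname lookup (see hosts_access(5)).
hosts_access_allow() {
    printf 'ALL: 127.0.0.1\n'
}
hosts_access_deny() {
    printf 'ALL: ALL\n'
}

# Emit iptables commands for interface $1 (default ppp0). Policy DROP plus
# explicit drops keeps the intent visible in `iptables -L`; replies to
# connections the box itself opened (TCP, DNS over UDP, ...) are let back in
# by the conntrack state match available since kernel 2.4.
ppp_firewall_rules() {
    iface="${1:-ppp0}"
    cat <<EOF
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i $iface -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i $iface -p tcp --syn -j DROP
iptables -A INPUT -i $iface -p udp -j DROP
iptables -A INPUT -i $iface -p icmp --icmp-type echo-request -m limit --limit 4/s -j ACCEPT
EOF
}

# Write the wrapper files and apply the rule set. Assumed to be called as
#   hardening.sh --apply "$1"
# from a small /etc/ppp/ip-up.d/ wrapper, where $1 is the interface name.
apply_hardening() {
    hosts_access_allow > /etc/hosts.allow
    hosts_access_deny > /etc/hosts.deny
    ppp_firewall_rules "$1" | sh
}

case "${1:-}" in
    --apply) apply_hardening "${2:-ppp0}" ;;
esac
```

Run it without `--apply` to inspect the rules (`. ./hardening.sh; ppp_firewall_rules ippp0`) before installing the wrapper.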


