
RE: Start up scripts




	Henry Hollenberg     speed@barney.iamerica.net 


On Thu, 5 Mar 1998, Meskes, Michael wrote:

> FTP-Proxy suffers from the same problems as passive mode sometimes. Also
> where do you get that proxy software?
> 
> What's the exact risk we take with using a module?

Leaving modules in place makes it easier to modify the kernel's behavior.
Trick the system into uploading a module with bad behavior somehow and
it's possible to move forward with an exploit of this type as the module
"hooks" are in place.

If there are modules with bugs allowing exploits already lying about on
the system, even if you are not using them, they could be "activated" and
used as an avenue of attack.  If you explicitly choose what you want
compiled into the kernel and don't do modules then delete the compiler and
the source code....you've shut down some avenues for attack.

Or at least slowed them down.  I would like for my systems and protocols
on my internal network to be flexible.....but I would like my firewall to
be a bit stiffer....a little harder to work with, sure for me....but them
too.

As far as tools go, we've already discussed putting occasionally needed
tools on floppy or CDROM so they can be popped into the system and used as
needed for upgrades etc and then when thru "unmount" and they're not
available for a cracker.

I think ssh probably will be needed on the system as remote sys-admin
will probably be a must although I think we could do without it at our
site.


But, I'm flexible, if I'm way off base on this modules thing just gang up
on me and I'll fold like a cheap card table :-).

hgh


--
E-mail the word "unsubscribe" to debian-firewall-request@lists.debian.org
TO UNSUBSCRIBE FROM THIS MAILING LIST. Trouble?  e-mail to listmaster@debian.org .
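
The hardening steps described in the message above (a kernel built without module support, no unused modules lying about, no compiler and no kernel source on the firewall) can be checked with a short audit. This is an added example, not part of the original post; the function name `audit_host`, its root-directory argument and the paths it searches are assumptions.

```shell
#!/bin/sh
# Added example: report what is left on a firewall host that the post
# suggests removing. ROOT defaults to / and may point at a mounted image.

audit_host() {
    root=${1:-/}
    root=${root%/}

    # /proc/modules exists only when the running kernel was built with
    # loadable module support (CONFIG_MODULES).
    if [ -e "$root/proc/modules" ]; then
        echo "FINDING: running kernel supports loadable modules"
    fi

    # Installed kernel configs that enable module support.
    for cfg in "$root"/boot/config-*; do
        [ -r "$cfg" ] || continue
        if grep -q '^CONFIG_MODULES=y' "$cfg"; then
            echo "FINDING: $cfg enables CONFIG_MODULES"
        fi
    done

    # Module objects left on disk, used or not (.o on old kernels, .ko now).
    n=$(find "$root/lib/modules" -type f \
            \( -name '*.o' -o -name '*.ko' -o -name '*.ko.*' \) 2>/dev/null |
        wc -l | tr -d ' ')
    if [ "$n" -gt 0 ]; then
        echo "FINDING: $n module file(s) under $root/lib/modules"
    fi

    # Compilers that would let someone build a module on the box.
    for dir in bin usr/bin usr/local/bin; do
        for tool in gcc cc clang; do
            if [ -x "$root/$dir/$tool" ]; then
                echo "FINDING: compiler $root/$dir/$tool present"
            fi
        done
    done

    # Kernel source or header trees.
    for src in "$root"/usr/src/linux*; do
        if [ -d "$src" ]; then
            echo "FINDING: kernel source tree $src present"
        fi
    done
}

# Run as: sh audit.sh --audit [ROOT]
if [ "${1:-}" = "--audit" ]; then audit_host "${2:-/}"; fi
```

No output means none of the four conditions was found under the given root.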

