
Re: Basic question about ipchains being useful



* Julien Dupre (julien_duprefr@yahoo.fr) [010619 14:21]:
> My idea is not to look at security alerts but trust that debian
> maintainers will do it, I have a daily cron job which mails me if
> "apt-get -s upgrade" says something should be upgraded, is this not
> reasonable ?
> Is there any case where a package with a known exploit was not
> upgraded quickly in stable ?

While I do trust the Debian package maintainers and security team a
lot, I'm certainly not content leaving them as my only line of
defense. The administrator for a machine connected to the Internet
should also take on the role of security administrator.

While on the topic, make sure you also include lines for potato
security updates in your /etc/apt/sources.list (and I know I shouldn't
have to ask, but you are running "apt-get update" in that script
before the "apt-get -s upgrade", yes?)

Continuing with ipchains, imagine the analogy of an office building.
Running snort is like installing security cameras, while setting up a
packet filter is like putting up a fence.

> > a2) you get the ability to filter TCP access to BIND right out.
> > Chances are you won't miss it, except for your secondary
> > nameservers.
> 
> I've read that I shouldn't filter out DNS requests for DNS because big
> requests which must be fragmented have to use TCP instead of UDP.

This is why Tim mentioned secondaries. The idea is that ordinary DNS
requests will be small enough to fit into UDP, but your secondary
nameservers will ask to AXFR the entire zone. The zone transfer
request will probably need a TCP connection, but you don't want
anybody but your secondaries to transfer your zones anyway. With
ipchains/iptables, you can allow tcp/53 selectively for your
secondaries and reject/deny/drop it for everyone else.

> I'm thinking at is to deny access to opened services to hosts from
> which snort logged an attack attempt.

I'm not familiar enough with snort, but I know portsentry can do just
that. I've seen it poorly configured to give too many false positives,
though, so be very careful what you block based on
portsentry's/snort's findings. Remember that those things can be
spoofed: you don't want a drastic reaction to a portscan spoofed to
look like it comes from your nameserver.

> I just rely on having most recent versions installed and be confident
> but for zero day exploits ?

You can if you like, but realize that it's not foolproof. In
continuing the office building analogy, it's like saying you don't
need the fence because the police will catch all the bad guys --
that's what they're there for, right?

You are entitled to whatever level of security you see fit, and there
is such a thing as too much security, but for most people on this
list, I think, your approach would be considered a little too lax.
Again, if it works for you, it may just be good enough, but if it were
my system I'd be a bit more careful.

Vineet
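The selective tcp/53 policy described above, written out as an added example in iptables syntax (this is not from the original mail, and ipchains uses a different syntax): udp/53 stays open for ordinary queries, tcp/53 is accepted only from the listed secondaries and logged and dropped for everyone else. The nameserver and secondary addresses are constructed placeholders; set APPLY=1 as root to load the rules, otherwise the script only prints them.

```bash
#!/bin/sh
# Added example, not part of the original mail. Builds a dedicated
# iptables chain for DNS on the primary nameserver:
#   - udp/53 from anywhere (ordinary queries fit in UDP)
#   - tcp/53 only from the secondaries (AXFR needs a TCP connection)
#   - tcp/53 from anyone else is rate-limited-logged, then dropped
# Addresses below are constructed placeholders: edit them for your site.
IPT="${IPT:-iptables}"
NS_IP="192.0.2.53"                       # constructed: the primary's address
SECONDARIES="198.51.100.2 203.0.113.2"   # constructed: secondary nameservers

# build_dns_rules: issue the rules through $IPT (iptables, or echo for a dry run)
build_dns_rules() {
    # Keep the whole DNS policy in its own chain; flush it if it already exists.
    $IPT -N DNS_IN 2>/dev/null || $IPT -F DNS_IN
    # Ordinary queries: udp/53 from anywhere.
    $IPT -A DNS_IN -p udp --dport 53 -j ACCEPT
    # Zone transfers: tcp/53 accepted only from our own secondaries.
    for sec in $SECONDARIES; do
        $IPT -A DNS_IN -p tcp -s "$sec" --dport 53 -j ACCEPT
    done
    # Anyone else asking for tcp/53: log (rate-limited so a scan cannot
    # flood the log) and drop. The log prefix is what the admin greps for.
    $IPT -A DNS_IN -p tcp --dport 53 -m limit --limit 5/min \
        -j LOG --log-prefix "DNS-TCP-DROP: "
    $IPT -A DNS_IN -p tcp --dport 53 -j DROP
    # Hand DNS traffic addressed to the nameserver over to the chain.
    $IPT -A INPUT -d "$NS_IP" -p udp --dport 53 -j DNS_IN
    $IPT -A INPUT -d "$NS_IP" -p tcp --dport 53 -j DNS_IN
}

# dry_run_rules: print the rules instead of loading them (subshell keeps
# the IPT override from leaking into the caller's environment).
dry_run_rules() {
    ( IPT=echo; build_dns_rules )
}

# Only touch the kernel when explicitly asked to; otherwise show the rules.
if [ "${APPLY:-0}" = "1" ]; then
    build_dns_rules
else
    dry_run_rules
fi
```

Rule order matters: the per-secondary ACCEPT lines must precede the catch-all DROP, which is why they are added first.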
