From: Brian Furry <email@example.com>
Date: Fri, 3 May 2002 18:14:15 -0400 (EDT)
Received: from [126.96.36.199] by hotmail.com (3.2) with ESMTP id
MHotMailBE9C5876007E4004325E417D408606C30; Fri, 03 May 2002 15:21:42 -0700
Received: (qmail 3047 invoked by uid 38); 3 May 2002 22:14:31 -0000
Received: (qmail 2733 invoked from network); 3 May 2002 22:14:21 -0000
Received: from lithium.nac.net (188.8.131.52) by murphy.debian.org with
SMTP; 3 May 2002 22:14:21 -0000
Received: (qmail 99879 invoked from network); 3 May 2002 22:14:19 -0000
Received: from unknown (HELO euler.nac.net) (184.108.40.206) by mail.nac.net
with SMTP; 3 May 2002 22:14:19 -0000
Received: from brian (helo=localhost)by euler.nac.net with local-esmtp
(Exim 3.12 #1 (Debian))id 173lJh-00007l-00for
<firstname.lastname@example.org>; Fri, 03 May 2002 18:14:17 -0400
From bounce-debian-security Fri, 03 May 2002 15:23:19 -0700
Sender: Brian Furry <email@example.com>
X-Spam-Status: No, hits=0.0 required=4.7 tests= version=2.01
X-Mailing-List: <firstname.lastname@example.org> archive/latest/7106
I am in the process of getting a debian server in the high school that I
teach in. The network admin is concerned about the security of the
exsisting Novell Server, border manager, etc. Our ISP is very picky
about not hogging more bandwidth than we are suppossed to use.
I have been carefully pushing for a debian linux server for about 3 years
and now I am very close to getting one for my students to program on. The
network admin is the last person I need to sign off on....
Below is a message from him, that I need to reply to in order for him
to sanction the machine. I would like some help in creating a reponse
to sooth his anxiety and fears.
I have described the Linux project, its uses, and its physical placement
within our network, to four knowledgeable people, and asked for their
thoughts and recommendations.
A. Partner in a consulting company based in Hunterdon County. Their
mission is to encourage Linux use in small/medium companies.
B. Lt. Col. (ret.) USAF, now a contractor for the Air Force (process
compliance and Unix network administrator)
C. Network technician. This person builds wide-area networks for
corporations and financial institutions
D. Computer consultant. This person has extensive employment experience
(programming, documentation, database, networking) with HP, Agilent, and
others. Husband and brother also do design work for top computer firms.
They all insisted that a dedicated firewall is a requirement. They are
unanimous in their exhortation that the server be properly secured. "B"
gave specific items to examine in this regard, and "A" offered to scan it
from inside and outside our building.
"A," "B," and "C" state that, even if it IS properly secured, this does
not prevent some types of malicious behavior. "A" and "B" think that the
risk is no greater than our current setup, while "C" has reservations that
we should not increase our susceptibility, and that the 24-hour
availability of this server leaves us open to mischief.
I share "C"'s concern. In-school computer use is subject to various
controls, not the least of which is teacher oversight. By design, a
publicly accessible server on which students can run their own programs at
3 a.m. lacks this important security.
In light of this last point, let me pose a situation: A student loads and
runs a program onto this Linux server which then launches attacks on other
computers or routers on the Internet. Such attacks could be as simple as
participating in a Denial-of-Service attack. In our earlier meeting, you
said that proper settings, permissions, and restrictions could prevent
Since this is one of the situations for which I am most concerned, can you
give me (in excruciating detail) the steps which would prevent this?
Brian R. Furry email@example.com
The Power of Open Source can only give the people what
they so richly deserve ...
stable and flexible computing
Debian/GNU Linux www.debian.org
To UNSUBSCRIBE, email to firstname.lastname@example.org
with a subject of "unsubscribe". Trouble? Contact