
Re: secure installation

On Thu, August 16, 2007 17:42, Russ Allbery wrote:
> "R. W. Rodolico" <rod@dailydata.net> writes:
>> At this point, I disagree. Unfortunately, I have to point to some of
>> the user oriented firewalls you get for windoze (which, to my knowledge,
>> Linux does not have). When they are installed, they shut down basically
>> everything incoming, and all but a few standard outgoing ports (http,
>> smtp, pop and imap). When an application tries to go out of another
>> port, a pop-up informs the user and they can choose to accept, accept
>> or reject, with a "forever" modifier on both, and the firewall changes
>> its rules appropriately.
>> For un-informed users, this is a good thing.
> Well, I certainly disagree that the pop-up prompts are at all useful or
> offer any real security.  Time and time again, studies of user interaction
> with security software have shown that this sort of security interaction
> is essentially useless.

I realize many users just press the "ok" button and go on with it. I have
no hope for them, but for the users who might actually understand what is
going on. I just think for the "normal" user, this is more realistic than
viewing log files.

> The only thing here that offers any real security protection is the
> default denial of all incoming traffic.  And that just returns to my
> previous point, which is that the best and safest way to do that is to
> not listen to network traffic in the first place, rather than installing
> some daemon that listens to network traffic and then turning it off with a
> firewall.  It's making the decision in the wrong place, and it's simply
> sloppy security thinking.
>> But, even without the interaction of some of the Windows firewalls,
>> just installing one of the firewall builders available on the
>> workstation distros at least gives them some protection.
> No, it doesn't.  What offers *real* protection is the fact that both
> Debian and Ubuntu don't run services that listen to the network on a
> default installation.

Actually, you and I do agree completely on this. First thing I do on a
Debian install is shut down tons of services that Debian installs by
default. I understand the reasoning behind it, just don't agree with that
reasoning. And, I checked out Kubuntu and was pleased that it did not
install these (apparently).

Firewalls are for a stupidity shield. I had a situation where I was
cracked on one of my servers a few years ago. It was totally my fault; I
had a user I had mistakenly set up as an authorized ssh user who
shouldn't have been. Their account was cracked, then the cracker got root
access and installed a daemon that was ready to attack another server.

My firewall gave one yelp, the cracker realized what was going on and told
the firewall to shut up, basically. However, I got that one yelp from the
firewall, investigated, and fixed the issue.

A firewall is not, by any stretch of the imagination, the security for a
server. Security for a server is, as you say, not running services that
are not necessary. However, a firewall is for people like me, who make
mistakes and, in so doing, create a security problem.

> --
> Russ Allbery (rra@debian.org)               <http://www.eyrie.org/~eagle/>

R. W. "Rod" Rodolico
Daily Data, Inc.
POB 140465
Dallas  TX  75214-0465

This is a private e-mail address for use only by clients of Daily Data.
Please do not forward or give out this e-mail address to anyone.
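
The check both posters treat as the real protection (which services are actually listening on the network) can be run directly; this is an added example, not part of the original message. It parses the Linux /proc/net/tcp table and reports LISTEN sockets bound to anything other than loopback. The sample table is constructed, the function names are hypothetical, and the decoding assumes a little-endian host and IPv4 only (/proc/net/tcp6 is not covered).

```python
import ipaddress
import struct

TCP_LISTEN = "0A"  # state code for LISTEN in /proc/net/tcp

# Constructed sample in /proc/net/tcp layout (not captured from a real host).
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1001 1
   1: 0100007F:0019 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1002 1
   2: 0500A8C0:006F 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1003 1
   3: 0500A8C0:0016 6400A8C0:D431 01 00000000:00000000 02:000A0000 00000000     0        0 1004 1
"""


def decode_addr(field):
    """Decode 'HEXIP:HEXPORT' as printed by a little-endian kernel."""
    hex_ip, hex_port = field.split(":")
    # The kernel prints the 32-bit address as a native integer, so on a
    # little-endian host the bytes must be reversed to get network order.
    ip = ipaddress.IPv4Address(struct.pack("<I", int(hex_ip, 16)))
    return ip, int(hex_port, 16)


def exposed_listeners(proc_net_tcp):
    """Return sorted (ip, port) pairs for LISTEN sockets reachable off-host."""
    found = []
    for line in proc_net_tcp.splitlines()[1:]:  # skip the header row
        cols = line.split()
        if len(cols) < 4 or cols[3] != TCP_LISTEN:
            continue  # established or otherwise non-listening socket
        ip, port = decode_addr(cols[1])
        if ip.is_loopback:
            continue  # bound to 127.0.0.0/8: not reachable from the network
        found.append((str(ip), port))
    return sorted(found)


if __name__ == "__main__":
    try:
        with open("/proc/net/tcp") as fh:
            table = fh.read()
    except OSError:
        table = SAMPLE  # fall back to the constructed sample off Linux
    for ip, port in exposed_listeners(table):
        print(f"{ip}:{port}")
```

An entry bound to 0.0.0.0 listens on every interface; anything this prints that is not needed is a service to stop or rebind to loopback rather than one to hide behind a packet filter.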
