Re: secure installation
On Thu, August 16, 2007 17:42, Russ Allbery wrote:
> "R. W. Rodolico" <email@example.com> writes:
>> At this point, I disagree. Unfortunately, I have to point to some of
>> the user oriented firewalls you get for windoze (which, to my knowledge,
>> Linux does not have). When they are installed, the shut down basically
>> everything incoming, and all but a few standard outgoing ports (http,
>> smtp, pop and imap). When an application tries to go out of another
>> port, a pop-up informs the user and they can choose to accept, accept
>> or reject, with a "forever" modifier on both, and the firewall changes
>> its rules appropriately.
>> For un-informed users, this is a good thing.
> Well, I certainly disagree that the pop-up prompts are at all useful or
> offer any real security. Time and time again, studies of user interaction
> with security software have shown that this sort of security interaction
> is essentially useless.
I realize many users just press the "ok" button and go on with it. I have
no hope for them, but for the users who might actually understand what is
going on. I just think for the "normal" user, this is more realistic than
viewing log files.
> The only thing here that offers any real security protection is the
> default denial of all incoming traffic. And that just returns to my
> previous point, which is that the best and safest way to do that is to
> not listen to network traffic in the first place, rather than installing
> some daemon that listens to network traffic and then turning it off with a
> firewall. It's making the decision in the wrong place, and it's simply
> sloppy security thinking.
>> But, even without the interaction of some of the Windows firewalls,
>> just installing one of the firewall builders available on the
>> workstation distro's at least gives them some protection.
> No, it doesn't. What offers *real* protection is the fact that both
> Debian and Ubuntu don't run services that listen to the network on a
> default installation.
Actually, you and I do agree completely on this. First thing I do on a
Debian install is shut down tons of services that Debian installs by
default. I understand the reasoning behind it, just don't agree with that
reasoning. And, I checked out Kubuntu and was pleased that it did not
install these (apparently).
Firewalls are for a stupidity shield. I had a situation where I was
cracked on one of my servers a few years ago. It was totally my fault; I
had a user I had mistakingly set up as an authorized ssh user who
shouldn't have been. Their account was cracked, then the cracker got root
access and installed a daemon that was ready to attack another server.
My firewall gave one yelp, the cracker realized what was going on and told
the firewall to shut up, basically. However, I got that one yelp from the
firewall, investigated, and fixed the issue.
A firewall is not, by any stretch of the imagination, the security for a
server. Security for a server is, as you say, not running services that
are not necessary. However, a firewall is for people like me, who make
mistakes and, in so doing, create a security problem.
> Russ Allbery (firstname.lastname@example.org) <http://www.eyrie.org/~eagle/>
> To UNSUBSCRIBE, email to debian-security-REQUEST@lists.debian.org
> with a subject of "unsubscribe". Trouble? Contact
R. W. "Rod" Rodolico
Daily Data, Inc.
Dallas TX 75214-0465
This is a private e-mail address for use only by clients of Daily Data.
Please do not forward or give out this e-mail address to anyone.