What Linux tools and security??
Comments
-
This is where you are (probably) most wrong - because it means that you have assumed that whoever wrote the code that underlies that service has not made any mistakes. This includes mistakes that have already been discovered, and mistakes that might be discovered at some point in the future.
No, I wasn't assuming that. I was referring to the configuration files for the service. For example CUPS is configured to only accept local requests. Mail servers only send and receive locally and will not relay mail. Installing them, even inadvertently, is safe.
Serious security holes in the actual software are a different matter. But we do not worry because there are none in an up-to-date Ubuntu install.
-
JustPassingBy wrote: »Of course not. We can only fix known potential exploits.
So it would make good sense to drop packets coming in to the INPUT chain from the outside world as a precaution, yes?
JustPassingBy wrote: »Stopping an unnecessary or unwanted service is good practice. Doing so closes the port. Firewalls don't come into it.
Supposing you want to run CUPS and you can't be sure it is secure - would it not be best practice to use a firewall rule to drop traffic on port 631, yes?
The firewall *very* much comes into it. It has no issue with local traffic, because as I'm sure you know, locally submitted packets for 127.0.0.1:631 will, unless my memory fails me, arrive in the *output* chain and thus:
iptables -A INPUT -p tcp -i eth0 --dport 631 -j DROP
Will block the outside world from 631, but allow localhost full access to it. Or, *and here is the crunch* if you are new to Linux and looking to add a layer of security - for best practice - something like Firestarter will take care of closing everything for you.
Tell me - do you consider that to be sane and sensible given that daily exploits are found in Linux and its associated applications? I put it to you it is good practice and whilst we can argue about the theoretical until the cows come home, for the OP reading this and thinking much of it to be Chinese, it makes sense.
JustPassingBy wrote: »Serious security holes in the actual software are a different matter. But we do not worry because there are none in an up-to-date Ubuntu install.
Again, that is not correct. Today - Thunderbird on 10.4 is discovered to have vulnerability which could result in a DoS/ACE. I'm sure you'll see a patch very shortly, but at this time it has a vulnerability. Again, don't assume Linux to be the ethereal safe operating system. It's good, but *not* without its warts and requires good practice and sensible security steps - just like any other operating system. Assumption is a dangerous thing.
LINK
http://seclists.org/fulldisclosure/2010/Jul/970 -
JustPassingBy wrote: »But we do not worry
IMO this reference to "we" gives a clue as to where you are going wrong.
Quite rightly you have made your own personal assessment of risk from what you know about your own personal circumstances, and you have used this to make decisions about what countermeasures you should take.
Your mistake is to generalise this and present it as suitable for "us". But some of the assumptions that you make about yourself may not be right for others. For example, you seem to assume that the general user will be downloading and installing updates for their OS - but they may not be.
In truth, we probably don't have any reason to disagree. Mr_Oink is presenting an approach which makes fewest assumptions and would be considered "best security practice" that can be used in the widest range of circumstances. What you are presenting is an approach that most ordinary users will be fine with most of the time.
60+ posts and 4 pages, but the OP has not been back as far as we know...
-
So it would make good sense to drop packets coming in to the INPUT chain from the outside world as a precaution, yes?
So you DROP or REJECT packets 'just in case'. Cripple your machine because certain parts of the software industry have wares to peddle and have succeeded in promoting firewalls as the epitome of security.
There is a place for packet filtering but a single machine on the internet running Linux (or, I suspect, Windows) has no use for it. If your software is up-to-date and services are correctly configured this is the best you can do. Why waste time and effort on 'precautions' when you have already taken them?
Supposing you want to run CUPS and you can't be sure it is secure - . . . . . . .
Make yourself sure. Read the security and bug reports. Alternatively, just keep the system up-to-date. This is what most people, including myself, do. Being up-to-date is easy, satisfying and gives 99.9999999% security.
Tell me - do you consider that to be sane and sensible given that daily exploits are found in Linux and its associated applications? I put it to you it is good practice and whilst we can argue about the theoretical until the cows come home, for the OP reading this and thinking much of it to be Chinese, it makes sense.
Exploits are found daily, true. All are fixed within days. What's the problem? Find exploit. Fix it. Isn't that the name of the game?
Again, that is not correct. Today - Thunderbird on 10.4 is discovered to have vulnerability which could result in a DoS/ACE. I'm sure you'll see a patch very shortly, but at this time it has a vulnerability.
I'll repeat: Up-to-date Ubuntu has no security issues. So the version of Thunderbird is not up-to-date. In what way am I incorrect?
-
Exploits being found by black hats and exploits being found and made public by white hats, and fixed, are two different things.
Having a properly setup firewall does no harm, and it protects you for the time in between an exploit being discovered and it being fixed.
It's good procedure to apt-get update+upgrade regularly, but for the times you forget, and the times in between things being patched, a firewall can save your bacon.
Arguing that they're useless is absolute nonsense.
They say it's genetic, they say he can't help it, they say you can catch it - but sometimes you're born with it
-
IMO this reference to "we" gives a clue as to where you are going wrong.
Not really. It's in common use in my part of the world and intended, in part, to be jocular and invite a response.
60+ posts and 4 pages, but the OP has not been back as far as we know...
He's fallen off the edge of the world. Or, heaven forbid, was he a troll?
Meanwhile, tweeter has installed firestarter. She thinks it is doing something. Blocking connections to her machine, maybe. Protecting her from the internet.
It isn't. Its only function at present is to be taking up disk space.
-
weegie.geek wrote: »Exploits being found by black hats and exploits being found and made public by white hats, and fixed, are two different things.
I'm a black hat. I've just found a deficiency in exim4 which allows mail to be relayed to any domain I want. Now what should I do? Use it to relay mail through brian's machine (brian???) - or should I go for an ISP which uses that version of the software.
OK. You've got the right answer. I went for the ISP. But they noticed, and now there is a fixed version of the software out. Damn.
My friend went for brian, ann, judith and a few others but very soon someone noticed and now there is a fixed version of the software out. Damn.
Having a properly setup firewall does no harm, and it protects you for the time in between an exploit being discovered and it being fixed.
No it doesn't. But if you explain why it does I'll explain why it doesn't.
It's good procedure to apt-get update+upgrade regularly, but for the times you forget, and the times in between things being patched, a firewall can save your bacon.
If you forget for a short time it's not likely to be of any great consequence.
Arguing that they're useless is absolute nonsense.
Firewalls? Useless? Never! Only if you have a single machine or a small number of machines on the internet.
-
How soon someone fixes the security hole isn't the point. Say we're talking about whatever SSH daemon I happen to be running.
Someone discovers an exploit. Mine's locked down using iptables to only allow certain IPs to connect to it in the first place. Chances are nobody at the three IP addresses allowed to connect to that box via SSH is gonna try to hack it. It gets patched the next day.
If mine isn't locked down anyone can attempt to connect, possibly exploiting the vulnerability. Why take the chance?
Lots of end-users aren't going to notice people brute-forcing them, never mind using a 0day exploit.
They say it's genetic, they say he can't help it, they say you can catch it - but sometimes you're born with it
-
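Added example, not part of any post in this thread: a small Python model of first-match evaluation on the INPUT chain, applied to the port 631 rule posted earlier and to an SSH allow-list of the kind described in the post above. The three allowed addresses, the sample packets and the ACCEPT chain policy are constructed assumptions, and only the `-p`, `-i`, `-s`, `--dport` and `-j` options are modelled.

```python
import ipaddress
import shlex

FLAGS = {"-p": "proto", "-i": "iface", "-s": "src", "--dport": "dport", "-j": "target"}

def parse_rule(line):
    """Parse one `iptables -A INPUT ...` line into a dict of match fields."""
    rule = dict.fromkeys(FLAGS.values())
    tokens = shlex.split(line)
    for flag, value in zip(tokens, tokens[1:]):
        if flag in FLAGS:
            rule[FLAGS[flag]] = value
    rule["src"] = ipaddress.ip_network(rule["src"]) if rule["src"] else None
    rule["dport"] = int(rule["dport"]) if rule["dport"] else None
    return rule

def packet(iface, src, dport, proto="tcp"):
    """Build a constructed inbound packet as the INPUT chain would see it."""
    return {"iface": iface, "src": ipaddress.ip_address(src), "dport": dport, "proto": proto}

def matches(rule, pkt):
    """A rule matches when every field it specifies agrees with the packet."""
    exact = all(rule[f] in (None, pkt[f]) for f in ("proto", "iface", "dport"))
    return exact and (rule["src"] is None or pkt["src"] in rule["src"])

def verdict(rules, pkt, policy="ACCEPT"):
    """First matching rule wins; otherwise the chain policy applies."""
    for rule in rules:
        if matches(rule, pkt):
            return rule["target"]
    return policy

# First rule is the one posted in the thread; the SSH allow-list is constructed.
RULES = [parse_rule(r) for r in (
    "iptables -A INPUT -p tcp -i eth0 --dport 631 -j DROP",
    "iptables -A INPUT -p tcp -s 192.0.2.10 --dport 22 -j ACCEPT",
    "iptables -A INPUT -p tcp -s 192.0.2.11 --dport 22 -j ACCEPT",
    "iptables -A INPUT -p tcp -s 192.0.2.12 --dport 22 -j ACCEPT",
    "iptables -A INPUT -p tcp --dport 22 -j DROP",
)]

if __name__ == "__main__":
    for name, pkt in (
        ("CUPS from the LAN via eth0", packet("eth0", "198.51.100.7", 631)),
        ("CUPS from localhost via lo", packet("lo", "127.0.0.1", 631)),
        ("SSH from an allowed address", packet("eth0", "192.0.2.11", 22)),
        ("SSH from anywhere else", packet("eth0", "203.0.113.50", 22)),
    ):
        print(f"{name:30} -> {verdict(RULES, pkt)}")
```

Because the first match wins, moving the catch-all port 22 DROP ahead of the ACCEPT lines would lock out the allowed addresses as well.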
weegie.geek wrote: »How soon someone fixes the security hole isn't the point.
It's entirely the point. If an exploit is fixed within a week (say) you'd be happy. If it took two years you might be a little disgruntled.
What makes you think the time to fix a security hole is of no consequence?
This discussion has been closed.