[2193] in linux-security and linux-alert archive


[linux-security] Re: You got some 'splaininn to do Lucy ;-)

daemon@ATHENA.MIT.EDU (macker)
Mon Aug 2 02:49:37 1999

Date: Sat, 31 Jul 1999 10:50:38 -0700 (PDT)
From: macker <macker@netmagic.net>
To: Erik Espinoza <espinoza@thecity.sfsu.edu>
cc: linux-security@redhat.com
In-Reply-To: <4.2.0.58.19990731084050.00959c10@terran.landshark.net>
Resent-From: linux-security@redhat.com
Resent-Reply-To: linux-security@redhat.com

On Sat, 31 Jul 1999, Erik Espinoza wrote:

> Compiling your setuid root programs (or programs that run as root) with 
> stackguard and using the Solar Design secure-linux patch can greatly add to 
> your system. Making buffer overflows extremely hard, if possible, to do. 
> That combined with tripwire can be a hard to beat solution. Caveat: Solar 
> Design's patch only works with latest 2.0.x kernel.

stackguard, and the non-executable stack kernel patch, are effective
deterrents, but should not be relied upon.  i'm not personally familiar
with stackguard, however i know that the kernel patch is not too hard to
defeat .. i've seen various exploits in use that include code to get
around it.

while doing things such as recompiling suid progs with stackguard would
probably be very good for helping to stop suid intrusions, and tripwire
can catch the rootkit kiddies in a heartbeat, this still doesn't help with
the great number of admins out there who install redhat, ftp in html
files for a website, and assume it's ready to go on the internet.  or,
worse, the ones who monkey with things and end up reducing security, often
in trying to make things easier for themselves (e.g. rhosts, netrc, etc.)

if a portscan was done on every static box on the internet, i imagine the
windows boxes would have the least open ports, the solaris/bsd boxes would
come in second, and linux boxes would come in last.

ah well .. perhaps it'd be helpful if something were added to the install
routine, when configuring a network interface, a "readme.security" file be
brought up, notifying the user that he/she *really* should read through
it, and modify inetd.conf, hosts.deny, consider installing sshd, etc.

*clink clink crash*  (2 cents, and a solaris manual)

-macker, patiently awaiting the flood of 'unable to deliver'/'hi, i'm on
vacation' messages. :)

-- 
----------------------------------------------------------------------
Please refer to the information about this list as well as general
information about Linux security at http://www.aoy.com/Linux/Security.
----------------------------------------------------------------------

To unsubscribe:
  mail -s unsubscribe linux-security-request@redhat.com < /dev/null
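As an added example (not from the original post or the list): a small POSIX sh audit for the two files the post tells a fresh install to look at. It lists the services inetd would still start, which of them run as root, and whether hosts.deny carries a default-deny line; the inetd.conf and hosts.deny contents are constructed inline so it runs offline, and the helper names are my own.

```shell
#!/bin/sh
# Audit helpers for inetd.conf and hosts.deny. The two SAMPLE_* strings are
# constructed stand-ins for the real files so the script runs without root.

# constructed sample inetd.conf: ftp/telnet/finger enabled, pop-3 commented out
SAMPLE_INETD='# <service> <socket> <proto> <flags> <user> <server_path> <args>
ftp     stream  tcp     nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd
#pop-3  stream  tcp     nowait  root    /usr/sbin/tcpd  ipop3d
finger  stream  tcp     nowait  nobody  /usr/sbin/tcpd  in.fingerd'

# constructed sample hosts.deny: the default-deny line is still commented out
SAMPLE_DENY='# hosts.deny
# ALL: ALL'

# Print the service names inetd would actually start: comment lines and
# anything too short to be a full entry are skipped.
enabled_inetd_services() {
    printf '%s\n' "$1" | awk '!/^[ \t]*#/ && NF >= 6 { print $1 }'
}

# Print only the enabled services whose server is started as root (field 5).
root_inetd_services() {
    printf '%s\n' "$1" | awk '!/^[ \t]*#/ && NF >= 6 && $5 == "root" { print $1 }'
}

# Exit 0 if hosts.deny has an uncommented "ALL: ALL" line, 1 otherwise.
hosts_deny_is_default_deny() {
    printf '%s\n' "$1" | grep -Eq '^[[:space:]]*ALL[[:space:]]*:[[:space:]]*ALL'
}

# Human-readable report over the constructed samples.
audit_report() {
    echo "Enabled inetd services:"
    enabled_inetd_services "$SAMPLE_INETD" | sed 's/^/  /'
    echo "Enabled services running as root:"
    root_inetd_services "$SAMPLE_INETD" | sed 's/^/  /'
    if hosts_deny_is_default_deny "$SAMPLE_DENY"; then
        echo "hosts.deny: default deny present"
    else
        echo "hosts.deny: no 'ALL: ALL' line, so tcp_wrappers admits any host not matched in hosts.allow"
    fi
}

audit_report
```

Point the two helpers at the real files with `"$(cat /etc/inetd.conf)"` and `"$(cat /etc/hosts.deny)"` to run it against a live box.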
