I have been following this thread all day with equal amounts of amusement and contempt. First of all, let me say that I by no means think that firewalls are the silver bullet solution for network security. As others have pointed out, firewalls can cause a false sense of security in some cases. However, saying that Redhat is "secure enough" out of the box is like saying that the locks on my car are good enough, so why should I have an alarm? The answer is because it makes the other guy (the one with no alarm [firewall]) an easier target. Face it, if I have a decent firewall in place that drops all incoming packets and you have even a single port open, then you are going to be the target and I am not.
Also, the attitude that "Windows sucks and Linux rocks" is the kind of elitist notion that drives many potential Linux converts back to Windows. It sounds like you have blind faith in an operating system that is equally capable of being cracked. Again, don't get me wrong. My non-Windows boxes outnumber my Windows machines 4 to 1, but that doesn't mean that Windows is not the right tool for certain jobs. Just my 2 pennies.

--
Shannon Neumann
Neumannweb Computers
www.neumannweb.net

> I would agree that there is something to be said for learning to batten
> down your Linux boxen. However, keeping things behind a firewall is
> just good practice. Yes, it may give one a false sense of security, but
> it also gives one a safe place to learn and grow; i.e. behind the
> firewall. With a firewall, you can limit the ports available from the
> outside straight away. True, you can do that with a Linux box from the
> outset, but there may be things you want to do in the meantime that
> require those services. I think in general, having a firewall in place
> is always a plus, and having more of them limits the number of hacked
> boxes and launching pads for other exploits. No, it's not a cure-all, as
> so many have pointed out. But I'd still recommend everyone having one.
>
> <<JAV>>
>
>> On Thu, 2003-02-13 at 15:18, Bill Anderson wrote:
>> > On Thu, 2003-02-13 at 12:01, Kent Borg wrote:
>> > > On Thu, Feb 13, 2003 at 11:58:58AM -0600, Dave Ihnat wrote:
>> > > > On Thu, Feb 13, 2003 at 10:02:54AM -0500, Kent Borg wrote:
>> > > > > On Thu, Feb 13, 2003 at 07:56:23AM -0600, Dave Ihnat wrote:
>> > > > > > We all urgently push you to implement a firewall...any
>> > > > > > firewall...
>> > > > >
>> > > > > No we don't (with or without smilies), I do not advise a
>> > > > > firewall unless you are trying to protect some MS Windows
>> > > > > garbage and that is a losing battle you are better off not
>> > > > > trying to fight.
>> > > > > <<Rest of message elided>>
>> > > >
>> > > > With all due respect, not only is that a very misguided
>> > > > attitude, it's a dangerous one to promulgate.
>> > >
>> > > First, a point of order: if you are sincere about the "with all
>> > > due respect" part, then don't suggest that I am a cracker.
>> > >
>> > > > Read what you said
>> > >
>> > > I wrote a short post describing how to make and keep a Red Hat
>> > > system secure. I glossed over some details, but I still think it
>> > > was pretty good, and damn specific, given how short it was.
>> >
>> > My problem with the method you propose is that it requires you to be
>> > able to determine vulnerabilities before they happen. Say you are
>> > attending a Linux Expo, or some other event that takes you away from
>> > your machine(s) for the day. That morning a vulnerability is
>> > announced that has an exploit. Your machine(s) is(are) vulnerable
>> > until you update it, if it is a network-exploitable vulnerability.
>> >
>> > Specific? Well, do you like to print, and run lpd? It's had problems
>> > in the past.
>> >
>> > > You assert that it won't work. OK, be specific. Reread what I
>> > > posted. Assume that such a RH 7.0 system has been on the
>> > > internet, maintained as I described, without a firewall, for the
>> > > last two years. Tell me how it got rooted during that time. Be
>> > > specific.
>> >
>> > Its maintainer was at work, and it was a home machine running the
>> > vulnerable LPRng, and did not update the machine until they were a)
>> > aware of the problem, and b) able to update to a fixed version. For
>> > example: http://rhn.redhat.com/errata/RHSA-2002-089.html
>> >
>> > An example clipped from an incident report:
>> > --------------------------
>> > Port 515 on our network was scanned from uiowa.edu over the weekend.
>> > Here's some information on the LPRng exploits attempted against
>> > several RedHat Linux 7.x hosts. The intruder attempts to create a
>> > file called /dev/whoa/reg. It looks like they intend for reg to
>> > open port 8282 with root privileges. They then edit the xinetd.conf
>> > file and restart xinetd to open the port. Evidence of these changes
>> > was cleared from compromised hosts once the intruder installed his
>> > kit. A password-protected guest account with a GID of 0 was created
>> > on one compromised host. The following files were also changed: du,
>> > find, ls, netstat, passwd, ping, psr, and su.
>> > -----------------
>> >
>> > Running X-Windows on said system? Uh-oh, there's another potential
>> > problem (especially if xdm was enabled).
>> >
>> > ASCII-only email/web? Pine, Mutt (CAN-2002-0001) and lynx have had
>> > their problems w/security as well. PAM has had its problems, which
>> > in at least one case allowed users to get another's access
>> > credentials.
>> >
>> > The problem with your method is that it does not "think like a
>> > cracker". It "thinks" like someone who believes they are faster and
>> > superior to the cracking ability. IMO, that is as bad as relying
>> > solely on a firewall. Security is not an item, it is a process and
>> > mindset.
>> >
>> > While it is true for all systems that there is a period of
>> > vulnerability between the finding/reporting of the
>> > vulnerability/exploit and the updating of the system, by not using a
>> > firewall, you pile more openings on top of ones that affect, for
>> > example, bind or mod_ssl. There are exploits that allow the remote
>> > attacker to get non-root local access. Combine this with a
>> > local-root exploit and bam, you have a problem.
>> >
>> > IMO, this is as dangerous as "we have a firewall, who cares?".
>> >
>> > --
>> > Bill Anderson
>> > RHCE #807302597505773
>> > [EMAIL PROTECTED]
>> >
>> > --
>> > redhat-list mailing list
>> > unsubscribe mailto:[EMAIL PROTECTED]?subject=unsubscribe
>> > https://listman.redhat.com/mailman/listinfo/redhat-list
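The thread keeps coming back to one concrete control: a firewall that drops everything inbound unless a port is deliberately opened, so that a service like lpd on port 515 is unreachable during the window between an advisory and the update. The script below is an added example, not code from any of the posters. It generates a default-deny iptables ruleset in iptables-restore format and self-checks it before loading. It assumes a kernel with iptables and the `state` match; the published ports (22 and 80) and the check that 515 stays closed are illustrative assumptions.

```shell
#!/bin/sh
# Added example (not from any poster in the thread): build a default-deny
# iptables ruleset in iptables-restore format. Inbound packets are dropped
# unless they arrive on loopback, belong to a connection this host opened,
# or target a TCP port the administrator lists explicitly. The ports used
# below (22, 80) and the check for lpd's 515 are illustrative assumptions.

# gen_ruleset PORT... : print a ruleset that accepts only the listed TCP
# ports inbound. Fails (status 1) on anything that is not a plain number.
gen_ruleset() {
    for port in "$@"; do
        case "$port" in
            ''|*[!0-9]*) echo "gen_ruleset: bad port '$port'" >&2; return 1 ;;
        esac
    done
    printf '%s\n' '*filter'
    # Chain policies: anything not matched by a rule below is dropped.
    printf '%s\n' ':INPUT DROP [0:0]'
    printf '%s\n' ':FORWARD DROP [0:0]'
    printf '%s\n' ':OUTPUT ACCEPT [0:0]'
    # Loopback traffic never leaves the machine.
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    # Replies to connections this host started (updates, DNS, browsing).
    printf '%s\n' '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    # Only explicitly published services accept new connections.
    for port in "$@"; do
        printf '%s\n' "-A INPUT -p tcp --dport $port -m state --state NEW -j ACCEPT"
    done
    printf '%s\n' 'COMMIT'
}

# port_allowed PORT RULESET : succeed if RULESET accepts new connections to PORT.
port_allowed() {
    printf '%s\n' "$2" | grep -q -- "--dport $1 .*-j ACCEPT"
}

# ruleset_ok RULESET : succeed if the ruleset drops by default and keeps
# lpd (515, the LPRng example from the thread) unreachable from outside.
ruleset_ok() {
    printf '%s\n' "$1" | grep -q '^:INPUT DROP' || return 1
    port_allowed 515 "$1" && return 1
    return 0
}

# Usage: generate, self-check, print. On the host, load as root with
#   iptables-restore < firewall.rules
demo() {
    rules=$(gen_ruleset 22 80) || return 1
    ruleset_ok "$rules" || { echo "refusing unsafe ruleset" >&2; return 1; }
    printf '%s\n' "$rules"
}

demo
```

The ESTABLISHED,RELATED rule is what lets the box keep fetching errata and browsing while everything unsolicited is dropped, which is the "safe place to learn and grow" JAV describes; `ruleset_ok` is the kind of check worth running before each reload so a port does not get published by accident.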