I don't think it is the main jails you would block since they have to receive and send data in order for the public to access them. Maybe you would block the pool of sage__ users from accessing the net using Iptables. (this might be helpful --> http://www.thescripts.com/forum/thread705507.html) Also maybe you could have a whitelist for the sloane database and the others.
On 10/16/07, William Stein <[EMAIL PROTECTED]> wrote: > > On 10/16/07, TrixB4Kidz <[EMAIL PROTECTED]> wrote: > > Hey again. I actually got a similar reply from William earlier today > > that I was going to append to this message (this post took quite some > > time to appear on google groups for whatever reason). The particular > > attack that I described is preventable, but the fact that the users > > have full access to a shell creates the potential for large security > > vulnerabilities. In particular, what about the other systems on your > > network? You've just given everyone access to your system behind your > > firewall. With this, I could easily write a script that punches a > > hole through your firewall and creates a pipe to one of your blocked > > ports. > > The sage server isn't behind any firewall. The math department > does have a firewall, but sage is "in front of it" rather than behind it. > That said, there are some services accessible form the server > that are only campus-accessible, e.g., library web servers. > > > What I'm more concerned about is the fact that this model opens the > > rest of your network up. I mean, the attacker is behind the firewall > > on a computer that is part of a campus's internal network. One could > > build a crawler in Python that discovers the hidden network topology, > > port maps all of the systems, and sends the results back to their > > system via a raw socket or scp. So even if your server is rock-solid, > > the attacker has still learned about several other potential entry > > points into your network. Hence, the SAGE server could simply serve > > as a stepping stone into a larger-scale attack on the network. > > It would be helpful if I blocked all outgoing connection from the notebook's > chroot jail. I actually have planned to do so for a while, but haven't > got around to it. > > An number of things would be more frustrating with this model, e.g., > users couldn't use any of the network-aware databases that Sage has, > or pull up files in the notebook from elsewhere online. But that's > perhaps not an unreasonable inconvenience for added security. > > Actually, how do I setup networking in the chroot jail so processes > in the chroot can't create outgoing connections, but processes not > in the chroot can? > > -- > William Stein > Associate Professor of Mathematics > University of Washington > http://wstein.org > > > > --~--~---------~--~----~------------~-------~--~----~ To post to this group, send email to sage-devel@googlegroups.com To unsubscribe from this group, send email to [EMAIL PROTECTED] For more options, visit this group at http://groups.google.com/group/sage-devel URLs: http://sage.scipy.org/sage/ and http://modular.math.washington.edu/sage/ -~----------~----~----~----~------~----~------~--~---
