
Re: [Sheflug] Ramen worm



On 08 Feb 2001 00:06:38 +0000, Barrie Bremner wrote:
>  > > You should really (I do it when config'ing the machine after install)
>  > > shutdown every service/server running on your box.
>  > > It should close up most of the common holes found on boxen.
>  > It doesn't close up any holes, it papers over cracks :) I think you're
>  > thinking of the BOfH system of security:
>  > 
>  >     "No service, therefore, no denial"
> 
> :-)
> 
> In all seriousness I'd actually be quite interested to hear your
> security policy/routine - just in case I've missed some glaringly
> obvious things :-)


Hmm, chapter and verse, or just the paperback edition???? 

Security policy as regards what machines, what services, what
conditions, where, with what users, with what data, with what
applications, etc.....

Basically, you've asked me a question I can't answer. It all comes down
to best practice at the end of the day, and you have to define your own
level of security. For example: my dial-up machine runs Linux, and is
often online for an hour, if not more. I've taken no steps to secure it.
No packet filters, not nothing. Why? Well, it doesn't have many services
running (to save memory, I only have 48Mb RAM), it's pretty up to date
(Debian stable/testing), and nobody attacks dial-up boxes randomly. The
likelihood of someone targeting me, although very remote, is probably
the only reason why I would get odd packets. Plus, my ISP does enough to
protect themselves that I benefit too. It's just not worth my time and
effort to spend time securing a machine which isn't going to get
attacked.

With the firewalls at work, it's a completely different matter, but
again, it's not security that comes first, it's functionality. There are
things we need these boxes to be able to do, or to let us do. That comes
first. Then, we make the boxes as secure as possible within these
parameters. (Obviously, this is done with common sense - if there are
simple changes which make a server a lot more secure, we choose the more
secure option). We make it so that the effort needed to recover the box
in the event of it being hacked is sufficiently small, or the
expectation of being hacked is sufficiently small, that the work done on
the box is worthwhile. There is a law of diminishing returns here,
though. I will apply software updates on a regular basis to most boxes.
I won't go around reconfiguring them to run services in double-chroot
environments if they're not already. There's just F all point in doing
that, it's a waste of my time. Similarly, we don't have nazi firewalls.
We don't turn off ICMP, we don't throw fits when someone portscans us
(they're welcome to, as far as I'm concerned...). Of course we throw out
dodgy packets, of course we don't forward traffic for people, of course
we don't allow our routers to be used in smurf attacks. But we don't
have a paranoia about the stuff we do, because experience shows it's not
warranted. We're not the CIA, we don't have sensitive info on our
servers, nobody would be able to gain financially from doing it, it's
all about risk evaluation. We don't make our servers rock solid secure
just for some bearded UNIX boxen-loving ego thing.

Cheers,

Alex.
---------------------------------------------------------------------
Sheffield Linux User's Group - http://www.sheflug.co.uk
To unsubscribe from this list send mail to
- <sheflug-request [at] vuw.ac.nz> - with the word 
 "unsubscribe" in the body of the message. 

  GNU the choice of a complete generation.