Firewall Wizards mailing list archives
Re: securing bind
From: Ken Hardy <ken () bridge com>
Date: Thu, 18 Nov 1999 10:29:09 -0600 (CST)
It's obvious that we'll never see the end of stack overrun attacks until overrunning the stack doesn't get you anywhere. IMHO something like StackGuard should be a standard option on *all* compilers, and all exposed services like DNS should be compiled with it enabled. Make that every bit of code (incl. kernel?) running on a firewall.

It's not a cure-all for bad coding, but it does disable the hackers' favorite attack automatically w/o any application code review and patching. Well, not completely disable, but it will turn a root compromise into a DOS (program abends on stack overrun). See http://www.cse.ogi.edu/DISC/projects/immunix/StackGuard.

I'd be interested in knowledgeable comments about how reliable and comprehensive this approach to the stack overrun problem is, though it's probably beyond the charter of this list.

Alternatively (and higher performance?) Solaris 2 has a kernel parameter that can be set to make the stack non-executable. The documentation I've seen warns that some programs depend on self-modifying code on the stack but says that that may not be an issue for many limited-use dedicated servers. Anyone try this when running any popular firewall products???

-- KH

On Wed, 17 Nov 1999, Craig H. Rowland wrote:

can anyone point me to a good document, how i can secure bind? i searched the web, but couldn't find anything useful.

This is kind of a vague question depending on what you mean by securing BIND. The first thing you should do is chroot() it though (IMHO). I wrote some documents a while back that explain how to do this for version 8.x:

http://www.psionic.com/papers/dns

Adam Shostack has instructions for BIND 4.x on Solaris too:

http://www.homeport.org/~adam/dns.html

-- Craig
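The effect described in the message above, where a canary check turns a stack overrun into a program abort instead of a hijacked return, can be modelled in a few lines of C. This is an added example, not code from the thread or from StackGuard; the stack frame is simulated inside a byte array, and the layout, `run_frame`, and all values are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simulated stack frame (constructed layout, an assumption for illustration):
 * [ 16-byte local buffer ][ 8-byte canary ][ 8-byte saved return address ] */
enum { BUF_LEN = 16, CANARY_OFF = 16, RET_OFF = 24, FRAME_LEN = 32 };

#define LEGIT_RET 0x0000000000401000ULL  /* constructed sample value */

typedef enum { RETURN_OK, RETURN_HIJACKED, ABORTED_BY_CANARY } outcome_t;

/* Models a function whose unchecked copy writes `len` bytes of `input` into
 * its local buffer. With `guard` set, the epilogue verifies the canary before
 * the saved return address is used, as a canary-inserting compiler arranges. */
outcome_t run_frame(const uint8_t *input, size_t len, int guard, uint64_t canary)
{
    uint8_t frame[FRAME_LEN];
    uint64_t ret = LEGIT_RET, check;

    memset(frame, 0, sizeof frame);
    memcpy(frame + CANARY_OFF, &canary, sizeof canary);  /* prologue */
    memcpy(frame + RET_OFF, &ret, sizeof ret);

    if (len > FRAME_LEN) len = FRAME_LEN;  /* keep the simulation in bounds */
    memcpy(frame, input, len);             /* the unchecked copy (the bug) */

    if (guard) {                           /* epilogue check */
        memcpy(&check, frame + CANARY_OFF, sizeof check);
        if (check != canary) return ABORTED_BY_CANARY;  /* abend, not hijack */
    }
    memcpy(&ret, frame + RET_OFF, sizeof ret);
    return ret == LEGIT_RET ? RETURN_OK : RETURN_HIJACKED;
}

int main(void)
{
    uint8_t fits[BUF_LEN], overrun[FRAME_LEN];
    uint64_t canary = 0x000aff0d5eed1234ULL;  /* constructed sample value */

    memset(fits, 'A', sizeof fits);
    memset(overrun, 'A', sizeof overrun);     /* constructed oversized input */
    printf("in-bounds, guarded: %d\n", run_frame(fits, sizeof fits, 1, canary));
    printf("overrun, unguarded: %d\n", run_frame(overrun, sizeof overrun, 0, canary));
    printf("overrun, guarded:   %d\n", run_frame(overrun, sizeof overrun, 1, canary));
    return 0;
}
```

An overrun that stops short of the saved return address still trips the guarded check, because the canary sits between the buffer and the return address.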