Firewall Wizards mailing list archives
Re: The Morris worm to Nimda, how little we've learned or gained
From: "Paul D. Robertson" <proberts () patriot net>
Date: Mon, 7 Jan 2002 17:13:19 -0500 (EST)
On Mon, 7 Jan 2002, Rich Kulawiec wrote:
> On Sun, Jan 06, 2002 at 09:43:10PM -0500, Paul D. Robertson wrote:
> > Solaris is a three day exercise to unwind enough stuff and compile IPFilter into the kernel to block enough to be comfortable, futz with runlevels...
>
> Yes, it is. Repeating the exercise for other Unix/Linux OSs gets rather tedious as well, which is one of the reasons that I've mostly fixed on OpenBSD for "single-service boxes".

Linux and *BSD don't tend to be as bad as everyone who swallowed the CDE worm and found that hook. I can get a fairly novice admin to tighten things down in about 20 minutes for anything that isn't commercial.

> But on the upside, there are now enough tools to allow me to install J. Random Unix/Linux distribution and figure out what it's running,

I've been running Linux boxen since kernel .98p11, and I've resisted using distribution-specific tools until I had to come up with a "how do I configure this well" document and found RedHat's chkconfig. It's fairly easy to emulate with scripts, but I find the combo of RC stuff and (x)inetd stuff all in one place invaluable for having a novice do the right thing. I've installed lsof on anything I've had to administer for quite a number of years now, and it, coupled with some greps, will have even a novice admin looking at exactly the right things pretty quickly.

> The problem, though, as you pointed out elsewhere in your note, is that sometimes the requisite functionality (e.g. Solaris requiring rpcbind to serve fonts) is handled in a way that makes it hard to turn off everything that I'd really like to.

I'm working on a solution to this that I think will work out well; I just need to get the Solaris C compiler to cooperate with my cobweb'd mind :) If I can get it to work and I can get it released in source form, I'll announce it widely.

> A second problem is that I'd like to avoid this entire process; but I'm not aware of any Unix/Linux distribution whose install procedure includes taking the user through a dialog that advises them what they're opening vs. what they're closing.

It wouldn't be difficult to turn everything off and ask; it's just that while it's not the default, it'll not be used (MS Outlook Security patch, anyone?).

> A third problem is that some distributions conflate the meaning of "install this piece of software" with "install and ENABLE this piece of software". There are often times I'd like to do one, but reserve the decision on the other until a later time (if at all).

Used Debian, I take it? ;) Machine-level risk assessments need to be something that's ingrained, or we need to have better ways to tune security without impacting *used* features. I thought it was pretty telling when someone earlier posted about UUCP being enabled on Web servers, and having trouble shutting it down because (it seems to me) admins aren't used to knowing how things operate anymore. The argument that Open Source changes that isn't strong enough; the argument needs to be that the understanding is necessary no matter what the platform, and let the models deal with the costs in their own ways.

> To be honest, I don't know of a really good approach to address this. One thought that occurs to me is that software authors might consider including, in addition to the ubiquitous "README" and "INSTALL" files that are part of many (most?) open-source packages, a file called... hmmm, let's call it "IMPACT" because it somewhat reminds me of an environmental impact statement... which would detail what files/directories are modified when this package is installed, what network port(s) it listens on, what processes it will run, etc. But I'm not sure if this is a useful idea or not. Comments?

I think it's more useful to have a utility that figures it all out and makes things right. I'm constantly reminded of how easy "Zone Alarm" is to use. Yes, it has its faults, but it mostly does the right thing without the user having to think very hard. Something more akin to that might be better in making an impact.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts () patriot net      which may have no basis whatsoever in fact."
_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards
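As an added example (not from the post or the list), here is a small POSIX shell script of the "lsof coupled with some greps" kind described above: it turns `lsof -nP -i` style output into a list of exposed services and flags anything not on an explicit allowlist, the UUCP-on-a-web-server case included. The lsof sample is constructed; the function names and the allowlist are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): a lightweight "lsof plus greps"
# audit of what a box is actually listening on. The sample below is a constructed
# stand-in for `lsof -nP -i` output; on a live system replace it with:
#   lsof -nP -i 2>/dev/null
SAMPLE_LSOF='COMMAND   PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
sshd      412 root    3u  IPv4  10234      0t0  TCP *:22 (LISTEN)
rpcbind   301 root    6u  IPv4   9876      0t0  TCP *:111 (LISTEN)
rpcbind   301 root    7u  IPv4   9877      0t0  UDP *:111
uucico    877 uucp    4u  IPv4  11223      0t0  TCP *:540 (LISTEN)
httpd     950 www     5u  IPv4  12001      0t0  TCP *:80 (LISTEN)
sendmail  611 root    4u  IPv4  10456      0t0  TCP 127.0.0.1:25 (LISTEN)'

# listening_services LSOF_OUTPUT
# Prints one "PROTO PORT COMMAND PID USER" line per listening TCP socket or bound
# UDP socket, so a novice sees exactly the exposed services and who owns them.
listening_services() {
    printf '%s\n' "$1" | awk '
        NR > 1 && ($8 == "UDP" || $10 == "(LISTEN)") {
            n = split($9, a, ":")        # NAME is addr:port; port is the last piece
            printf "%s %s %s %s %s\n", $8, a[n], $1, $2, $3
        }'
}

# unexpected_services LSOF_OUTPUT "port port ..."
# Filters the listeners down to those whose port is NOT on the explicit allowlist:
# the machine-level risk assessment of what this box is supposed to serve.
unexpected_services() {
    listening_services "$1" | awk -v allow="$2" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        !($2 in ok)'
}

# Usage: a web server is supposed to offer ssh and http, nothing else.
echo "Listening services not on the allowlist (22 80):"
unexpected_services "$SAMPLE_LSOF" "22 80"
```

Each flagged line names the command, PID and user, which is exactly what is needed to chase the service back to its RC script or (x)inetd entry and decide whether it is used.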