Firewall Wizards mailing list archives

Re: Port 37628....Is it just another port or out of the extra ordinary???


From: vbwilliams () neb rr com
Date: Mon, 26 Jul 2004 14:53:45 -0500

I don't get your point...if there is one.

The kernels that come with any distro are compiled for the masses.  I don't compile mine for the masses.  I statically 
compile what I KNOW I need, and everything else is left out.  You can't modprobe anything into the kernels I 
compile...I always remove the ability to do so.  If it isn't started at boot time, I'm confident it's not going to get 
started.  I think any internet-facing machine that's actively serving something on the internet for a customer should 
adhere to that rule.  That's my opinion...my opinion isn't going to change because anyone else disagrees with it.  It's 
what I've found to work more than any other method of deployment/implementation over the last decade of working with 
any distribution of Linux.  Likewise, it's also my opinion that any internet facing machine NOT have any *tools* on it 
that allow the modification and compilation/execution of code on that machine.  That means on an internet facing 
machine I admin, there's no gcc tools on it...it's the bare essentials to run, plus whatever service I need, be it 
Apache or anything else.  Does that mean I have completely discounted the work that people at Red Hat or the kernel 
developers have done?  No.  It just means I don't think their bloat should be on an internet facing machine.  My 
regular workstation and laptop run the full bloat stock Red Hat installation.  But there's no way in hell I'd put the 
same thing on a production machine serving 1 or 2 things, whose hardware will more than likely not change in the next 
3-4 years.

That is the difference between taking something that someone hands you, or doing it yourself and giving yourself peace 
of mind because you've decreased the possibility of something getting introduced into your system that could compromise 
it.

Why it would peeve you, I have no idea.  I don't just blindly trust what the kernel developers give me either.  I 
testbed EVERY version of the Linux kernel that I'm thinking about deploying, before I ever deploy it...and I look at 
every change I have time to look at...I look at the changes in release candidates every day...even if it's just 
eyeballing them.  So, no, I don't just blindly trust Red Hat, Suse, or the kernel developers either.

And by the way, the last two Red Hat updates for kernels have addressed vulnerabilities in THEIR implementations.  Know 
why any machine I admin wasn't affected even though they were all Red Hat based?  Because the kernels I was using were 
not provided by Red Hat.  I ran the vulnerabilities/exploits against them...had no effect.  Reason is simple...I wasn't 
running a version of the kernel that was affected...I was running my own.

I do the same thing with OpenSSL, OpenSSH, and Apache...and any other service I NEED.
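The post above describes two hardening choices for an internet-facing host: a kernel built with loadable-module support compiled out, and no compiler toolchain on the box. The script below is an added example, not code from the poster or the list; it audits both conditions. The two kernel `.config` fragments are constructed for illustration. The `kernel.modules_disabled` sysctl it consults is a later Linux addition (2.6.31), so it postdates this 2004 thread; it is included as the modern runtime counterpart of the "can't modprobe anything" stance. The live checks assume a Linux host with `/proc` mounted.

```sh
#!/bin/sh
# Added example (not from the list post): audit checks for a kernel built
# without loadable-module support and a host with no build toolchain.
# The sample .config contents below are constructed for illustration.

# Constructed: a distro-style config with loadable modules enabled.
SAMPLE_CONFIG_MODULAR='CONFIG_LOCALVERSION=""
CONFIG_MODULES=y
CONFIG_MODULE_UNLOAD=y
CONFIG_NET=y'

# Constructed: a static config, everything built in, no module loader.
SAMPLE_CONFIG_STATIC='CONFIG_LOCALVERSION="-static"
# CONFIG_MODULES is not set
CONFIG_NET=y'

# kconfig_modules_enabled CONFIG_TEXT
# Returns 0 if the config text enables loadable module support
# (CONFIG_MODULES=y), 1 otherwise ("# CONFIG_MODULES is not set" or absent).
kconfig_modules_enabled() {
    printf '%s\n' "$1" | grep -q '^CONFIG_MODULES=y$'
}

# kconfig_verdict CONFIG_TEXT
# Prints "static" when no module loader is compiled in, "modular" when
# code can still be loaded into the running kernel after boot.
kconfig_verdict() {
    if kconfig_modules_enabled "$1"; then
        echo modular
    else
        echo static
    fi
}

# runtime_module_loading_state
# Prints the live kernel's module-loading state (assumes Linux /proc).
# With module support compiled out there is no /proc/modules at all; on a
# modular kernel the sysctl kernel.modules_disabled=1 means loading has
# been locked out until reboot.
runtime_module_loading_state() {
    if [ ! -e /proc/modules ]; then
        echo "static-kernel"
    elif [ "$(cat /proc/sys/kernel/modules_disabled 2>/dev/null)" = "1" ]; then
        echo "locked"
    else
        echo "loadable"
    fi
}

# count_tools_in_path NAME...
# Prints how many of the named executables are reachable via PATH; a
# production host built as described above should report 0 for compilers.
count_tools_in_path() {
    n=0
    for tool in "$@"; do
        if command -v "$tool" >/dev/null 2>&1; then
            n=$((n + 1))
        fi
    done
    echo "$n"
}

# Stand-alone run: audit the two constructed configs and the local host.
main() {
    echo "sample modular config: $(kconfig_verdict "$SAMPLE_CONFIG_MODULAR")"
    echo "sample static config:  $(kconfig_verdict "$SAMPLE_CONFIG_STATIC")"
    echo "running kernel:        $(runtime_module_loading_state)"
    echo "build tools in PATH:   $(count_tools_in_path gcc cc make ld as)"
}

main "$@"
```

Run it against a real `.config` by passing the file's contents to `kconfig_verdict "$(cat /boot/config-$(uname -r))"`; a "modular" verdict together with a "loadable" runtime state is the combination the post argues against for a single-purpose production host.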


----- Original Message -----
From: Mark Tinberg <mtinberg () securepipe com>
Date: Monday, July 26, 2004 2:15 pm
Subject: Re: [fw-wiz] Port 37628....Is it just another port or out of the extra ordinary???

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Fri, 23 Jul 2004, Victor Williams wrote:

> 5.  A custom kernel is always a better idea vs blindly trusting what
> others have compiled or let leak into theirs.  I compile custom kernels
> for any Linux machine (serving internet content/services or not),
> regardless of the function.

This attitude is a pet peeve of mine.  Why do people assume that because
they _can_ build a kernel for themselves that they must naturally be
better at it than the people at RedHat, SuSE/Novell or Debian who live,
sleep, eat and breathe the kernel all day long.  I think that it is as
much about blindly throwing away all of the work that people who maintain
production quality kernels do as it is about trusting their work.  Another
way to put this is, in what is your trust in the vanilla kernel sources,
or your builds, based?  Hopefully not blind trust 8^)

- -- 
Mark Tinberg <MTinberg () securepipe com>
Staff Engineer, SecurePipe Inc.
Key fingerprint = FAEF 15E4 FEB3 08E8 66D5  A1A1 16EE C5E4 E523 6C67
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
Comment: For info see http://quantumlab.net/pine_privacy_guard/

iD8DBQFBBVhBFu7F5OUjbGcRAg9ZAJ0SdeTOytryMxd7Rbg/QydeiEZ9fACeJMEE
y09h92D5AaB9dAwhxSAkN4w=
=AJW0
-----END PGP SIGNATURE-----


_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards