Firewall Wizards mailing list archives
RE: The Morris worm to Nimda, how little we've learned or gained
From: Bill_Royds () pch gc ca
Date: Sat, 5 Jan 2002 16:29:38 -0500
For the last couple of months and until April, I am acting as systems administrator for a farm of 8 large Solaris web server systems while someone is on sick leave. One of the first things I noticed is that UUCP was running on all the systems (with a UUCP cron job), but no UUCP traffic had actually occurred for 2 years. It was on the default install, so it was installed. I have almost convinced senior management that running all these unused services is not just bad security but a waste of resources as well. One of the first things I did was netstat -a | egrep 'Idle|LISTEN' and then asked for a justification of every service/port that was there. Once you correlated that tooltalk daemon to the 4 largest CPU burners, management started to understand that security doesn't necessarily cost resources. It can also save them. Many fewer services are running now.

One of the things that would have helped is a cross correlation of processes. For a system in production, the idea of turning off a service "that might be used by the HTTPD process" is scary.

Bill Royds
Acting System Administrator, CHIN
ph: (819) 994-1200 X 239

"R. DuFresne" <dufresne@sysinfo.com> wrote on 01/05/2002 15:18:
To: Bill Royds/HullOttawa/PCH/CA@PCH
cc: robert_david_graham <robert_david_graham () yahoo com>, firewall-wizards () nfr net, "'Marcus J. Ranum'" <mjr () nfr com>
Subject: RE: [fw-wiz] The Morris worm to Nimda, how little we've learned or gained

It's even worse than that though. Even your 'average' unix admin installs most every package on the vendor's CD, and many even go through most all the 'ports' and install those too!

I've banged my head far too many times when trying to get policies to a point where admins were 'supposed' to do installs on systems based upon the specific services those machines were supposed to be placed to support, and only those services.

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards
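The port-to-process cross correlation Bill says would have helped, as an added example that is not from this thread: it joins the socket inodes of LISTEN entries in Linux /proc/net/tcp to the socket:[inode] links under /proc/<pid>/fd, so every listening port is named with the process holding it (on Solaris the same join is done with pfiles against each pid). The sample /proc rows, pids and process names are constructed; the live function assumes a Linux host and needs root to see other users' file descriptors.

```python
import os, re, socket, struct
from collections import defaultdict
def parse_proc_net_tcp(text):
    """{inode: (ip, port)} for each LISTEN (state 0A) IPv4 socket in /proc/net/tcp text."""
    listeners = {}
    for line in text.splitlines()[1:]:  # line 0 is the column header
        f = line.split()
        if len(f) >= 10 and f[3] == "0A":
            hex_ip, hex_port = f[1].split(":")  # kernel prints the IPv4 address little-endian
            ip = socket.inet_ntoa(struct.pack("<I", int(hex_ip, 16)))
            listeners[int(f[9])] = (ip, int(hex_port, 16))
    return listeners

def socket_owners(fd_links):
    """{inode: {pid, ...}} from (pid, readlink target) pairs taken from /proc/<pid>/fd/*."""
    owners = defaultdict(set)
    for pid, target in fd_links:
        m = re.fullmatch(r"socket:\[(\d+)\]", target)
        if m:
            owners[int(m.group(1))].add(pid)
    return owners

def correlate(listeners, owners, comm):
    """Rows (ip, port, 'name[pid], ...') sorted by port; an unowned listener is flagged, not dropped."""
    rows = []
    for inode, (ip, port) in sorted(listeners.items(), key=lambda kv: kv[1][1]):
        who = ", ".join(f"{comm.get(p, '?')}[{p}]" for p in sorted(owners.get(inode, ())))
        rows.append((ip, port, who or "?(owner not visible; run as root)"))
    return rows

def live_report():
    """Same join against the real /proc of a Linux host; comm maps pid -> process name."""
    links, comm = [], {}
    for pid in map(int, filter(str.isdigit, os.listdir("/proc"))):
        try:
            comm[pid] = open(f"/proc/{pid}/comm").read().strip()
            links += [(pid, os.readlink(f"/proc/{pid}/fd/{fd}")) for fd in os.listdir(f"/proc/{pid}/fd")]
        except OSError:
            pass  # another user's process, or one that exited while we looked
    return correlate(parse_proc_net_tcp(open("/proc/net/tcp").read()), socket_owners(links), comm)
# Constructed sample: sshd on *:22 and cupsd on 127.0.0.1:631, plus one ESTABLISHED socket to ignore.
SAMPLE_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 10001 1 0000000000000000 100 0 0 10 0
   1: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 10002 1 0000000000000000 100 0 0 10 0
   2: 0100007F:0277 0100007F:C350 01 00000000:00000000 00:00000000 00000000     0        0 10003 1 0000000000000000 20 4 30 10 -1
"""
SAMPLE_FDS = [(812, "socket:[10001]"), (812, "/dev/null"), (4417, "socket:[10002]"), (4417, "socket:[10003]")]
SAMPLE_COMM = {812: "sshd", 4417: "cupsd"}
```

Running `live_report()` as root gives the per-port justification list; a row flagged with "?" means the socket exists but its owner was not visible to the caller, which is itself worth chasing down.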