Firewall Wizards mailing list archives

RE: The Morris worm to Nimda, how little we've learned or gained


From: Bill_Royds () pch gc ca
Date: Sat, 5 Jan 2002 16:29:38 -0500



For the last couple of months and until April, I am acting as systems
administrator for a farm of 8 large Solaris web server systems while someone is
on sick leave. One of the first things I noticed is that UUCP was running on all
the systems (with a UUCP cron job), but no UUCP traffic had actually occurred
for 2 years. It was in the default install, so it was installed.

I have almost convinced senior management that running all these unused services
is not just bad security but a waste of resources as well. One of the
first things I did was netstat -a | egrep 'Idle|LISTEN' and then ask for a
justification of every service/port that was there. Once you correlated that
tooltalk daemon to the 4 largest CPU burners, management started to understand
that security doesn't necessarily cost resources. It can also save them.
Many fewer services are running now.

One of the things that would have helped is a cross correlation of processes.
For a system in production, the idea of turning off a service "that might be
used by the HTTPD process" is scary.


Bill Royds
Acting System Administrator, CHIN
ph: (819) 994-1200 X 239




On 01/05/2002 15:18, "R. DuFresne" <dufresne@sysinfo.com> wrote:
To: Bill Royds/HullOttawa/PCH/CA@PCH
cc: robert_david_graham <robert_david_graham () yahoo com>, firewall-wizards () nfr net, "'Marcus J. Ranum'" <mjr () nfr com>
Subject: RE: [fw-wiz] The Morris worm to Nimda, how little we've learned or gained

It's even worse than that, though.  Even your 'average' Unix admin installs
most every package on the vendor's CD, and many even go through most all
the 'ports' and install those too!  I've banged my head far too many times
when trying to get policies to a point where admins were 'supposed' to do
installs on systems based upon the specific services those machines were
supposed to be placed to support, and only those services.

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards
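The "justify every listening port" review described in the post above, as an added example that is not part of the original message or the list: a small POSIX sh check that compares a snapshot of listening sockets (port plus owning process) against an allowlist of justified services and reports everything else. The snapshot and allowlist here are constructed sample data; on a real host the snapshot would come from a tool that ties sockets to processes (lsof -nP -iTCP -sTCP:LISTEN, or ss -ltnup on Linux), since plain netstat -a does not show the owning process.

```shell
#!/bin/sh
# Constructed sample snapshot: "proto port owning-command" per line,
# in the spirit of the Solaris web farm in the post (a UUCP and a
# ToolTalk listener that nobody has justified).
SAMPLE_LISTENERS='tcp 22 sshd
tcp 80 httpd
tcp 443 httpd
tcp 540 uucpd
tcp 1234 rpc.ttdbserverd
udp 111 rpcbind'

# Constructed allowlist: one "port command" pair per justified service.
# Pairing port with process means httpd on an unexpected port, or a
# different daemon squatting on 80, is still flagged for review.
ALLOWLIST='22 sshd
80 httpd
443 httpd'

# Print every listener (as proto/port command) not present in the allowlist.
# $1 = listener snapshot, $2 = allowlist; returns 0 always, output is the result.
unjustified_listeners() {
  listeners="$1"
  allow="$2"
  printf '%s\n' "$listeners" | while read -r proto port cmd; do
    [ -z "$port" ] && continue            # skip blank lines
    if ! printf '%s\n' "$allow" | grep -qx "$port $cmd"; then
      printf '%s/%s %s\n' "$proto" "$port" "$cmd"
    fi
  done
}

# Count of unjustified listeners, usable as a pass/fail gate in a cron job.
unjustified_count() {
  unjustified_listeners "$1" "$2" | grep -c .
}

unjustified_listeners "$SAMPLE_LISTENERS" "$ALLOWLIST"
```

Against the sample data the check reports uucpd, rpc.ttdbserverd and rpcbind; each line is a service whose owner has to either document a justification or have it disabled.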

