Firewall Wizards mailing list archives

Re: Custom Unix server installations -- to harden extensively ?

From: Devdas Bhagat <dvb () users sourceforge net>
Date: Thu, 15 May 2003 03:30:00 +0530

On 14/05/03 14:12 -0400, Carson Gaspar wrote:
<snip>

An attacker is left with no method for privilege escalation. Removing 
binaries only stops script kiddies - anyone who has access to run processes 
on your box can install anything they want (assuming they can create 
executable files).

It isn't the script kiddie that this defends against, it is the clueless
admin who should never have had that level of access in the first place.
Lacking easy access to tools can mean the difference between said admin
having to ask for help and not doing damage to a system with a libc
upgrade without really understanding what it will break, and said admin
damaging the system badly enough to have to run for backup tapes and
upgrade disks.

I personally have found that a centralized build system with proper
distribution of binaries helps in /keeping/ boxes locked down and
synchronized.

The administrator does not have to worry about building software on
multiple systems, just on one. The lesser the stuff installed, the fewer
vulnerabilities to watch out for. 
If something is installed, it can easily be activated by another
application/upgrade/newbie admin. What is not installed, will not be
activatable, and the admin doesn't need to worry about having to patch a
bunch of applications for a bug that should not be important but ends up
being so.

To sum up, not installing stuff is a precaution against accidents rather
than a defense against malicious attackers, even though it does act as
an additional step in filtering them out.

Start small, and build up as needed is a much easier way of building
servers, rather than start with everything and then strip out what is
not needed. At least with Unix like systems, individual services can be
turned off, with a system like Windows, it is hard for the average admin
to know what to safely turn off.

Devdas Bhagat
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

Current thread:

Custom Unix server installations -- to harden extensively ? Julian Gomez (May 13)
- Re: Custom Unix server installations -- to harden extensively ? Paul Robertson (May 13)
- Re: Custom Unix server installations -- to harden extensively ? John Adams (May 13)
  - Re: Custom Unix server installations -- to harden extensively ? Julian Gomez (May 15)
- RE: Custom Unix server installations -- to harden extensively ? Keith A. Glass (May 14)
  - RE: Custom Unix server installations -- to harden extensively ? Ben Nagy (May 14)
- Re: Custom Unix server installations -- to harden extensively ? Carson Gaspar (May 14)
  - Re: Custom Unix server installations -- to harden extensively ? Devdas Bhagat (May 15)
    - Re: Custom Unix server installations -- to harden extensively ? Bill Royds (May 16)
  - Re: Custom Unix server installations -- to harden extensively ? Marcus J. Ranum (May 15)
  - Re: Custom Unix server installations -- to harden extensively ? Matthew Kirkwood (May 16)
- Re: Custom Unix server installations -- to harden extensively ? Crispin Cowan (May 14)
- Re: Custom Unix server installations -- to harden extensively ? Mason Schmitt (May 15)
- <Possible follow-ups>
- RE: Custom Unix server installations -- to harden extensively ? salgak (May 15)
  - Re: Custom Unix server installations -- to harden extensively ? Barney Wolff (May 15)
    - RE: Custom Unix server installations -- to harden extensively ? Keith A. Glass (May 16)
    - RE: Custom Unix server installations -- to harden extensively ? R. DuFresne (May 16)