Firewall Wizards mailing list archives
Re: Web server security?
From: Steffen Kluge <kluge () fujitsu com au>
Date: Wed, 23 Jun 2004 11:49:19 +1000
On Wed, 2004-06-23 at 01:32, Paul D. Robertson wrote:
> And the whole hook design is broken, because all kernel data gets exposed to any module that likes to register - what an invitation to root kit authors.
That's an interesting point, in fact, I've always advocated (and practised) the use of kernels without loadable module support for Internet exposed machines. Loadable kernel modules are simply too nice a playground for attackers and a deluxe and simple way of installing backdoors (at least on non-capability enabled systems).

I haven't looked into grsecurity closely enough to have an opinion, so far I've been using Solar Designer's (OpenWall) patches.

Finally, I'm a satisfied user of the BastilleLinux scripts that among other things remove a lot of setuid madness and also remove execute permissions for non-privileged users from a lot of utilities - reliably, reproducibly and all in one fell swoop. After all, an Internet server is not a development platform or workstation...

Since mjr's recommended approach to building secure servers (starting from nil and adding only what one really needs) doesn't scale too well for me, and my time/resource constraints dictate that I re-use what other people have packaged and will update/support, I usually start with off-the-shelf systems and customise and strip them down as well as I can.

Cheers
Steffen.
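An added example, not part of the original post or thread: a shell audit for the two hardening measures discussed in the message above, reporting whether the kernel can still load modules and listing setuid/setgid files that are not on an allowlist. The function names and the allowlist format (one absolute path per line) are assumptions; `/proc/sys/kernel/modules_disabled` is the sysctl current Linux kernels provide for locking module loading.

```shell
#!/bin/sh
# Added audit sketch; function names and allowlist format are illustrative.

# module_support [PROC_ROOT] -> prints unknown | none | locked | loadable
#   unknown:  PROC_ROOT is not a directory (procfs not mounted there)
#   none:     kernel built without loadable module support
#   locked:   module support present, loading disabled until reboot
#   loadable: root can still insert modules
module_support() {
    proc=${1:-/proc}
    if [ ! -d "$proc" ]; then
        echo unknown
    elif [ ! -e "$proc/modules" ]; then
        echo none
    elif [ "$(cat "$proc/sys/kernel/modules_disabled" 2>/dev/null)" = "1" ]; then
        echo locked
    else
        echo loadable
    fi
}

# privileged_files DIR... -> regular files carrying setuid or setgid, sorted
privileged_files() {
    find "$@" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null | sort
}

# unexpected_privileged ALLOWLIST DIR... -> privileged files not in ALLOWLIST
unexpected_privileged() {
    allow=$1
    shift
    privileged_files "$@" | while IFS= read -r f; do
        # -x whole line, -F fixed string: the path must match exactly
        grep -qxF -- "$f" "$allow" || printf '%s\n' "$f"
    done
}

# When directories are given on the command line, audit them with an
# empty allowlist so every setuid/setgid file is reported.
if [ "$#" -gt 0 ]; then
    echo "kernel modules: $(module_support)"
    unexpected_privileged /dev/null "$@"
fi
```

Run it as `sh audit.sh /bin /usr/bin /sbin` on the host; a result of `loadable` on an Internet-exposed machine is the condition the post argues against.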