Full Disclosure mailing list archives
Re: !SPAM! Automated ssh scanning
From: Ron DuFresne <dufresne () winternet com>
Date: Thu, 26 Aug 2004 12:20:02 -0500 (CDT)
Then we are in agreement sir <smile>. Most folks 'install' the kitchen sink, needed or not, with little or no knowledge of their level of exposure. Exposed systems need special care taken, as well as 'client' machines.

Thanks,

Ron DuFresne

On Thu, 26 Aug 2004, Barry Fitzgerald wrote:
> Ron DuFresne wrote:
> > If your users are not trustable, then they should not have access to local systems of yours. Once a person has a shell, then they are 95% to root.
>
> I'm not sure I entirely agree with what you're saying. Scratch that - I'm sure I don't agree with what you're actually saying here -- though I probably agree with what I think you mean.
>
> If you mean that most default installs have so many packages and that many of those packages have methods that most people don't know about of getting around security barriers, then I agree with you.
>
> If you mean that even having a shell on a system means that the person will eventually get root access, I'm forced to disagree. It depends on a number of things; including packages installed, their configuration; the presence of SUID programs; the ability to compile/run code...
>
> Actually locking down a system is not easy, but unlike with MS Windows, you're not going to break the system by doing it properly. (Read the filesystem hierarchy standard for some ideas on why that is.)
>
> So, if someone can log into a shell on any *nix system and gain root -- there's still something wrong. It can't just be written off as "well if you can get shell you can get root, so don't let them get shell"... that's a cop-out argument and if that's the case, then why are we even bothering to secure anything anyway?!?
>
> The shell is just an interface - its security status is only as good as the tools available to it and its configuration.
>
> -Barry
>
> p.s. Not trying to ruffle feathers, simply calling it like I see it.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Cutting the space budget really restores my faith in humanity. It eliminates dreams, goals, and ideals and lets us get straight to the business of hate, debauchery, and self-annihilation." -- Johnny Hart
***testing, only testing, and damn good at it too!***

OK, so you're a Ph.D. Just don't touch anything.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
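Barry's list of what decides whether a shell becomes root (installed packages, their configuration, setuid programs, the ability to run code) is also the list an attacker with a fresh shell enumerates first. As an added example that is not part of the thread or of anyone's post, the POSIX shell script below audits a filesystem tree for setuid/setgid executables and flags any whose name is not on a known-good allowlist. The allowlist, the sample directory tree and the file names in it are constructed for illustration and are assumptions, not values from the list discussion.

```shell
#!/bin/sh
# Added example: enumerate setuid/setgid files under a directory tree and
# report those not on a known-good allowlist. The allowlist and the sample
# tree below are constructed for this example.

# Basenames of setuid/setgid binaries an admin expects on a minimal host.
# This list is an assumption; build the real one from a fresh install.
SUID_ALLOWLIST="su sudo passwd mount umount"

# Print every regular file under $1 with the setuid or setgid bit set.
# -xdev keeps find on one filesystem, so run it once per mount point.
find_suid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null | sort
}

# Print the setuid/setgid files under $1 whose basename is not allowlisted.
unexpected_suid() {
    find_suid "$1" | while IFS= read -r path; do
        base=$(basename "$path")
        allowed=0
        for name in $SUID_ALLOWLIST; do
            if [ "$base" = "$name" ]; then
                allowed=1
                break
            fi
        done
        if [ "$allowed" -eq 0 ]; then
            printf '%s\n' "$path"
        fi
    done
}

# Number of unexpected setuid/setgid files under $1 (0 means the tree is clean).
count_unexpected_suid() {
    unexpected_suid "$1" | wc -l | tr -d ' '
}

# Build a constructed sample tree: one allowlisted setuid file, one stray
# setuid binary dropped into a world-writable-style directory, and one
# ordinary executable. Prints the tree's root directory.
make_sample_tree() {
    dir=$(mktemp -d)
    mkdir -p "$dir/bin" "$dir/tmp"
    printf '#!/bin/sh\n' > "$dir/bin/passwd";  chmod 4755 "$dir/bin/passwd"
    printf '#!/bin/sh\n' > "$dir/tmp/.helper"; chmod 4755 "$dir/tmp/.helper"
    printf '#!/bin/sh\n' > "$dir/bin/ls";      chmod 0755 "$dir/bin/ls"
    printf '%s\n' "$dir"
}

# Stand-alone run against the constructed tree.
ROOT=$(make_sample_tree)
echo "setuid/setgid files under $ROOT:"
find_suid "$ROOT"
echo "not on allowlist:"
unexpected_suid "$ROOT"
rm -rf "$ROOT"
```

On a real host, run `find_suid /` as root once per mounted filesystem, save the output from a known-clean install as a baseline, and diff later runs against it; a new setuid file in a user-writable directory is exactly the kind of foothold the "shell to root" argument turns on.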