Re: [fw-wiz] Securing a Linux Firewall

From: Brian Hatch (firewall-wizards@ifokr.org)
Date: 07/23/02


From: Brian Hatch <firewall-wizards@ifokr.org>
To: Carson Gaspar <carson@taltos.org>
Date: Tue Jul 23 17:13:01 2002



> OK - as someone who seems to represent the "remove the executables" camp,
> can you explain your reasoning? I've never been able to understand _why_
> removing files buys you anything?
>
> (See my previous post for my strategy - castrate all privileged binaries,
> turn off all services, and turn logging to high)

Naturally there's the theory that 'anything you make available is another
potential vulnerability'.

I also like to remove unneeded executables (or rather the packages
(deb/rpm/etc) themselves in whole) because it makes it more annoying
to a cracker to need to upload programs like 'grep' when they're not
on the system. Nuke 'ls' and see how many crackers will leave because
it's not worth the time.

But more importantly, any software that can be a daemon you should
remove. Why? Because when you update your software (rpm -F with
newest rpms, or apt-get update your debian box) it may turn that
program back on by default. So why have it installed at all?

--
Brian Hatch                  "I see you are as
   Systems and                willful as ever."
   Security Engineer         "Far more, I've greatly
http://www.ifokr.org/bri/     improved, I've had
                              more experience."
Every message PGP signed
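The point Brian makes about daemons (an update can re-enable a service you only switched off) is easiest to act on if you can see which installed packages own an init script that the boot sequence still runs. The script below is an added example, not code from the original thread or from any distribution: it maps init scripts to their owning package (the way rpm -qf or dpkg -S report it) and lists the packages that have an enabled daemon, so those are removed as packages rather than merely chkconfig'd off. The package names and paths in the demo data are constructed; live_inventory assumes a SysV-style /etc/init.d and /etc/rcN.d layout with either rpm or dpkg present.

```sh
#!/bin/sh
# Added example (not from the original post): find installed packages that own an
# init script the boot sequence still enables, so the whole package can be removed
# instead of just disabled (and silently re-enabled by the next update).

# audit_daemons INVENTORY ENABLED
#   INVENTORY: "package<TAB>path" lines, the owner of each file as rpm -qf / dpkg -S report it
#   ENABLED:   one init-script path per line that is currently linked into the runlevel
# Prints each package owning at least one enabled init script, one per line, sorted.
audit_daemons() {
    inventory=$1
    enabled=$2
    # awk's NR==FNR idiom misfires on an empty first file (every inventory line
    # would count as "enabled"), so handle the nothing-enabled case explicitly.
    [ -s "$enabled" ] || return 0
    # Exact match on the path field: a substring match would wrongly pair
    # /etc/init.d/ssh with /etc/init.d/sshd.
    awk -F '\t' 'NR == FNR { on[$0] = 1; next } ($2 in on) { print $1 }' \
        "$enabled" "$inventory" | sort -u
}

# live_inventory RCDIR INVENTORY_OUT ENABLED_OUT
#   Build the two input files on a real SysV-style host: every script in /etc/init.d
#   mapped to its owning package, and the scripts RCDIR (e.g. /etc/rc3.d) starts.
#   Assumes rpm or dpkg is available; unowned scripts are tagged "unowned".
live_inventory() {
    rcdir=$1
    inv_out=$2
    en_out=$3
    : > "$inv_out"
    : > "$en_out"
    for script in /etc/init.d/*; do
        [ -f "$script" ] || continue
        owner=$(rpm -qf --qf '%{NAME}\n' "$script" 2>/dev/null \
             || dpkg -S "$script" 2>/dev/null | cut -d: -f1)
        printf '%s\t%s\n' "${owner:-unowned}" "$script" >> "$inv_out"
    done
    for link in "$rcdir"/S*; do
        [ -e "$link" ] && readlink -f "$link" >> "$en_out"
    done
}

# Constructed demo data (not from any real host): four files owned by three
# packages, with sendmail's init script still linked into the runlevel.
demo=$(mktemp -d)
printf 'openssh-server\t/etc/init.d/sshd\nsendmail\t/etc/init.d/sendmail\nsendmail\t/usr/sbin/sendmail\ncoreutils\t/bin/ls\n' > "$demo/inventory"
printf '/etc/init.d/sendmail\n' > "$demo/enabled"
echo "Packages with an enabled daemon (remove the package, not just the S-link):"
audit_daemons "$demo/inventory" "$demo/enabled"   # prints: sendmail
rm -rf "$demo"
```

On a real host, run live_inventory /etc/rc3.d inv.txt en.txt and then audit_daemons inv.txt en.txt; anything listed that the firewall does not need is a candidate for rpm -e or apt-get remove, after which a later rpm -F or apt-get upgrade has nothing to re-enable.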
