Re: [fw-wiz] Web server security?

From: Steffen Kluge (kluge_at_fujitsu.com.au)
Date: 06/23/04

    To: firewall-wizards@honor.icsalabs.com
    Date: Wed, 23 Jun 2004 11:49:19 +1000

    On Wed, 2004-06-23 at 01:32, Paul D. Robertson wrote:
    > And the whole hook design is broken, because all kernel data gets exposed
    > to any module that likes to register - what an invitation to root kit
    > authors.

    That's an interesting point; in fact, I've always advocated (and
    practised) the use of kernels without loadable module support for
    Internet-exposed machines. Loadable kernel modules are simply too nice a
    playground for attackers and a deluxe and simple way of installing
    backdoors (at least on non-capability-enabled systems).

    I haven't looked into grsecurity closely enough to have an opinion, so
    far I've been using Solar Designer's (OpenWall) patches.

    Finally, I'm a satisfied user of the BastilleLinux scripts that among
    other things remove a lot of setuid madness and also remove execute
    permissions for non-privileged users from a lot of utilities - reliably,
    reproducibly and all in one fell swoop. After all, an Internet server is
    not a development platform or workstation...

    Since mjr's recommended approach to building secure servers (starting
    from nil and adding only what one really needs) doesn't scale too well
    for me, and my time/resource constraints dictate that I re-use what
    other people have packaged and will update/support, I usually start with
    off-the-shelf systems and customise and strip them down as well as I
    can.

    Cheers
    Steffen.
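
A way to check a host against the two hardening points in the message above (no loadable module support, few setuid files), as an added example that is not part of the original post or of Bastille. The function names are hypothetical, and the `kernel.modules_disabled` sysctl it reads is a feature of later kernels that the message does not mention.

```shell
#!/bin/sh
# Added example (constructed; not from the original message).

# module_support [proc_root] -> prints none | locked | loadable
#   none:     no <proc>/modules, i.e. kernel built without CONFIG_MODULES
#   locked:   module support present but kernel.modules_disabled is 1
#   loadable: modules can still be inserted at run time
module_support() {
    proc="${1:-/proc}"
    if [ ! -e "$proc/modules" ]; then
        echo none
    elif [ "$(cat "$proc/sys/kernel/modules_disabled" 2>/dev/null)" = "1" ]; then
        echo locked
    else
        echo loadable
    fi
}

# list_setid <dir> -> regular files with the setuid or setgid bit, sorted
list_setid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null | sort
}

# audit [root] [proc_root] -> human-readable report; returns 1 on findings
audit() {
    root="${1:-/}"; findings=0
    state=$(module_support "${2:-/proc}")
    echo "kernel module support: $state"
    [ "$state" = "loadable" ] && findings=1
    setid=$(list_setid "$root")
    if [ -n "$setid" ]; then
        echo "setuid/setgid files to review:"
        echo "$setid" | sed 's/^/  /'
        findings=1
    fi
    return "$findings"
}

# Run only when asked, e.g.:  sh audit.sh audit /
if [ "${1:-}" = "audit" ]; then
    audit "${2:-/}" "${3:-/proc}"
fi
```

The setuid list is a review queue rather than a verdict: each entry is either needed by the server's role or a candidate for having the bit removed.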
