Re: [fw-wiz] Port 37628....Is it just another port or out of the extra ordinary???

From: InHisGrip (servie_platon_at_yahoo.com)
Date: 07/26/04

    To: vbwilliams@neb.rr.com, Mark Tinberg <mtinberg@securepipe.com>
    Date: Mon, 26 Jul 2004 14:12:13 -0700 (PDT)
    
    

    Hi everyone,

    With all due respect, and I mean not to offend anyone
    on this thread, I would like to air some of my views
    on this matter.

    To trace back, and for everyone's information: I
    posted to this thread a few days back, as I was
    planning on setting up an apache and postfix server in
    my own home network. I have already installed a
    pre-configured and have selected all the packages that
    I need; this includes the apache rpm, postfix, ssh and
    kernel development functionality. So I just chose the
    packages that I needed.

    Now, I have my apache running and serving http pages
    in and out of my small home network. However, I got
    alarmed when I found out, using the lsof -i and netstat
    -nplee -A inet commands, that there were some services
    and ports in listen mode. So I took the initiative to
    ask some questions of this group because I wanted to
    secure this apache box of mine and my home network.
    Some suggested removing rpc, nfslock, portmap or what
    have you, to secure my box.

    Though we all know that practically there is no
    single system here that is impenetrable (well, there
    could be one now, but maybe not anymore in the near
    future), looking into the ways and means of
    thwarting or limiting the chances is well worth the
    effort.

    Some in this group may have answered my
    questions on a harsh note. However, I was still
    fortunate enough to get some tips and valuable
    insights from helpful people like Victor, Luca, Kerry,
    Bruce, Chuck, Paul and even yourself.

    I understand what you mean about your post, though I
    may have a running system, and a web server at that. I
    could just do up2date and download bugfixes and
    security updates from the Red Hat site if I feel lazy.
    But I felt that I wanted to go beyond that or push
    myself to the limit or to the edge. I hope by doing so,
    I don't fall off the cliff??? lol....

    I do believe that Red Hat and other companies who make
    and develop Linux distros are 24/7 doing their best to
    make their respective distros secure and safe, no
    doubt about it. And I agree with your point on that
    issue.

    But in fairness to Victor, I think his point is mainly
    to customize one's machine so that only the necessary
    services are put to their optimum performance, and
    probably with fewer maintenance and security headaches.

    My analogy here is that if I install Fedora Core 2
    from the CD from scratch with the default
    installation in mind, I will just be getting a sedan
    car for myself.... But if I want to customize this
    sedan car and make it into rally racing condition, I
    need to add features and make some changes such as
    rear spoilers, mag wheels, side skirts, a nitrogen gas
    booster or whatever modification I have in mind. Now,
    if I compile my kernel or do some additional changes
    to this box, I make it into my preferred machine.

    I may not be a Linux expert myself since I am new to
    Linux. And whatever theories were taught by my
    instructor at school were all but mere theoretical
    illustrations. It's still the practical application of
    the lessons or theories in real situations that
    matters most. And for me, I still have a long way to
    go. I am happy that there are still some fine people
    out there who are willing to give a helping hand, and I
    appreciate the help.

    I feel humbled by this group because every time I post,
    I am unsure if someone will read it and bother
    answering it anyway. Though I have tried very hard to
    read the books that I have as well as the howtos, as I
    have said, whatever is written in the books/manuals
    may be slightly different in real scenarios. So I
    resort to all the Linux user groups that I am a
    member of.

    Again, may I take this opportunity to thank
    everyone in this group who has tried in one way or
    another to give some assistance.

    Thank you, and more power to this group. I hope you guys
    never get tired of helping out newbies like me. And
    hopefully, maybe in the future, I may also reply to
    questions and be able to help those in need.

    Thanks a lot guys!!!

    InHisGrip,
    Servie

    --- vbwilliams@neb.rr.com wrote:
    > I don't get your point...if there is one.
    >
    > The kernels that come with any distro are compiled
    > for the masses. I don't compile mine for the
    > masses. I statically compile what I KNOW I need,
    > and everything else is left out. You can't modprobe
    > anything into the kernels I compile...I always
    > remove the ability to do so. If it isn't started at
    > boot time, I'm confident it's not going to get
    > started. I think any internet-facing machine that's
    > actively serving something on the internet for a
    > customer should adhere to that rule. That's my
    > opinion...my opinion isn't going to change because
    > anyone else disagrees with it. It's what I've found
    > to work more than any other method of
    > deployment/implementation over the last decade of
    > working with any distribution of Linux. Likewise,
    > it's also my opinion that any internet facing
    > machine NOT have any *tools* on it that allow the
    > modification and compilation/execution of code on
    > that machine. That means on an internet facing
    > machine I admin, there's no gcc tools on it...it's
    > the bare essentials to run, plus whatever service I
    > need, be it Apache or anything else. Does that mean
    > I have completely discounted the work that people at
    > Red Hat or the kernel developers have done? No. It
    > just means I don't think their bloat should be on an
    > internet facing machine. My regular workstation and
    > laptop run the full bloat stock Red Hat installation.
    > But there's no way in hell I'd put the same thing
    > on a production machine serving 1 or 2 things, whose
    > hardware will more than likely not change in the
    > next 3-4 years.
    >
    > That is the difference between taking something that
    > someone hands you, or doing it yourself and giving
    > yourself peace of mind because you've decreased the
    > possibility of something getting introduced into
    > your system that could compromise it.
    >
    > Why it would peeve you, I have no idea. I don't
    > just blindly trust what the kernel developers give
    > me either. I testbed EVERY version of the Linux
    > kernel that I'm thinking about deploying, before I
    > ever deploy it...and I look at every change I have
    > time to look at...I look at the changes in release
    > candidates every day...even if it's just eyeballing
    > them. So, no, I don't just blindly trust Red Hat,
    > Suse, or the kernel developers either.
    >
    > And by the way, the last two Red Hat updates for
    > kernels have addressed vulnerabilities in THEIR
    > implementations. Know why any machine I admin
    > wasn't affected even though they were all Red Hat
    > based? Because the kernels I was using were not
    > provided by Red Hat. I ran the
    > vulnerabilities/exploits against them...had no
    > effect. Reason is simple...I wasn't running a
    > version of the kernel that was affected...I was
    > running my own.
    >
    > I do the same thing with OpenSSL, OpenSSH, and
    > Apache...and any other service I NEED.
    >
    >
    > ----- Original Message -----
    > From: Mark Tinberg <mtinberg@securepipe.com>
    > Date: Monday, July 26, 2004 2:15 pm
    > Subject: Re: [fw-wiz] Port 37628....Is it just
    > another port or out of the extra ordinary???
    >
    > >
    > > On Fri, 23 Jul 2004, Victor Williams wrote:
    > >
    > > > 5. A custom kernel is always a better idea vs
    > > > blindly trusting what others have compiled or let
    > > > leak into theirs. I compile custom kernels for any
    > > > Linux machine (serving internet content/services
    > > > or not), regardless of the function.
    > >
    > > This attitude is a pet peeve of mine. Why do people
    > > assume that because they _can_ build a kernel for
    > > themselves that they must naturally be better at it
    > > than the people at RedHat, SuSE/Novell or Debian who
    > > live, sleep, eat and breathe the kernel all day
    > > long. I think that it is as much about blindly
    > > throwing away all of the work that people who
    > > maintain production quality kernels do as it is
    > > about trusting their work. Another way to put this
    > > is, in what is your trust in the vanilla kernel
    > > sources, or your builds, based? Hopefully not
    > > blind trust 8^)
    > >
    > > - --
    > > Mark Tinberg <MTinberg@securepipe.com>
    > > Staff Engineer, SecurePipe Inc.
    > > Key fingerprint = FAEF 15E4 FEB3 08E8 66D5 A1A1 16EE C5E4 E523 6C67

                    
    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
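The listening-port audit Servie describes above (run lsof -i and netstat -nplee -A inet, then decide which services such as rpc, nfslock or portmap to drop) as an added shell script; it is not part of the thread and nobody in it posted code. The netstat output it parses is constructed in the net-tools column format with made-up program names, PIDs and ports, and the ALLOWED list is an assumed policy for a box meant to expose only sshd, httpd and the postfix listener.

```shell
#!/bin/sh
# Constructed sample in the shape of `netstat -nplee -A inet` output from
# Linux net-tools. Every program name, PID and port below is made up.
SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       User       Inode      PID/Program name
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      0          1234       612/portmap
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      0          1250       702/sshd
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      0          1300       815/httpd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      0          1320       840/master
tcp        0      0 0.0.0.0:32771           0.0.0.0:*               LISTEN      0          1340       655/rpc.statd
tcp        0      0 192.168.1.5:32900       203.0.113.9:80          ESTABLISHED 500        1401       -
udp        0      0 0.0.0.0:111             0.0.0.0:*                           0          1235       612/portmap'

# Assumed policy for this box: the only proto:port pairs meant to be exposed
# (sshd, httpd and the postfix master listener).
ALLOWED="tcp:22 tcp:80 tcp:25"

# unexpected_listeners NETSTAT_OUTPUT ALLOWLIST
# Prints "proto port program" for every listening socket not on the allowlist.
# Established TCP connections are skipped; only LISTEN sockets matter here.
unexpected_listeners() {
  printf '%s\n' "$1" | awk -v allowed="$2" '
    BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    $1 ~ /^(tcp|udp)/ {
      proto = substr($1, 1, 3)                 # tcp6/udp6 collapse onto tcp/udp
      if (proto == "tcp" && $6 != "LISTEN") next
      port = $4; sub(/.*:/, "", port)          # text after the last colon of Local Address
      prog = $NF; sub(/^[0-9]+\//, "", prog)   # strip the "PID/" prefix of PID/Program name
      key = proto ":" port
      if (!(key in ok)) print proto, port, prog
    }'
}

# Report: every line printed is a service to explain, disable, or add to the policy.
unexpected_listeners "$SAMPLE_NETSTAT" "$ALLOWED"
# On a live box (as root, so program names are filled in) feed it the real command:
# unexpected_listeners "$(netstat -nplee -A inet)" "$ALLOWED"
```

With the sample above the report lists portmap on tcp and udp 111 and rpc.statd on its high port, which is exactly the rpc/nfslock/portmap set the thread suggested removing.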

