Re: Locking Down a Linux Box

From: Paul Lussier (pll@mclinux.com)
Date: 01/03/02


To: Seth Arnold <sarnold@wirex.com>
Date: Thu, 03 Jan 2002 09:59:03 -0500
From: Paul Lussier <pll@mclinux.com>


In a message dated: Wed, 02 Jan 2002 13:47:55 PST
Seth Arnold said:

>On Mon, Dec 24, 2001 at 01:00:08PM -0500, Jimi Thompson wrote:
>> Third, before placing the machine in the DMZ, we always uninstall all
>> the text editors (VI, EMACS, etc.). This way even if the box is
>> hacked, they have a LOT of work in front of them to actually DO
>> anything to it. (Can you imagine having to run "ed" on the httpd.conf
>> or html pages?) We also uninstall any compilers and browsers as well
>> (gcc, lynx, etc.). =20
>
>Heh, I'm sure practically every unix-ish admin can give you dozens of
>ways to edit files without vi or emacs... In other words, while this
>will provide a serious annoyance for you, hackers are liable to be able
>to edit files all the same.
>
>I'd suggest holding onto your text editors, so that you don't mind
>working on the machines you have to adminster.. :)

Yeah, removing text editors is just a pain to yourself. If I'm going
crack into a box and change files, I don't need an editor. Once I
can get to the box, I move remotely edited files to it in a number of
ways, or, just reload the text editors.

Besides, are you also going to remove things like sed, awk, tr, mv,
cat, pr, etc.? Are you going remove shell built-in commnds like
echo, and disable I/O redirection (<,>,|, <<, and >>) ?

Also, you may think editing html or config files with ed is a
daunting and overwhelming task, but remember, there are people who
remember when ed was light-years more advanced than what came before.
In other words, there are still people around today who know how to
use, and *can* use ed quite efficiently. If that's all you leave
them, they'll use it.

-- 

Seeya, Paul ----

God Bless America!

...we don't need to be perfect to be the best around, and we never stop trying to be better. Tom Clancy, The Bear and The Dragon