SecurityFocus Linux Focus Area 63
WebJunky writes: "SecurityFocus.com has opened a Linux security focus area. It has an opening letter from Bruce Perens and some interesting articles, especially one on installing IPsec under Linux. It also has some tutorials on installing Apache and BIND securely." Cool stuff, course most of us just stick to bugtraq anyway ;)
easy instal for Linux (Score:2)
Hmmm but who will instal the installer?
Bugs are only part 1 (Score:5)
NT has a decent security model. But Microsoft's goal with NT is functionality, not security. So with file permission defaults such as Everyone: FULL CONTROL and Exchange KM Server Admin passwords being "Password", it's not hard to see that M$ wants Admins to have an easy job. Everything works, but it ain't secure. Although one can configure NT to be secure, it will take many hours of work and tests.
On the other side of the spectrum, consider OpenBSD. Paranoid? Obviously. Everything's off, users have no access to anything, users can't su unless they're allowed. Here, security is well taken care of, but the admin's big job here is opening up the system so users can get some functionality.
Then put Linux in the middle. A relatively secure OS, with (as most distros) almost all daemons running without even asking for them. Shut off sendmail, wu-ftpd, httpd, etc, and boom, magnitudes more security.
Then consider the admin who uses the root account straight through telnet. One co-worker I knew does this on a regular basis, then brags that he's never been cracked!!! Patching bugs is the easy part...
Meaningless (to most) (Score:2)
This is only the default setup. Just because by default Windows is set up unsecure, it doesn't mean it is an unsecure OS. The same applies to OpenBSD: if the admin knows what they are doing, then they will be able to choose the level of security needed. If they really don't know what to do, then that's their own fault. All of your fixes could be done in about 2 minutes by someone who has a clue as to what is going on.
actually... I like it (Score:3)
I say, what's wrong with another useful tool
A good thing (Score:1)
As long as he keeps to the same line where security is concerned, this will be one of my favorite sites to check.
Maybe it's because I'm a security nut and my view is slanted toward anybody who preaches security.
I feel that as Linux usage grows, there will be more of a demand for "secondary" considerations. Instead of trying to convince people that Linux is the way to go, there will be a high demand for support for these new users. This comes in the form of specialized tech support and special interest forums. That's just where I see us going in the next year.
Of Course.... (Score:1)
But the reason it has its own section is because of all the Linux-related bugs that pop up on
bugtraq. Before I get flamed, just subscribe to Bugtraq and you will see I am not lying
Most Linux distributions, especially redhat, ship such a patch job of a distribution, it's quite
Pathetic
Why they choose not to follow the approach that has made the BSDs less bug prone is beyond me
I still think Eric Raymond was wrong about a bazaar versus cathedral dev model
The cathedral model does not make software bug prone, closed source dev does
well, until so, I will continue to laugh at the gnu su man page... and will continue to use FreeBSD
FreeBSD.... The Choice of those who know how to choose
Re:The secret of life (Score:1)
Up, Up, Down, Down, Left, Right, Left, Right, B, A, B, A, Start.
Hit select between the last A and Start if you want to use the Konami Code for a 2 player game.
Amateur.
love,
br4dh4x0r
Font Size Hurts! (Score:2)
SecurityFocus's Linux section has fonts that are so small as to be completely unreadable on my Mac. Worse yet, they defined these teeny (sub SIZE=1 in HTML) fonts using CSS. Fonts that are defined in CSS can't be changed via prefs in IE or NS, for no good reason.
Now, I'm not some old fuddy-duddy. I like size 1 Georgia and Geneva just as much as the next guy, if not more so. I just wish people would look at their site in a few different browsers. I bet it's got really great info, too. I just can't see it!
I'll go home and see how it looks in M14 on X; maybe it's a bit more legible. I certainly hope so.
-Waldo
Viruses (Score:3)
Linux has at least two major vulnerabilities to viruses. The first doesn't affect Linux directly, but is still embarrassing. If you run Linux as a file server for Win32 machines, and a (usually macro) virus gets a decent foothold in the network, you rely on the Win32 virus checkers to fix it. But they can't (easily) clean it from the file server. The Linux boxes can quite happily continue serving infected files to clean Win32 boxes. Whoops. I believe that we need a native Linux virus checker built as close to the file system as you dare.
The other problem is with binary-only kernel modules that allow connections from userland. Another post today about 'run anywhere' device drivers has exactly this architecture. Unless the supplier of the binary has done a *perfect* security job, there is a possibility that a virus-writer could exploit the binary module to do almost anything to the kernel.
The main protection that Linux has had so far from viruses is the culture of Unix. A Unix programmer good enough to write a virus would spend their time doing something useful. This will change. If even a tiny proportion of the trolls/mp3 warez lusers on this board learn some programming, we could all be in for a difficult time.
Share and Enjoy.
Re:Of Course.... (Score:1)
Suuure... go back to your cave boy
security focus banner ads (Score:1)
I understand and appreciate the fact that banner ads allow a web site to stay in business, but having banner ads that can't be scrolled out of sight is extremely tasteless.
Re:Font Size Hurts! (Score:1)
Re:easy *install* for Linux (Score:1)
I'd much rather wait 10 seconds for a web page with inline screenshots. Same content, much faster, no looking at ESR. Better, no?
Macromedia Linux Support (Score:2)
I use the Linux version of the flash player all the time because my job requires me to view Flash animations.
I don't know if they plan on making a Linux version of the Flash creator, or any other apps, but we may see something like that in the future.
Re:The secret of life (Score:1)
Security: It's the admin, stupid! (Score:2)
Mandrake 7.0 (Score:3)
Re:Meaningless (to most) (Score:1)
Re:Meaningless (to most) (Score:2)
First off, I'll assume you mean NT/2000 by Windows (vs 3.x/95/98/Millennium/CE/whatever), as otherwise you're just totally insane. But it seems to me that it's a lot harder to lock down an NT box than a similar Linux box (I haven't used *BSD/Solaris/Other enough to comment on them). Yes, NT can be made secure (easy, drop all packets coming from all hosts (or only allow from certain hosts)) - and in fact I know people with machines set up like that. But setting up a sane security policy seems damned hard in NT. Admittedly I don't use it that often and haven't had much experience with it, but I found *nix permissions, tcpd, etc much more 'logical' than NT's setup, even back when I was just starting *nix administration. Part of the problem may be lack of good documentation - I think you can get docs for MS online but c'mon, where are the HOWTOs (or NT equivalent thereof)?
OTOH, a Linux distro like say Redhat is fairly easy to secure. Install any updates. Remove r* and telnet, install SSH. Set up Tripwire and a log analyzer and run them from cron. At this point you're probably OK.
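One way to verify the "remove r* and telnet" step above on an inetd-based system, added here as an example and not part of the original comment. The sample `inetd.conf` and the function names are constructed for illustration; inetd lists the r* daemons under the service names `shell`, `login` and `exec`.

```shell
#!/bin/sh
# Added example: flag telnet and r* services still enabled in inetd.conf.

# Constructed sample in the classic layout:
# service  socktype  proto  wait  user  server  args...
sample_inetd_conf() {
    cat <<'EOF'
# constructed sample, not taken from a real host
ftp     stream  tcp  nowait  root  /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp  nowait  root  /usr/sbin/tcpd  in.telnetd
#shell  stream  tcp  nowait  root  /usr/sbin/tcpd  in.rshd
login   stream  tcp  nowait  root  /usr/sbin/tcpd  in.rlogind
#exec   stream  tcp  nowait  root  /usr/sbin/tcpd  in.rexecd
EOF
}

# audit_inetd FILE ("-" reads stdin)
# Prints "service<TAB>daemon" for every enabled cleartext login service.
# Exit status: 0 = none enabled, 1 = at least one still enabled.
audit_inetd() {
    awk '
        /^[ \t]*#/ || NF < 6 { next }            # commented-out or malformed line
        $1 ~ /^(telnet|shell|login|exec)$/ {
            # behind tcpd the real daemon is the first argument (field 7)
            print $1 "\t" (NF >= 7 ? $7 : $6)
            found = 1
        }
        END { exit (found ? 1 : 0) }
    ' "$1"
}

# Stand-alone demo on the constructed sample.
sample_inetd_conf | audit_inetd - || echo "cleartext login services still enabled"
```

On the sample this reports `telnet` and `login`; the commented-out `shell` and `exec` entries are correctly treated as disabled.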
Re:Meaningless (to most) (Score:1)
Pardon my ignorance, but can you do that in NT, even portwise - or do you have to use a firewall?
Re:Viruses (Score:1)
I'd agree with you that it's embarrassing, but it should be embarrassing to a large company that shall remain nameless that decided putting a full programming language into their document format was a good idea, not to any Linux user or vendor. But your idea seems reasonable - maybe some sort of plugin for Samba (I'm not sure if the architecture exists for something like that in Samba tho). I certainly wouldn't build it into the filesystem or the kernel, that's just nuts. Especially as something like that is bound to be a proprietary product.
The other problem is with binary-only kernel modules that allow connections from userland.
Good thing binary-only drivers are generally not used.
If even a tiny proportion of the trolls/mp3 warez lusers on this board learn some programming, we could all be in for a difficult time.
I'm really not that concerned. I won't bother with the usual arguments about users and permissions, the fact that a virus must exploit a root-shell getting vulnerability in order to do its thing right, etc, as I'm sure you've heard them before. And there is a fairly fast upgrade cycle among most OSS-using people (i.e., upgrade to the newest RH every 6 months, whatever). So there is a fairly limited window in order to get infected and spread it to others. Also most software comes from a few places (Distro FTP sites, rufus, metalab, tsx-11, etc), rather than (like the doze world) warez getting passed around on CD-Rs and suchlike.
It's good that we have options (Score:1)
As someone without the most experience, I like knowing that I have a range of choices when it comes to security. If I want to be paranoid, I can use OpenBSD, and learn to set up the extra stuff I want. If I want to have more fun, I can use linux and learn to turn off the junk I don't wank. And if I just want to screw around and put up with the occasional crash, I can use Windows, and avoid doing anything patently stupid.
Hopefully though, security will start to become the default in more places than OpenBSD. It will be interesting to see what happens with respect to computer security over the next few years; as more people get connected to broadband and the net in general, will a similar increase in compromised systems force people to worry about it more? Or will the level of computerized mischief remain low enough that only the semi-paranoid put security as their first design priority?
Re:The secret of life (Score:1)
Re:Security: It's the admin, stupid! (Score:1)
This one's easy.
There ain't simply no hardware which could stand such a loaded NT, that's the reason why it doesn't happen.
SCNR,
Re:security focus banner ads (Score:1)
[X] Disable animated GIFs
[X] Disable auto-refresh
Re:Meaningless (to most) (Score:2)
Re:Security: It's the admin, stupid! (Score:1)
Re:Of Course.... (Score:1)
?
HEH
securityfocus site - more content, less html fluff (Score:4)
Their site has so much unnecessary formatting and takes so long to load. Obviously they're not interested in attracting unix sysadmins, or mobile users using a mobile browser.
I recommend http://packetstorm.securify.com - they still have a medium amt. of html fluff, but at least it works in lynx.
Securityfocus Banner Ads - HowTo (Score:3)
2) Find the shit you actually want to look at and right click, Open frame in a new window.
3) Close original Netscape thus killing the three ring circus that is securityfocus.com, denying them the ability to spam your brain to death with their useless drivel. Assuming that closing Netscape didn't cause Netscape to bus error and close all Netscape windows, you can read what you want in peace. This works well with the bugtraq archive.
Whoever designed that site is a raging alcoholic, I think.
How to tell if you're running a vulnerable BIND (Score:3)
Check your named directory and see if there is a subdirectory named "ADMROCKS". If it's there then you are running a vulnerable BIND and have been owned. If it's not there then you are probably safe.
Really. It's that bad.
(If you don't know, "ADMROCKS" is the footprint left by a popular BIND exploit.)
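The check described in the comment above, as an added example that is not part of the original post: it reads the `directory` setting from a BIND configuration file and searches that directory for the `ADMROCKS` footprint. The function names, exit codes and the example config path are assumptions of this example; a miss only means this one footprint is absent.

```shell
#!/bin/sh
# Added example: look for the "ADMROCKS" directory under named's working dir.

# named_workdir CONF
# Prints the directory declared in a BIND config. Handles both
#   named.conf:  directory "/var/named";
#   named.boot:  directory /var/named
# Limitation: paths containing whitespace are not supported.
named_workdir() {
    conf=$1
    [ -r "$conf" ] || return 1
    sed -n 's/^[[:space:]]*directory[[:space:]][[:space:]]*"\{0,1\}\([^";[:space:]]*\).*$/\1/p' "$conf" |
        head -n 1
}

# check_admrocks CONF
# Exit status: 0 = footprint found (paths printed),
#              1 = footprint not found,
#              2 = working directory could not be determined.
check_admrocks() {
    dir=$(named_workdir "$1") || return 2
    [ -n "$dir" ] && [ -d "$dir" ] || return 2
    # -type d because the footprint is described as a subdirectory;
    # search at any depth in case zone files live in nested directories.
    hits=$(find "$dir" -type d -name ADMROCKS 2>/dev/null)
    if [ -n "$hits" ]; then
        printf 'ADMROCKS footprint found:\n%s\n' "$hits"
        return 0
    fi
    return 1
}

# Stand-alone use, e.g.:  sh check_admrocks.sh /etc/named.conf
# (the config path is an assumption; pass whatever your named actually reads)
if [ $# -gt 0 ]; then
    check_admrocks "$1"
    exit $?
fi
```

A hit is grounds for treating the host as compromised and starting incident response rather than just upgrading BIND.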
Re:Bugs are only part 1 (Score:3)
Win2000 supposedly fixes this by being tight enough to refuse to run poorly written Win95 programs when running as a member of the "Users" group. Unfortunately, certain popular programs (errh, Office 97) won't run for "Users".
Even today, software is being developed that is not compatible with NT's multi-user security model (ERRRHHMM, Mozilla -- go vote for bug 6464 [mozilla.org]), even when a Unix port is designed correctly.
So, it looks like NT Admins will need to go on granting local "Power User" or "Administrator" authority to their users, negating any security advantages of NT's design.
--
Re:The secret of life (Score:1)
Re:Meaningless (to most) (Score:1)
Well, I'm not exactly the kind of person you want to ask for NT security, but I'm pretty sure it's possible. Though maybe not in Workstation (never really looked)? Most of the serious NT users I know run Server - maybe it comes with some firewalling capability? I should hope so, anyway...
And of course you can always unplug the network. Hey - then you have a C2 system.
Re:Font Size Hurts! (Score:1)
Re:The secret of life (Score:1)
Re:Meaningless (to most) (Score:3)
NT2000 could fix a lot of this though. I haven't used it.
Re:Viruses (Score:2)
Wow! That's pretty offensive - lumping everyone who does or advocates anything illegal or stupid into one big fat label. I am not a troll, although I have been called one (stupid moderators have no sense of humor
For the record, RMS has stated that he shares his music - are you going to accuse him of being a virus author?
Fucknut.
Re:easy *install* for Linux (Score:2)
There is text, and when you click the 'start' button, the cursor on the screenshot does something, and you see what happens - i.e. if it is a documentation page on writing 'helloworld.c', it would show the user opening the IDE, starting a project / loading a file / whatever, typing in the code, going to the 'compile' IDE option, and executing the executable (for argument's sake, of course).
It's a pretty good idea for certain applications. For 99% of traditional UNIX stuff, it's dumb (err, how is that useful if I want to configure Apache?). But for stuff like GUI design tools (the GIMP, video editors, etc), it could be pretty neat (for newbies at least).
Macromedia bundles the movies with the product (as a direct part of the documentation), so you don't have to download them.
Re:A good thing (Score:2)
Thanks
Bruce
Re:actually... I like it (Score:2)
Re:Font Size Hurts! (Score:1)
Re:Viruses (Score:1)
Re:Of Course.... (Score:2)
Christ, if we spent as much time worrying about security as we did about OS holy wars, we'd be soooooo much better off.
matt
Re:actually... I like it (Score:1)
Re:Font Size Hurts! (Score:1)
Re:Viruses (Score:3)
Maybe I'm misunderstanding you, but when I use Linux as a file server (Samba), and there is a virus which has infected files being served from the fileserver, I launch a scanner on the Windoze client's mounted network drive and it detects, cleans, disinfects just as if the drive were a Windoze drive. Windoze thinks the Linux share is a Windows network drive, scanner (Norton, NA, etc.) is perfectly willing to scan it, and viruses are detected and removed.
Of course the client doing the scanning has to have sufficient privilege to do the scanning and disinfecting, but I consider this a feature above and beyond what is allowed by NT. On my shares I generally use Linux file permissions to lock down binaries, so the luser who can munge his own files to his heart's content can read and run shared .exe's, but not write to them, even on the same share.
Re:Font Size Hurts! (Score:1)
Wonderful. My moment of mirth has marked me like a Paris fire hydrant, marked me for the warm, wet ire of Apple fans.
Away with you, away...
Re:actually... I like it (Score:1)
securityfocus == bugtraq (Score:2)
Hmm. Did you know that bugtraq has been part of securityfocus.com for a while now? Or were you just trying to be buzzword compliant?
Re:Viruses (and why they will come in time) (Score:2)
Well there are two debates in that last statement, and I'll get to them both.
First. Linux has to accept Closed Source for this to happen. There is going to be no way that applications are going to make it to the penguin without this.. and when they do.. there are going to be the people who are going to not want to pay for them.
Boom.. viruses will come that way
Second, the Linux community is a fairly clean one, with people out there to help and promote the OS. Windows is just a bunch of people using the easiest software. What if Linux overthrows Windows? It's gonna trade places. Malicious code is going to go from the hands of the bored to the machines of the unwitting. Right now the community is actively involved with the good of the community, and there are very few people "forced" into using the software.
It will come with the degradation of the user base, if Linux gets to that point. Linux can't sell without marketing to the masses.. the same masses that will bring troubles to this group.
It almost seems like linux does better with MS around... food for thought
--jay
SecurityFocus: Security Audit for Linux (Score:1)
I think Linux is due for an official, top to bottom security audit.
Do you think so?
Re:Viruses (Score:1)
I've heard that such products exist for Linux, but I can't name one off the top of my head.
--
Re:easy instal for Linux (not feasible) (Score:1)
Linux is too diverse for even an interactive tutorial to truly give it justice. And it would be difficult with all the distros in mind.
Besides, how marketable is that? Linux right now is only used by those in the know. And they all like "man" better anyway....
--jay
PAM is your friend! (was Re:Of Course....) (Score:2)
Just patch su with to support PAM, add the appropriate line to the
and presto! Wheel support!
Some distros (RedHat, Debian) have PAM support compiled in but you still have to edit your PAM config files.
Re:Meaningless (to most) (Score:1)
It is a bit hidden down in the network settings dialogs, however.
I guess it works like this:
(I don't have an English NT, so bear with my translation, please.)
- network properties
- TCP/IP properties
- options on "IP address" pane
- check "activate security"
- list the allowed ports.
I guess you can do it only interface-based,
not source-address-based, though.
HTH
Re:Font Size Hurts! (Score:1)
Re:Security: It's the admin, stupid! (Score:1)
Re:Macromedia Linux Support (Score:1)
--
Cheers
Re:Meaningless (to most) (Score:1)
Re:Security: It's the admin, stupid! (Score:1)
Cheers.
-binner
How to make SecurityFocus the least bit usable? (Score:1)
Of all people, SecurityFocus should understand that there is no way I'm turning off my Proxomitron to look at their site.
I can't even read it with Lynx! After about a minute of waiting for a reply, I get an "unexpected network read error", and Lynx exits! Who ever heard of a web site crashing Lynx, for Bob's sake?!? Double and triple argh!!!
Seriously: Any and all suggestions appreciated. I want to be able to read SecurityFocus, is that so wrong?
(Does anybody else think that SecurityFocus might just be a huge honeypot infected with all sorts of browser vulnerability exploits? Naah, me neither.)
Re:Viruses (Score:1)
Actually, considering the effects of the GNU GPL and some people's feelings that it's 'viral' in nature, accusing him of being a virus author isn't exactly far fetched.