Re: [vox] Who opened the floodgates?
Peter Jay Salzman writes:
> when it comes down to it, 3 things and 3 things only make a home system
> secure:
>
> 1. good passwords
> 2. not using plaintext authentication
> 3. being careful about CGIs.
>
> if you follow these three steps and leave on a service, even a service
> with a bad track record like nfs or pserver, I'd bet you'd still be OK
> to guard a home system.
Sorry, Pete, but I don't think this cuts it. Think how many times
people have been compromised over Sendmail or BIND regardless of how
much attention they pay to those three points. Therefore, I'd add a
few other points:
4. Never run anything as root, unless absolutely necessary.
5. If you must run as root, get out of root-hood as absolutely soon as
possible.
6. If as absolutely soon as possible isn't nearly immediate, or you
must run as root for some time, be in a minimal, chrooted environment.
There are many, many exploits which do not rely on bad passwords,
plaintext authentication, or crappy CGIs. Many exploits rely on
buffer-overrun opportunities springing from poorly written but
innocent-seeming code - on at least one occasion, the code turned out
to be glibc. That sort of case is very hard to guard against, so
better to be paranoid than to assume everything's okay.
In fact, most good root exploits I've heard of don't have anything to
do with password authentication.
Just my 2¢, of course...
Micah
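Points 4 to 6 in practice, as an added example that is not code from the thread: a C routine that gives up root the way the message advises, with the chroot done before the uid change (chroot needs root) and the drop verified afterwards. The uid/gid 65534 and the /var/empty jail directory used in main are assumed values, not from the message.

```c
/* Added example, not code from the thread: drop root as early as possible,
 * inside a chroot jail, as points 4-6 advise. Order matters: chroot() needs
 * root, so it comes first; setgroups()/setgid() come before setuid(),
 * because once the uid is unprivileged those calls are refused. */
#define _GNU_SOURCE
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

enum { DP_OK = 0, DP_NOT_ROOT = -1, DP_CHROOT = -2, DP_GROUPS = -3,
       DP_GID = -4, DP_UID = -5, DP_STILL_ROOT = -6 };

/* Returns 1 if the process is root or can still get uid 0 back, else 0. */
int still_privileged(void)
{
    if (geteuid() == 0)
        return 1;
    /* A saved set-uid of 0 would let setuid(0) succeed, so try it:
     * the drop is only real if this call is refused. */
    return setuid(0) == 0;
}

/* Give up root for good: jail (may be NULL), then groups, gid, uid. */
int drop_privileges(uid_t uid, gid_t gid, const char *jail)
{
    if (geteuid() != 0)
        return DP_NOT_ROOT;             /* nothing to drop */
    /* chroot() is root-only; chdir("/") keeps the cwd inside the jail. */
    if (jail && (chroot(jail) != 0 || chdir("/") != 0))
        return DP_CHROOT;
    /* Supplementary groups were inherited from root; clear them. */
    if (setgroups(0, NULL) != 0)
        return DP_GROUPS;
    if (setgid(gid) != 0)               /* gid first: setgid() needs root */
        return DP_GID;
    if (setuid(uid) != 0)               /* sets real, effective, saved uid */
        return DP_UID;
    if (still_privileged())             /* e.g. caller passed uid 0 */
        return DP_STILL_ROOT;
    return DP_OK;
}

int main(void)
{
    /* Assumed values: uid/gid 65534 ("nobody" on many systems) and an
     * existing, empty /var/empty as the jail. Run as root to see the drop. */
    int rc = drop_privileges(65534, 65534, "/var/empty");
    printf("drop_privileges=%d still_privileged=%d\n", rc, still_privileged());
    return rc == DP_OK ? 0 : 1;
}
```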
_______________________________________________
vox mailing list
vox@lists.lugod.org
http://lists.lugod.org/mailman/listinfo/vox