[rescue] Re: Solaris security

Ido Dubrawsky rescue at sunhelp.org
Sun Jul 29 22:10:07 CDT 2001


On Sun, Jul 29, 2001 at 12:01:21PM -0500, rescue-request at sunhelp.org wrote:
> David Passmore <dpassmor at sneakers.org> wrote:
> 
> > * If you run SSH, compile in TCP wrapper support and ACL it too. Contrary to
> > the delusions of many sysadmins, SSH is not invulnerable.
> 
> Unfortunately for me, one of the main reasons I run sshd is so that I can
> access my box from anywhere in the world.  Therefore TCP wrappers aren't
> really an option.  I realise it ain't invulnerable, but it is at least
> bullet-proof :-).
> 
  That is true...if you're trying to provide access from anywhere in the world,
TCP wrappers in SSH just don't work.  Since I want to access my system from
wherever I go, I use SSH but with only RSA authentication.  Access can
only be achieved by connecting to my network at home through my laptop.
Eliminates the brute-force password guessing problem quite nicely.  The only
other thing that I do at home is have ingress and egress filters on my router
as well as run snort to monitor traffic to ports 22, 25, and 443.
>
> > * If possible, run your network services (web, etc) in a chroot'ed
> > environment, so if they are compromised, they cannot leverage it to get root
> > access on the box. If you have machines which must trust each other in some
> > way (say, to do an automated nightly scp of files) make /damn sure/ this
> > happens in a chroot'ed environment.
> 
> chroot isn't invulnerable either of course - although every little bit
> helps.
>
There are some nice papers on breaking out of a chroot'ed jail...I'll have to
dig up the URLs and post them.
> 
> > Don't rely on a firewall or filtering software. Well-meaning, authorized
> > users tend to punch nasty holes in them when they find them inconvenient.
> 
To deal with such users, you really need to use tight egress filtering...only
allow out what you want to let out.
>
> Even without such users, still don't rely on a firewall or packet filtering.
> Don't rely on any single technological measure.
> 
Very true.  If you're going to put a box out on the internet you should use
a firewall along with both a network intrusion detection system /AS WELL AS/ a
host-based intrusion detection system.  I wrote some documentation when I
worked at a previous employer describing a Solaris box I built (SPARC 10)
running a minimized Solaris 7 with Apache/mod_ssl as well as the UCD SNMP
software.  It was designed to run MRTG to monitor traffic in and out of the
data center they had in Virginia.  If I can find the specs/docs I'll e-mail
them to Bill for posting if anyone's interested.

Ido
-- 
===============================================================================
                        |Ido Dubrawsky               E-mail: idubraws at cisco.com
     |          |       |Network Security Engineer
    :|:        :|:      |Cisco Secure Consulting Services
   :|||:      :|||:     |Cisco Systems, Inc.
.:|||||||:..:|||||||:.  |Austin, TX. 78759
===============================================================================
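The key-only sshd posture Ido describes above (password logins off so remote password guessing has nothing to work with), checked mechanically. This is an added example, not code from the thread; it assumes OpenSSH keyword names and an OpenSSH-style sshd_config, and the two sample configs are constructed.

```shell
# Added example, not from the mailing-list post: audit an OpenSSH-style
# sshd_config for the key-only posture described above (password logins off,
# so remote password guessing has nothing to guess at). Assumes OpenSSH keyword
# names, "Keyword value" syntax, and OpenSSH's rule that the FIRST occurrence
# in the global section wins (anything after a Match line is conditional).

# sshd_effective FILE KEYWORD DEFAULT -> prints the effective global value
sshd_effective() {
    key=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    val=$(awk -v key="$key" '
        /^[[:space:]]*#/ || NF < 2 { next }   # comments and blank lines
        tolower($1) == "match"     { exit }   # end of the global section
        tolower($1) == key         { print tolower($2); exit }
    ' "$1")
    if [ -n "$val" ]; then printf '%s\n' "$val"; else printf '%s\n' "$3"; fi
}

# sshd_key_only FILE -> prints "ok" when only public-key auth remains,
# else "weak"; exit status 0 / 1. (KbdInteractiveAuthentication, the newer
# name for ChallengeResponseAuthentication, is not checked here.)
sshd_key_only() {
    pw=$(sshd_effective "$1" PasswordAuthentication yes)
    kbd=$(sshd_effective "$1" ChallengeResponseAuthentication yes)
    pub=$(sshd_effective "$1" PubkeyAuthentication yes)
    if [ "$pw" = no ] && [ "$kbd" = no ] && [ "$pub" = yes ]; then
        echo ok; return 0
    fi
    echo weak; return 1
}

# Constructed sample configs (not from any real host).
WEAK_CFG=$(mktemp); HARD_CFG=$(mktemp)
cat > "$WEAK_CFG" <<'EOF'
# stock-looking config: the hardening line is still commented out
#PasswordAuthentication no
PubkeyAuthentication yes
EOF
cat > "$HARD_CFG" <<'EOF'
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
# a later duplicate does NOT override the first occurrence
PasswordAuthentication yes
Match Address 10.0.0.0/8
    PasswordAuthentication yes
EOF
for f in "$WEAK_CFG" "$HARD_CFG"; do
    printf '%s: %s\n' "$f" "$(sshd_key_only "$f")"
done
```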



