Secure By Default - PLEASE! - openSUSE Security

Secure By Default - PLEASE!

Nix

22 Aug 2000 22 Aug '00

01:06

How bout it SuSE? I have bought every version of SuSE since 5.0, I have Installed >30 SuSE servers for various clients and given away 200 copies of the SuSE 6.4 demo CD at a Govt Expo (in Australia) (Thanks to Michaela Geuthner [mailto:mg@suse.de] for the promo material he shiped me at short notice from Germany) I love SuSE, and thinks it's the best Distro available, yet, a disabled by default policy would IMHO be the best thing SuSE could ever do. As far as I'm concerned the only thing that should be enabled by default is sshd and _thats's_ even debatable. Face it, it's not going to make it any harder for your average desktop flunkie who want's to setup a kde box and browse the web. If they want to run a personal web server or ftp server then that _should_ know how to enable it from inetd.conf etc, or they should NOT be running the thing. I think the harden SuSE script, and SuSE firewall is brilliant, but half of the things harden_suse does should be _default_ not options available in an optional package in the sec series.... PLEASE PLEASE make a few simple changes to the defaults to help make SuSE the most secure Mainstream linux distro out there in. Peter Nixon Senior Security Consultant IT Audit & Consulting (ITAC) Pty Ltd http://www.itaudit.com.au mailto:petern@itaudit.com.au --snip--

...

To: BUGTRAQ@SECURITYFOCUS.COM

Aleph One wrote:

...
CERT Advisory CA-2000-17 Input Validation Problem in rpc.statd

Original release date: August 18, 2000 Source: CERT/CC

A complete revision history is at the end of this file. .. RedHat

http://www.redhat.com/support/errata/RHSA-2000-043-03.html

It should be noted that Red Hat states: "Although there is no known exploit for the flaw in rpc.statd, Red Hat urges all users running rpc.statd to upgrade to the new nfs-utils package."

This is wrong.

Because of a message posted by "ron1n - " on the 5th of August to Bugtraq.

I quote: "Included below is an exploit for the recently exposed linux rpc.statd format string vulnerability[0]. I have tailored it towards current Redhat Linux 6.x installations. It can easily be incorporated into attacks against the other vulnerable Linux distributions."

I hope Red Hat updates this information. Although I really hope they'll just disable rpc.* services, most things in inetd, and other daemons *BY DEFAULT*. If a user can't figure out how to turn on a service, they probably shouldn't be running the service in the first place. This alone would stop most of the "remote root in default" problems that Red Hat (and other Linuxes) seem to face. OpenBSD gets this correct, how hard can it be for the various Linux distrubtions to insert some #s in inetd.conf, or have things chmod -x by default?

-- www.kuro5hin.org -- technology and culture, from the trenches.

Show replies by date

Kurt Seifried

22 Aug 22 Aug

04:02

New subject: [suse-security] Secure By Default - PLEASE!

...

How bout it SuSE? I have bought every version of SuSE since 5.0, I have Installed >30 SuSE servers for various clients and given away 200 copies of the SuSE 6.4 demo CD at a Govt Expo (in Australia) (Thanks to Michaela Geuthner [mailto:mg@suse.de] for the promo material he shiped me at short notice from Germany) I love SuSE, and thinks it's the best Distro available, yet, a disabled by default policy would IMHO be the best thing SuSE could ever do. As far as I'm concerned the only thing that should be enabled by default is sshd and _thats's_ even debatable. Face it, it's not going to make it any harder for your average desktop flunkie who want's to setup a kde box and browse the web. If they want to run a personal web server or ftp server then that _should_ know how to enable it from inetd.conf etc, or they should NOT be running the thing.

Prolly won't happen, as most users are more concerned about usability then security (simple fact of life).

...

I think the harden SuSE script, and SuSE firewall is brilliant, but half of the things harden_suse does should be _default_ not options available in an optional package in the sec series....

Shouldawouldcoulda but don't.

...

PLEASE PLEASE make a few simple changes to the defaults to help make SuSE the most secure Mainstream linux distro out there in.

I think a solid middle ground would be to ship something like bastille-linux (getting quite advanced especially with support from Mandrake), and really strongly urge users to run it. If you want secure by default use OpenBSD, personally I find a lot of issues with OpenBSD (no POP/IMAP server, they have had several remote root holes in dhcpd client and ftp, but they claim these are not "default"...).

...

Peter Nixon

Kurt Seifried SecurityPortal, your focal point for security on the net http://www.securityportal.com/

Nix

04:12

New subject: [suse-security] Secure By Default - PLEASE!

--snip--

...

...
I love SuSE, and thinks it's the best Distro available, yet, a disabled by default policy would IMHO be the best thing SuSE could ever do. As far as I'm concerned the only thing that should be enabled by default is sshd and _thats's_ even debatable. Face it, it's not going to make it any harder for your average desktop flunkie who want's to setup a kde box and browse the web. If they want to run a personal web server or ftp server then that _should_ know how to enable it from inetd.conf etc, or they should NOT be running the thing.

Prolly won't happen, as most users are more concerned about usability then security (simple fact of life).

...
I think the harden SuSE script, and SuSE firewall is brilliant, but half of the things harden_suse does should be _default_ not options available in an optional package in the sec series....

Shouldawouldcoulda but don't.

...
PLEASE PLEASE make a few simple changes to the defaults to help make SuSE the most secure Mainstream linux distro out there in.

I think a solid middle ground would be to ship something like bastille-linux (getting quite advanced especially with support from Mandrake), and really strongly urge users to run it. If you want secure by default use OpenBSD, personally I find a lot of issues with OpenBSD (no POP/IMAP server, they have had several remote root holes in dhcpd client and ftp, but they claim these are not "default"...). Kurt Seifried

Bah.. OpenBSD get's up my nose... almost as much as OpenBSD users do. Elitist bunch of F&*K&^R&. I have installed OBSD a few times and user it when I have to.... I think SuSE does it the _correct_ way, they have the suff there with all the config files, you just need to un comment out the bit you want. I just want a few more services disabled by default is all. I'd even settle for having things like apache running, just, please comment out more things in inetd.conf!!!!! Cheers Peter Nixon Senior Security Consultant IT Audit & Consulting (ITAC) Pty Ltd http://www.itaudit.com.au mailto:petern@itaudit.com.au

Thomas Biege

06:30

New subject: [suse-security] Secure By Default - PLEASE!

Hi,

...

...
PLEASE PLEASE make a few simple changes to the defaults to help make SuSE the most secure Mainstream linux distro out there in.

I think a solid middle ground would be to ship something like bastille-linux (getting quite advanced especially with support from Mandrake), and really

If people use the tools we deliver with SuSE + their brains (note: we don't ship brains with SuSE), then they could get a very secure system within a short time of work.

...

strongly urge users to run it. If you want secure by default use OpenBSD, personally I find a lot of issues with OpenBSD (no POP/IMAP server, they have had several remote root holes in dhcpd client and ftp, but they claim these are not "default"...).

Hrhr... 'secure by default' nice buzzwords. AFAIK /usr/bin isn't audited and neither all the ports are. It's 99% secure as long as you just use the default install but then it's not a very productive system; third party software is as buggy as the stuff on FreeBSD or Linux or whatever. I like, use and support OpenBSD, but it's not a modern unix. And will never be, because the man power is missing. SuSE 7.0 hast a YaST2 module, that allows the not-so-experienced User to modify /etc/inetd.conf in a easy way, to shut inetd off (even YaST1 ask for this) or to use a default /etc/inetd.conf. In future more security modules will be added to YaST2. The experienced-power-ueber User uses vi or sed to edit the config-files and make their box secure. Bye, Thomas -- Thomas Biege, SuSE GmbH, Schanzaeckerstr. 10, 90443 Nuernberg E@mail: thomas@suse.de Function: Security Support & Auditing "lynx -source http://www.suse.de/~thomas/thomas.pgp | pgp -fka" Key fingerprint = 09 48 F2 FD 81 F7 E7 98 6D C7 36 F1 96 6A 12 47

Nix

07:00

New subject: [suse-security] Secure By Default - PLEASE!

At 08:30 AM 8/22/2000 +0200, Thomas Biege wrote:

...

Hi,

...
...
PLEASE PLEASE make a few simple changes to the defaults to help make SuSE the most secure Mainstream linux distro out there in.

I think a solid middle ground would be to ship something like bastille-linux (getting quite advanced especially with support from Mandrake), and really

If people use the tools we deliver with SuSE + their brains (note: we don't ship brains with SuSE), then they could get a very secure system within a short time of work.

*grin* Yes, I totally agree with you, which is why I love SuSE so much. I guess I just would like it to be just a "little bit" more secure out of the box. Most newbies wouldn't know whether or not they have "finger" running for instance and anyone who's ever used any unix system for longer than a few hours should know how to re-enable it in inetd...

...

...
strongly urge users to run it. If you want secure by default use OpenBSD, personally I find a lot of issues with OpenBSD (no POP/IMAP server, they have had several remote root holes in dhcpd client and ftp, but they claim these are not "default"...).

Hrhr... 'secure by default' nice buzzwords. AFAIK /usr/bin isn't audited and neither all the ports are. It's 99% secure as long as you just use the default install but then it's not a very productive system; third party software is as buggy as the stuff on FreeBSD or Linux or whatever.

Agreed...

...

I like, use and support OpenBSD, but it's not a modern unix. And will never be, because the man power is missing.

One of the main reasons man power is missing from the OBSD team is that they are all so "high and mighty"

...

SuSE 7.0 hast a YaST2 module, that allows the not-so-experienced User to modify /etc/inetd.conf in a easy way, to shut inetd off (even YaST1 ask for this) or to use a default /etc/inetd.conf. In future more security modules will be added to YaST2.

Excellent, Unfortunately I am still waiting for the first shipment of SuSE 7.0 to get to Australia. (I have already paid www.everythinglinux.com.au now I wait......)

...

The experienced-power-ueber User uses vi or sed to edit the config-files and make their box secure.

Bye, Thomas -- Thomas Biege, SuSE GmbH, Schanzaeckerstr. 10, 90443 Nuernberg E@mail: thomas@suse.de Function: Security Support & Auditing "lynx -source http://www.suse.de/~thomas/thomas.pgp | pgp -fka" Key fingerprint = 09 48 F2 FD 81 F7 E7 98 6D C7 36 F1 96 6A 12 47

Please keep up the good work, and I wait impatiently for SuSE 7 to make it "down under" Peter Nixon Senior Security Consultant IT Audit & Consulting (ITAC) Pty Ltd http://www.itaudit.com.au mailto:petern@itaudit.com.au

Norbert Preining

07:20

New subject: [suse-security] Secure By Default - PLEASE!

On Tue, 22 Aug 2000, Thomas Biege wrote:

...

If people use the tools we deliver with SuSE + their brains (note: we don't ship brains with SuSE), then they could get a very secure system within a short time of work.

This is NOT a good idea. Either the default install (and the default install for most people is `ALL') enables all the services, which IS crazy! No idea why identd, and similar have to run on a dialin machine? Even at the university where I have installed some susis, I alwyas have to maually shut down all the irrelevant and dangerous services. Services like telnet can be hacked or exploited very easy!

...

Hrhr... 'secure by default' nice buzzwords. AFAIK /usr/bin isn't audited and neither all the ports are. It's 99% secure as long as you just use the

Nobody says if you turn of all unnecessary services the system is secure, but it is MORE secure than standard and at least a pc all the time linked up to the inet is not as vulnerable as before.

...

SuSE 7.0 hast a YaST2 module, that allows the not-so-experienced User to modify /etc/inetd.conf in a easy way, to shut inetd off (even YaST1 ask for this) or to use a default /etc/inetd.conf. In future more security modules will be added to YaST2.

Thats good news!

...

The experienced-power-ueber User uses vi or sed to edit the config-files and make their box secure.

thats true, but there are not only power users! The other way round would be better: experienced-ueber-drueber-power users can turn on all the services they need easily and fast! -- ciao norb +-------------------------------------------------------------------+ | Norbert Preining http://www.logic.at/people/preining | | University of Technology Vienna, Austria preining@logic.at | | DSA: 0x09C5B094 (RSA: 0xCF1FA165) mail subject: get [DSA|RSA]-key | +-------------------------------------------------------------------+

Steffen Dettmer

08:36

New subject: [suse-security] Secure By Default - PLEASE!

* Norbert Preining wrote on Tue, Aug 22, 2000 at 09:20 +0200:

...

On Tue, 22 Aug 2000, Thomas Biege wrote:

...
If people use the tools we deliver with SuSE + their brains (note: we don't ship brains with SuSE), then they could get a very secure system within a short time of work.

This is NOT a good idea. Either the default install (and the default install for most people is `ALL') enables all the services, which IS crazy! No idea why identd, and similar have to run on a dialin machine?

I think, if you're a more experienced user, you will have no problem with disabling services. If you have a lot of machines, the just generate a patch (or patch-set), and a little script that uses SSH to patch or somethink similar, you know. If you're a "newbee" you probably want to take just a look. newbees don't know how to disable services (this is not linux specific, and a GUI frontend won't help; see i.e. NT: most boxes have unused services). They just want features. To explain a newbee how to enable a service could take serveral minutes for the hotline. An experienced user isn't needing such help. For me the default config does not matter very much. Patch is installed anyway, so it takes some seconds to get a new config :) IMHO. oki, Steffen -- Dieses Schreiben wurde maschinell erstellt, es trägt daher weder Unterschrift noch Siegel.

Thomas Biege

08:39

New subject: [suse-security] Secure By Default - PLEASE!

Hi,

...

...
If people use the tools we deliver with SuSE + their brains (note: we don't ship brains with SuSE), then they could get a very secure system within a short time of work.

This is NOT a good idea. Either the default install (and the default install for most people is `ALL') enables all the services, which IS

we don't sell a hyper-secure Linux, we sell a nearly complete and useable Linux. we have to go the small path between security and useablity, and in my opinion we do that very well.

...

crazy! No idea why identd, and similar have to run on a dialin machine?

identd: for IRC

...

Even at the university where I have installed some susis, I alwyas have to maually shut down all the irrelevant and dangerous services. Services

that's ok, because you know what's dangerous, but the unexperienced users just sees a not working system if we disable all services and remove all sbit's.

...

like telnet can be hacked or exploited very easy!

i can't remember a serious exploit for telnet in the past 4 years, but i remember some exploits for [Open-]SSH. if users use unencrypted traffic it's their fault. we also ship SSH and OpenSSH. we can't drop telnetd, because it's the standard program for logging in over network.

...

...
Hrhr... 'secure by default' nice buzzwords. AFAIK /usr/bin isn't audited and neither all the ports are. It's 99% secure as long as you just use the

Nobody says if you turn of all unnecessary services the system is secure, but it is MORE secure than standard and at least a pc all the time linked up to the inet is not as vulnerable as before.

right, but it's also more unusable.

...

...
SuSE 7.0 hast a YaST2 module, that allows the not-so-experienced User to modify /etc/inetd.conf in a easy way, to shut inetd off (even YaST1 ask for this) or to use a default /etc/inetd.conf. In future more security modules will be added to YaST2.

Thats good news!

*phew* nice to see, that I could make you happy. ;)

...

...
The experienced-power-ueber User uses vi or sed to edit the config-files and make their box secure.

thats true, but there are not only power users! The other way round would be better: experienced-ueber-drueber-power users can turn on all the services they need easily and fast!

we are not OpenBSD. (and that's good so) Bye, Thomas -- Thomas Biege, SuSE GmbH, Schanzaeckerstr. 10, 90443 Nuernberg E@mail: thomas@suse.de Function: Security Support & Auditing "lynx -source http://www.suse.de/~thomas/thomas.pgp | pgp -fka" Key fingerprint = 09 48 F2 FD 81 F7 E7 98 6D C7 36 F1 96 6A 12 47

Johannes Geiger

12:09

Hi! Am Tue, Aug 22, 2000 at 10:40:32AM +0200 schrieb Thomas Biege:

...

we don't sell a hyper-secure Linux, we sell a nearly complete and useable Linux. we have to go the small path between security and useablity, and in my opinion we do that very well.

...

that's ok, because you know what's dangerous, but the unexperienced users just sees a not working system if we disable all services and remove all sbit's.

As Thomas' statement shows, the real problem is that the avarage user still is not aware of the security issues. SuSE wants to sell their distribution so they have to sell what their customers want and that is usability, not security. If the attitude of the customers will change one day (which might - after all - happen, as the last months have shown), a "more secure" tradeoff between security and usability is feasable, but probably not now. In my opinion this is very very sad but it is the facts. So do not blame SuSE, try to raise security awareness among the users! (As Thomas said: They cannot ship brain with SuSE.) But as an aside:

...

if users use unencrypted traffic it's their fault.

Yes, Thomas, but you have to admit that they simply do not know what they are doing. Did you ever try to explain cryptography to a secretary? If you would rename ssh to telnet, most users would not ever notice, I bet :-) !

...

...
...
Hrhr... 'secure by default' nice buzzwords.

Oh, and by the way, "secure by default" or better "failsafe defaults" is not a buzzword but one of those very important security prinicples which have been ignored for several decades :'-( Best regards Johannes Geiger ----------------------------------------------------------------- Dipl.-Inform. Johannes Geiger geiger@informatik.tu-muenchen.de Technische Universität München http://wwwspies.in.tum.de/~geiger Fakultät für Informatik Tel.: 089/289-25723 Fax: -22037 D-80290 München Raum 3544, Eingang XI (Ecke Luisen-/Theresienstraße), 3. Stock -----------------------------------------------------------------

Thomas Biege

11:08

New subject: [suse-security] Re: Secure By Default - PLEASE!

Salut,

...

have to sell what their customers want and that is usability, not security. If

we ship with security, but not as a default, it's a add-on.

...

...
if users use unencrypted traffic it's their fault.

Yes, Thomas, but you have to admit that they simply do not know what they are

we have a chapter about security in our handbook. if a user reads it, s/he will know telnet is bad.

...

doing. Did you ever try to explain cryptography to a secretary? If you would

only an idiot would do. ;)

...

rename ssh to telnet, most users would not ever notice, I bet :-) !

No! another port, another behavior, windows has telnet but not ssh by default.

...

...
...
...
Hrhr... 'secure by default' nice buzzwords.

Oh, and by the way, "secure by default" or better "failsafe defaults" is not a

failsafe is even more complicated... Bye, Thomas -- Thomas Biege, SuSE GmbH, Schanzaeckerstr. 10, 90443 Nuernberg E@mail: thomas@suse.de Function: Security Support & Auditing "lynx -source http://www.suse.de/~thomas/thomas.pgp | pgp -fka" Key fingerprint = 09 48 F2 FD 81 F7 E7 98 6D C7 36 F1 96 6A 12 47

Martin Peikert

14:51

New subject: [suse-security] Re: Secure By Default - PLEASE!

Johannes Geiger wrote:

...

doing. Did you ever try to explain cryptography to a secretary? If you would

Thomas Biege wrote, quoting the above:

...

only an idiot would do. ;)

Hi Thomas, I cannot agree to that. If you really have understood how something works, you should be able to explain it to an _interested_ audience. Maybe they don't understand it the first time you expain it, but then they will ask you questions - and there are, in my opinion, only a few stupid questions but a lot of stupid answers like "Only an idiot would not understand what I say." You can call me idiot, I _did_ explain secretaries some crypto stuff. You only have to find the right words - that's the challenge - that they can understand you. Martin -- martin.peikert@innominate.de system engineer innominate AG clustering & security networking people tel: +49.30.308806-0 fax: -77 http://innominate.de

Michael Schmidt

23 Aug 23 Aug

11:22

New subject: [suse-security] Re: Secure By Default - PLEASE!

On 22 Aug 2000, Martin Peikert wrote:

...

Johannes Geiger wrote:

...
doing. Did you ever try to explain cryptography to a secretary? If you would

Thomas Biege wrote, quoting the above:

...
only an idiot would do. ;)

...

I cannot agree to that. If you really have understood how something works, you should be able to explain it to an _interested_ audience. Maybe they don't understand it the first time you expain it, but then they will ask you questions - and there are, in my opinion, only a few stupid questions but a lot of stupid answers like "Only an idiot would not understand what I say."

In principle I agree, but ...

...

You can call me idiot, I _did_ explain secretaries some crypto stuff. You only have to find the right words - that's the challenge - that they can understand you.

The real challenge is to find somebody who is interested... In their opinions its their boss who is responsible for security, and downtimes created by crashes or intrusions are paid cigarette breaks. -I know these are prejudices, but sometimes right. Michael Schmidt Icewolf

Martin Peikert

24 Aug 24 Aug

13:33

New subject: [suse-security] Re: Secure By Default - PLEASE!

Michael Schmidt wrote:

...

On 22 Aug 2000, Martin Peikert wrote:

...
You only have to find the right words - that's the challenge - that they can understand you.

The real challenge is to find somebody who is interested... In their opinions its their boss who is responsible for security, and

Maybe true. But security isn't top-down, everyone in a company is a part of it. That is what not only secretaries but also managers have to _understand_ and then there you can find an interested audience... A friend told me his theory why NT systems are configured as they are, really unsecure: Most managers have a Computer running 95/98 at home. They think: NT is Windows, too - why should I pay for a system specialist when I _can_ configure Windows? It cannot be true that that is much more complicated... So the first step to security is: Make them interested in security! All of them!

...

downtimes created by crashes or intrusions are paid cigarette breaks.

If a server crashes, another has to do that job, too. In case of an intrusion - well, it would be better to think about an intrusion and an emergency plan _before_ anything happens. Then the downtime will become scarce to smoke a cigarette... ;-)

...

-I know these are prejudices, but sometimes right.

Yes, but there has to be an education to security or we will never have anything like that. We will have weak passwords - if any at all, misconfigured systems & servers and so on... Bye Martin -- martin.peikert@innominate.de system engineer innominate AG clustering & security networking people tel: +49.30.308806-0 fax: -77 http://innominate.de

Alex W Twisleton-Wykeham-Fiennes

22 Aug 22 Aug

12:19

New subject: [suse-security] Re: Secure By Default - PLEASE!

...

As Thomas' statement shows, the real problem is that the avarage user still is not aware of the security issues. SuSE wants to sell their distribution so they have to sell what their customers want and that is usability, not security. If the attitude of the customers will change one day (which might - after all - happen, as the last months have shown), a "more secure" tradeoff between security and usability is feasable, but probably not now. In my opinion this is very very sad but it is the facts. So do not blame SuSE, try to raise security awareness among the users! (As Thomas said: They cannot ship brain with SuSE.)

i've been following this discussion and i agree with both sides of the argument. however, the question is what is the easiest way to educate the users and make them aware of the choices that they are choosing during the installation of the operating system. currently we have a situation where the user can select the 'style' of installation that they choose when they perform the installation (all, minimal, server etc etc), but it might help raise the user awareness of what is being installed if there was a _short_ readme linked into each of the installations that would detail what issues are connected with the installation and what would actually be installed by default. in this way the newbies could make a more 'educated' guess as to which installation they want and would be less surprised when somebody exploits a service that they where already running (without their knowledge). this would also help to introduce the newcomers to linux that they are actually running an OS that does have a network presence and which can be used (and abused) by other computers without your knowledge. most of this discussion boils down to education and the best point for education is at the install point (especially relevant after all the discussions concerning default passwords for SQL server on slashdot recently). just my 0.02 euros. Alex

Stefan Suurmeijer

12:45

New subject: [suse-security] Re: Secure By Default - PLEASE!

On Tue, 22 Aug 2000, Alex W Twisleton-Wykeham-Fiennes wrote:

...

i've been following this discussion and i agree with both sides of the argument. however, the question is what is the easiest way to educate the users and make them aware of the choices that they are choosing during the installation of the operating system.

Agreed!

...

currently we have a situation where the user can select the 'style' of installation that they choose when they perform the installation (all, minimal, server etc etc), but it might help raise the user awareness of what is being installed if there was a _short_ readme linked into each of the installations that would detail what issues are connected with the installation and what would actually be installed by default. in this way the newbies could make a more 'educated' guess as to which installation they want and would be less surprised when somebody exploits a service that they where already running (without their knowledge).

What about just 3 default styles of network installation? Open: all services (or almost all) enabled, standard: just the most used (even if that includes telnet etc) and safe: just the safe services (ssh et all). That would mean including 3 versions of inetd.conf and rc.config, each with a short description of the differences/potential problems. That seems possible without much work from SuSE, and would give those of us who are security-minded a breather from having to disable all services ourselves, while still catering to the user who doesn't know what a daemon is (of course it would be nicer still to be able to select each seperate service at install time via a simple Yes/No dialog with a short description). Other than that I'd have to agree with Thomas that it's easier (if annoying) for us to disable what we don't want (and let's face it, whatever default configuration SuSE ships, we are going to change it anyway) than it is for newbies to enable what they don't even know they need. Just add a very big warning to the install procedure that to have a safe system they should RTFM! ;-) Stefan

Richard

13:05

New subject: [suse-security] Re: Secure By Default - PLEASE!

Dear All On Tue, 22 Aug 2000, you wrote:

...

On Tue, 22 Aug 2000, Alex W Twisleton-Wykeham-Fiennes wrote:

...
i've been following this discussion and i agree with both sides of the argument. however, the question is what is the easiest way to educate the users and make them aware of the choices that they are choosing during the installation of the operating system.

Agreed!

I've been sending stuff to feedback@suse.de for a while now which said that I thought that a bit more sophistication under YaST might help. I think that some interaction with security aplications might help ? Thanks -- Richard Sheffield UK

juergen.braukmann＠ruhr-west.de

20:44

New subject: [suse-security] Re: Secure By Default - PLEASE!

Stefan Suurmeijer wrote:

...

On Tue, 22 Aug 2000, Alex W Twisleton-Wykeham-Fiennes wrote:

...
i've been following this discussion and i agree with both sides of the argument. however, the question is what is the easiest way to educate the users and make them aware of the choices that they are choosing during the installation of the operating system.

Agreed!

...
currently we have a situation where the user can select the 'style' of installation that they choose when they perform the installation (all, minimal, server etc etc), but it might help raise the user awareness of what is being installed if there was a _short_ readme linked into each of the installations that would detail what issues are connected with the installation and what would actually be installed by default. in this way the newbies could make a more 'educated' guess as to which installation they want and would be less surprised when somebody exploits a service that they where already running (without their knowledge).

What about just 3 default styles of network installation? Open: all services (or almost all) enabled, standard: just the most used (even if that includes telnet etc) and safe: just the safe services (ssh et all). That would mean including 3 versions of inetd.conf and rc.config, each with a short description of the differences/potential problems. That

good in theory but... Say, you select "secure inetd" and you select "Apache". secure inetd will close port 80. Apache needs port 80. Hmmm. Either Apache would auto select "less secure inetd.conf" or apache / httpd / THE HELP SYSTEM would not work. Lot's of fun for the newbe that sais "I want it secure, but why does help not work" The above is not the best example, I know, just: There will always be contradicting stuff in a system setup. It remains: brains are not delivered with the distro. ;-( But I also like some more description for these services, examples for what they are good. If they cannot deliver brains, they should make it easier for us, that havn't yet found their brains by giving better information. I hope yast2 will develope that way.

...

seems possible without much work from SuSE, and would give those of us who are security-minded a breather from having to disable all services ourselves, while still catering to the user who doesn't know what a daemon is (of course it would be nicer still to be able to select each seperate service at install time via a simple Yes/No dialog with a short description).

Other than that I'd have to agree with Thomas that it's easier (if annoying) for us to disable what we don't want (and let's face it, whatever default configuration SuSE ships, we are going to change it anyway) than it is for newbies to enable what they don't even know they need. Just add a very big warning to the install procedure that to have a safe system they should RTFM! ;-)

I think education for securety is needed. The truth is very sad, there is only one secure behaviour and that is paranoid. ;-( Juergen

...

Stefan

--------------------------------------------------------------------- To unsubscribe, e-mail: suse-security-unsubscribe@suse.com For additional commands, e-mail: suse-security-help@suse.com

-- =========================================== __ _ Juergen Braukmann juergen.braukmann@gmx.de| -o)/ / (_)__ __ ____ __ Tel: 0201-743648 dk4jb@db0qs.#nrw.deu.eu | /\\ /__/ / _ \/ // /\ \/ / ===========================================_\_v __/_/_//_/\_,_/ /_/\_\

Michael Schmidt

12:21

New subject: [suse-security] Secure By Default - PLEASE!

Hi guys, On Tue, 22 Aug 2000, Thomas Biege wrote: ...

...

we don't sell a hyper-secure Linux, we sell a nearly complete and useable Linux. we have to go the small path between security and useablity, and in my opinion we do that very well.

...

...
Even at the university where I have installed some susis, I alwyas have to maually shut down all the irrelevant and dangerous services. Services

that's ok, because you know what's dangerous, but the unexperienced users just sees a not working system if we disable all services and remove all sbit's.

How about the users choosing at install-time, yast could (with a detailed info) ask for a secure-all-disabled or a insecure-all-working installation. By the way, why is /etc/perm.paranoid not addressable by yasts security prefs ?

...

...
...
Hrhr... 'secure by default' nice buzzwords. AFAIK /usr/bin isn't audited and neither all the ports are. It's 99% secure as long as you just use the

Nobody says if you turn of all unnecessary services the system is secure, but it is MORE secure than standard and at least a pc all the time linked up to the inet is not as vulnerable as before.

right, but it's also more unusable.

It seems to be hard enough to configure, take a look at the article in the actual c't (win2000<->SuSE linux). So if I have to read the man pages to config the server program, I can also uncomment the inetd.conf entry.

...

...
...
The experienced-power-ueber User uses vi or sed to edit the config-files and make their box secure.

thats true, but there are not only power users! The other way round would be better: experienced-ueber-drueber-power users can turn on all the services they need easily and fast!

we are not OpenBSD. (and that's good so)

Right. But a simple requestor in yast and some scripts exchanging default with secure configs should be sufficient to sattisfy the standard users wanting unlimited usability (nerds) and those wanting control. Michael Schmidt Icewolf PS: I see myself as a newby as a started with linux with SuSE 6.0 and I am no IT.

omicron＠symonds.net

26 Aug 26 Aug

03:52

New subject: [suse-security] Secure By Default - PLEASE!

hi as far as the yast thing is concerned, if i dont know linux well, and i'm a newbie, i'm not concerned as to what's there in inetd.conf . i feel the developers or the packagers must think that the people who is it are idiots ( not me !) and target them. if not attracting new people to linux is very difficult. why should people change anything is yast when they dont what it stands for ? sorry to bring M$ here, but that's what they do, and that's what general users like, may be not programmers like me. for instance, if you are using a linux box for home use, with DUN , what is the use of ftp, telnet, imap, pop3 ? the main point is why keep them enabled ? if u are not using for home use, and u are an administrator, then u *ought* to know how to enable them. if you are a _dumb_ one, then the least good thing that can happen is to send a mail to root ( as it is being doen for other things ) to inform the root that firewalls have closed down such and such ports , sucha dnnd such service is disabled, if you are worth ur name then enable it ! in both cases, it will be secure. but why such a big issue. why not put in a simple script at the end of phase II of installation ( i only know how 6.3 does) just before the root login ? i'm sure it'll be much appreciated and if it really happens, i'll be one of the first to do so. regards cheedu On Tue, 22 Aug 2000, Thomas Biege wrote:

...

Hi,

...
...
PLEASE PLEASE make a few simple changes to the defaults to help make SuSE the most secure Mainstream linux distro out there in.

I think a solid middle ground would be to ship something like bastille-linux (getting quite advanced especially with support from Mandrake), and really

If people use the tools we deliver with SuSE + their brains (note: we don't ship brains with SuSE), then they could get a very secure system within a short time of work.

...
strongly urge users to run it. If you want secure by default use OpenBSD, personally I find a lot of issues with OpenBSD (no POP/IMAP server, they have had several remote root holes in dhcpd client and ftp, but they claim these are not "default"...).

Hrhr... 'secure by default' nice buzzwords. AFAIK /usr/bin isn't audited and neither all the ports are. It's 99% secure as long as you just use the default install but then it's not a very productive system; third party software is as buggy as the stuff on FreeBSD or Linux or whatever.

I like, use and support OpenBSD, but it's not a modern unix. And will never be, because the man power is missing.

SuSE 7.0 hast a YaST2 module, that allows the not-so-experienced User to modify /etc/inetd.conf in a easy way, to shut inetd off (even YaST1 ask for this) or to use a default /etc/inetd.conf. In future more security modules will be added to YaST2.

The experienced-power-ueber User uses vi or sed to edit the config-files and make their box secure.

Bye, Thomas -- Thomas Biege, SuSE GmbH, Schanzaeckerstr. 10, 90443 Nuernberg E@mail: thomas@suse.de Function: Security Support & Auditing "lynx -source http://www.suse.de/~thomas/thomas.pgp | pgp -fka" Key fingerprint = 09 48 F2 FD 81 F7 E7 98 6D C7 36 F1 96 6A 12 47

--------------------------------------------------------------------- To unsubscribe, e-mail: suse-security-unsubscribe@suse.com For additional commands, e-mail: suse-security-help@suse.com

-- ***** cogito cogito ergo cogito sum: i think that i think, therefore i think that i am. --Devils Dictionary --

bolo＠lupa.de

28 Aug 28 Aug

16:35

New subject: [suse-security] Secure By Default - PLEASE!

Jo, most of the people subscribed to this list are interested in hardening their systems in a way that it can be considered more or less safe to use for both you and your users (if any). You say that the "idiots" (read: stupid users) would turn away from linux if the distributors do not care for them by disabling virtually anything linux is worth using for. That's not the way it's supposed to be. The meaning of this security mailing list is to provide information about certain security issues and possible solutions/workarounds for them, not the attraction of as many linux newbies as possible. Ever thought why you chose linux for your OS of choice instead of the Microsoft range? It has to be linux, linux, linux, some don't know why they want linux, but they just want it because it's new, it's free and it's cool to do something against big players like Microsoft or IBM. Well, this sure is not my point of view. Disabling unused services on your linux box is a good thing to do; disabling otherwise helpful services just because you can not/don't want to secure them would be as clever as a person getting a driver's license but no car in order to avoid any accident... I hasten to add that I do not want to exclude new, inexperienced users from the general linux community; I just think that one should not install operating systems only because it's fancy and "kewl". The only way of properly using and securing your system is to learn the proper usage and to keep up with certain issues concerning updates, new features, and security. If you are "not concerned as to what's in there in inetd.conf" - well, that's your cup of tea, but don't come crying that your box has been hacked. The internet reality sometimes is hard to cope with, I know... Share what you know - learn what you don't. If you are not ready to do so, you may end up changing back to Windows frustratetly... And this also is NOT what we want...;) Boris on Aug-00 omicron@symonds.net wrote:

...

hi as far as the yast thing is concerned, if i dont know linux well, and i'm a newbie, i'm not concerned as to what's there in inetd.conf . i feel the developers or the packagers must think that the people who is it are idiots ( not me !) and target them. if not attracting new people to linux is very difficult. why should people change anything is yast when they dont what it stands for ? sorry to bring M$ here, but that's what they do, and that's what general users like, may be not programmers like me.

for instance, if you are using a linux box for home use, with DUN , what is the use of ftp, telnet, imap, pop3 ? the main point is why keep them enabled ? if u are not using for home use, and u are an administrator, then u *ought* to know how to enable them. if you are a _dumb_ one, then the least good thing that can happen is to send a mail to root ( as it is being doen for other things ) to inform the root that firewalls have closed down such and such ports , sucha dnnd such service is disabled, if you are worth ur name then enable it !

in both cases, it will be secure. but why such a big issue. why not put in a simple script at the end of phase II of installation ( i only know how 6.3 does) just before the root login ? i'm sure it'll be much appreciated and if it really happens, i'll be one of the first to do so.

regards cheedu

On Tue, 22 Aug 2000, Thomas Biege wrote:

...
Hi,

...
...
PLEASE PLEASE make a few simple changes to the defaults to help make SuSE the most secure Mainstream linux distro out there in.

I think a solid middle ground would be to ship something like bastille-linux (getting quite advanced especially with support from Mandrake), and really

If people use the tools we deliver with SuSE + their brains (note: we don't ship brains with SuSE), then they could get a very secure system within a short time of work. [...]

Ragnar Beer

22 Aug 22 Aug

11:44

New subject: [suse-security] Secure By Default - PLEASE!

I'm using SuSE Linux since 5.3 and was always annoyed by having to deselect bazillions of packages that I didn't need and switch off all kinds of services when I wanted a simple and secure webserver. That's why after a lot of thinking I finally changed to OpenBSD which I think is *the* choice for an OS secure out of the box, because it's number one goal is to be secure. It's easy to install and easy to maintain. Still SuSE is my first choice for workstations. Ragnar

...

How bout it SuSE? I have bought every version of SuSE since 5.0, I have Installed >30 SuSE servers for various clients and given away 200 copies of the SuSE 6.4 demo CD at a Govt Expo (in Australia) (Thanks to Michaela Geuthner [mailto:mg@suse.de] for the promo material he shiped me at short notice from Germany) I love SuSE, and thinks it's the best Distro available, yet, a disabled by default policy would IMHO be the best thing SuSE could ever do. As far as I'm concerned the only thing that should be enabled by default is sshd and _thats's_ even debatable. Face it, it's not going to make it any harder for your average desktop flunkie who want's to setup a kde box and browse the web. If they want to run a personal web server or ftp server then that _should_ know how to enable it from inetd.conf etc, or they should NOT be running the thing.

I think the harden SuSE script, and SuSE firewall is brilliant, but half of the things harden_suse does should be _default_ not options available in an optional package in the sec series....

PLEASE PLEASE make a few simple changes to the defaults to help make SuSE the most secure Mainstream linux distro out there in.

Peter Nixon Senior Security Consultant IT Audit & Consulting (ITAC) Pty Ltd http://www.itaudit.com.au mailto:petern@itaudit.com.au

--snip--

...
To: BUGTRAQ@SECURITYFOCUS.COM

Aleph One wrote:

...
CERT Advisory CA-2000-17 Input Validation Problem in rpc.statd

Original release date: August 18, 2000 Source: CERT/CC

A complete revision history is at the end of this file. .. RedHat

http://www.redhat.com/support/errata/RHSA-2000-043-03.html

It should be noted that Red Hat states: "Although there is no known exploit for the flaw in rpc.statd, Red Hat urges all users running rpc.statd to upgrade to the new nfs-utils package."

This is wrong.

Because of a message posted by "ron1n - " on the 5th of August to Bugtraq.

I quote: "Included below is an exploit for the recently exposed linux rpc.statd format string vulnerability[0]. I have tailored it towards current Redhat Linux 6.x installations. It can easily be incorporated into attacks against the other vulnerable Linux distributions."

I hope Red Hat updates this information. Although I really hope they'll just disable rpc.* services, most things in inetd, and other daemons *BY DEFAULT*. If a user can't figure out how to turn on a service, they probably shouldn't be running the service in the first place. This alone would stop most of the "remote root in default" problems that Red Hat (and other Linuxes) seem to face. OpenBSD gets this correct, how hard can it be for the various Linux distrubtions to insert some #s in inetd.conf, or have things chmod -x by default?

-- www.kuro5hin.org -- technology and culture, from the trenches.

--------------------------------------------------------------------- To unsubscribe, e-mail: suse-security-unsubscribe@suse.com For additional commands, e-mail: suse-security-help@suse.com

8648

Age (days ago)

8654

Last active (days ago)

List overview

Download

20 comments

15 participants

participants (15)

Alex W Twisleton-Wykeham-Fiennes
bolo＠lupa.de
Johannes Geiger
juergen.braukmann＠ruhr-west.de
Kurt Seifried
Martin Peikert
Michael Schmidt
Nix
Norbert Preining
omicron＠symonds.net
Ragnar Beer
Richard
Stefan Suurmeijer
Steffen Dettmer
Thomas Biege