Are firewalls necessary?

I have a machine, which serves several purposes. It is my main development platform, and it is also my main webserver.

I've gone through the system and shut down all network services I'm not using -- for example squid came down, because I am not using proxy service at all, and ftpd came down because I don't want to provide ftp services. Rlogin, fingerd, telnetd, hylafax, etc, are also gone. No trusted hosts are defined for rlogin and friends to use anyway; the other boxes on my network are not considered "safe".

I'm using an apache server which I've been through extensive configuration on -- removing most of the modules because I wasn't using them. CGI is still there, but it's not activated on any host except the "default" host (which is only accessible from 127.0.0.1) and there are only two CGI scripts; these are the English-language "search" scripts that hunt through the documentation for keywords and topics, used by the SuSE help system, which I've kept onboard -- both of which I've audited for security. There were similar scripts to search in other languages, but since I'm not using other languages, they are gone now.

Finally, the 'su' binary is moved to sbin, and not available to any user except root.

I keep copies of my websites offline, on floppy disks. Ditto my inetd.conf, httpd.conf, and a few other configuration files, and, finally, my source code -- so if the machine ever gets subverted, I can restore them easily.

Now, here is my question: Do I get material additional security from my firewall, or does over-the-top paranoia on the other aspects of the config obviate the need for it?

Bear

Hi,

Firstly ensure that you have loaded all the necessary security patches for the daemons/proggies that you are running. This will close any possible exploits that are out there.

Secondly, a firewall is normally only used when a company's internal network needs to be protected from an external untrusted network (like the www). SuSE have implemented something called a Personal Firewall which is very good for those that are highly paranoid / or really want that extra level of security / or want to impress their friends. However, if you have loaded the patches, and disabled all the services you don't really want to use, then in my honest opinion, I don't think you need to use the firewall.

In the end the decision is yours. I run Personal Firewall on my laptop, specifically because I plug my laptop into many customers' networks for extended periods of time and I don't want anyone to mess around with it.

I hope this helps,
Q

On Thu 27 Sep 01 03:50, Ray Dillinger wrote:
> [...]

Hi Bear,

On 2001.09.27 02:50:21 +0100 Ray Dillinger wrote:
> <SNIP>
> Finally, the 'su' binary is moved to sbin, and not available to any user except root.

Why leave 'su' there at all? Root is the one user who doesn't really need it, especially from the console.

> <SNIP>
> Now, here is my question: Do I get material additional security from my firewall, or does over-the-top paranoia on the other aspects of the config obviate the need for it?
IMHO, 'security through layers' is a good idea - let us say, for example, that some remote exploit is found in one of the services you do run. Let us also assume that a bad guy manages to find and use that hole to install a rootkit / some other compromise BEFORE you manage to apply the patch :-(

You then have no protection from the bad guy - his rootkit may be listening on a port which you probably would have firewalled with a strict firewall setup.

Remember: it's not paranoia if *they* are really after you, and the bad guys are after us all (or our boxes, at least).

Just 2 cents.
Maf.
--
Maf. King
Standby Exhibition Services
"It is easier to do a job right than to explain why you didn't." - Martin Van Buren

Well. Yes, yes they are. One quick reason: Let's say you have a ... webserver. It starts to try and make outgoing connections to port 80. Hmm, maybe you got hacked by a worm (hey, it's only a matter of time before someone uses a 0-day for Apache to do something nasty).

Kurt Seifried, kurt@seifried.org
A15B BEE5 B391 B9AD B0EF AEB0 AD63 0B4E AD56 E574
http://www.seifried.org/security/
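The outbound-connection symptom Kurt describes can be checked for mechanically. The following is an added example, not code from this thread or from any poster: it parses packet-filter log lines in the iptables `-j LOG` key=value style (simplified) and lists every flow the server itself initiated that an explicit egress policy does not cover. The server address, the policy and the log lines are assumptions constructed for the example.

```python
"""Spot a web server that starts initiating its own outbound connections.

Added example; not code from the thread or from any poster. It reads
packet-filter log lines in the iptables "-j LOG" key=value style, keeps
only packets that open a new flow *from* the server, and reports those not
covered by an egress policy. Addresses, policy and log lines are
constructed (RFC 5737 documentation ranges); the field layout is a
simplified version of the real LOG format.
"""
import re
from collections import defaultdict

SERVER_IP = "192.0.2.10"  # assumed address of the web server (constructed)

# Egress policy: (proto, dport, dst) triples the server may initiate itself.
# "*" as dst means any destination. A web server normally needs very little.
ALLOWED_EGRESS = {
    ("UDP", 53, "192.0.2.1"),   # DNS lookups against the local resolver
    ("TCP", 25, "192.0.2.1"),   # outbound mail via the local relay
}

# Constructed log lines. The three 03:51 lines are what Kurt describes: the
# server itself opening connections to port 80 on a spread of hosts.
SAMPLE_LOG = """\
Sep 27 03:50:01 web kernel: OUT=eth0 SRC=192.0.2.10 DST=192.0.2.1 PROTO=UDP SPT=33001 DPT=53 LEN=48
Sep 27 03:50:02 web kernel: IN=eth0 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=40211 DPT=80 SYN
Sep 27 03:50:02 web kernel: OUT=eth0 SRC=192.0.2.10 DST=198.51.100.7 PROTO=TCP SPT=80 DPT=40211 ACK SYN
Sep 27 03:51:14 web kernel: OUT=eth0 SRC=192.0.2.10 DST=203.0.113.5 PROTO=TCP SPT=1034 DPT=80 SYN
Sep 27 03:51:15 web kernel: OUT=eth0 SRC=192.0.2.10 DST=203.0.113.6 PROTO=TCP SPT=1035 DPT=80 SYN
Sep 27 03:51:15 web kernel: OUT=eth0 SRC=192.0.2.10 DST=203.0.113.7 PROTO=TCP SPT=1036 DPT=80 SYN
Sep 27 03:52:00 web kernel: OUT=eth0 SRC=192.0.2.10 DST=192.0.2.1 PROTO=TCP SPT=1040 DPT=25 SYN
"""

FIELD_RE = re.compile(r"(\w+)=(\S*)")
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}


def parse_line(line):
    """Split a LOG line into key=value fields plus the set of bare TCP flags."""
    fields = dict(FIELD_RE.findall(line))
    flags = {tok for tok in line.split() if tok in TCP_FLAGS}
    return fields, flags


def opens_outbound_flow(fields, flags, server_ip=SERVER_IP):
    """True for a packet with which the server itself starts a new flow.

    TCP: a SYN without ACK (the SYN/ACK reply to an inbound client is not a
    new flow). UDP has no handshake, so every outbound datagram counts.
    """
    if not fields.get("OUT") or fields.get("SRC") != server_ip:
        return False
    proto = fields.get("PROTO")
    if proto == "TCP":
        return "SYN" in flags and "ACK" not in flags
    return proto == "UDP"


def permitted(fields, allowed=ALLOWED_EGRESS):
    proto, dport, dst = fields["PROTO"], int(fields["DPT"]), fields["DST"]
    return any(p == proto and d == dport and h in ("*", dst) for p, d, h in allowed)


def unexpected_egress(log_text, server_ip=SERVER_IP, allowed=ALLOWED_EGRESS):
    """Return (timestamp, dst, proto, dport) for every policy-violating flow."""
    hits = []
    for line in log_text.splitlines():
        fields, flags = parse_line(line)
        if opens_outbound_flow(fields, flags, server_ip) and not permitted(fields, allowed):
            hits.append((line[:15], fields["DST"], fields["PROTO"], int(fields["DPT"])))
    return hits


def fanout(hits):
    """Distinct destinations per (proto, dport); many hosts on one port is worm-like."""
    dsts = defaultdict(set)
    for _ts, dst, proto, dport in hits:
        dsts[(proto, dport)].add(dst)
    return {k: len(v) for k, v in dsts.items()}


if __name__ == "__main__":
    found = unexpected_egress(SAMPLE_LOG)
    for ts, dst, proto, dport in found:
        print(f"{ts} unexpected outbound {proto}/{dport} to {dst}")
    print("fan-out:", fanout(found))
```

The policy is deliberately a whitelist of what the server is allowed to start; a web server answering clients never needs to open port 80 elsewhere, so the fan-out count is the signal to alert on (or to deny outright with an OUTPUT rule, which also stops the worm spreading while you investigate).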

Hi,

let me get this right: You think by installing a firewall, the system is somewhat secured against rootkits, because they may listen on "to be firewalled" ports? If somebody compromises your system and installs a rootkit, it's almost easy for him to fiddle holes in your firewall - because he uses a ROOTkit.

To secure a server, the best way is: Set up the server to boot only from CD-R. Place the file system with all static files on this CD-R and use the rw medium (harddisk, NFS) only if necessary, e.g. for content etc. Even if somebody hacks your services, he can't replace binaries etc.

I know, such a system is harder to manage, but isn't that the price we always have to pay for a secure system?

Ralf
> [...]
--
Ralf 'coko' Koch
mailto:info@formel4.de
---
Windows-Error: Mouse not found - A mouse driver hasn't been installed. Please click the left mouse button to continue.

> Hi,
> let me get this right: You think by installing a firewall, the system is somewhat secured against rootkits, because they may listen on "to be firewalled" ports? If somebody compromises your system and installs a rootkit, it's almost easy for him to fiddle holes in your firewall - because he uses a ROOTkit.
The majority of rootkits/etc are automated, à la SubSeven. In other words it will work 98% of the time. Security is never absolute. It's about reducing risk to acceptable levels. It's like making /tmp a separate partition with noexec: you can still exec programs in /tmp, but no hacking scripts I have seen have the capability of doing so.
> Ralf
Kurt Seifried, kurt@seifried.org
A15B BEE5 B391 B9AD B0EF AEB0 AD63 0B4E AD56 E574
http://www.seifried.org/security/

At 09:59 AM 9/27/2001 +0100, you wrote:
> IMHO, 'security through layers' is a good idea - let us say, for example, that some remote exploit is found in one of the services you do run. Let us also assume that a bad guy manages to find and use that hole to install a rootkit / some other compromise BEFORE you manage to apply the patch :-(
> You then have no protection from the bad guy - his rootkit may be listening on a port which you probably would have firewalled with a strict firewall setup.
My take on the above is that if a cracker gets in far enough to install binaries, he can:

1. probably mess with your firewall rules
2. probably shut your firewall off
3. if none of the above, possibly trojan something like your web server or sshd that still has an open port in the firewall rules.

What do you think, am I right, or am I missing something important?

----------------------------------------------------
Jonathan Wilson
System Administrator
Cedar Creek Software http://www.cedarcreeksoftware.com
Central Texas IT http://www.centraltexasit.com

Yup, On 27-Sep-01 JW wrote:
> At 09:59 AM 9/27/2001 +0100, you wrote:
> > IMHO, 'security through layers' is a good idea - let us say, for example, that some remote exploit is found in one of the services you do run. Let us also assume that a bad guy manages to find and use that hole to install a rootkit / some other compromise BEFORE you manage to apply the patch :-(
> > You then have no protection from the bad guy - his rootkit may be listening on a port which you probably would have firewalled with a strict firewall setup.
> My take on the above is that if a cracker gets in far enough to install binaries, he can: 1. probably mess with your firewall rules 2. probably shut your firewall off 3. If none of the above, possibly trojan something like your web server or sshd that still has an open port in the firewall rules.
> What do you think, am I right, or am I missing something important?
This is where (real time-) intrusion detection should enter the game. The first bastion, the firewall script, either based on packet filters or stateful inspection, has been brought down or pierced. The next important barriers may consist of:

1. minimal trust relationship between the firewall and the internal net
2. file integrity checks
3. very basic installation of the firewall, with a monolithic kernel w/ patches (e.g. Openwall), without any dev tools like gcc and gdb
4. security of the hosts in a DMZ (if there is one) or the internal net

Here we count on the fail-safe period of some kind of security installation. Imagine a safe for storing backup media like tapes, CDs, etc. These safes should be fire-proof, and some of them are, but only for a fixed period, for 30 mins or one hour at temperatures of 800 degrees centigrade. The same goes for firewalls and security installations in general: they are never unbreakable or 100% safe, but may keep even a skilled attacker busy for a couple of minutes/hours to activate adequate countermeasures against the intruder, provided all the other security systems apart from the firewall script are properly implemented and the admins react accordingly.
> Jonathan Wilson
> System Administrator
> Cedar Creek Software http://www.cedarcreeksoftware.com
> Central Texas IT http://www.centraltexasit.com
Boris Lorenz <bolo@lupa.de> ---
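Boris's second barrier, file integrity checks, in the smallest form that still catches a replaced binary: record mode, size and a SHA-256 digest per file, then diff the tree against that record. This is an added example, not a tool from the thread (Tripwire or AIDE would be the real thing); the directory layout and file contents in `demo()` are constructed.

```python
"""File-integrity baseline and verification, the second of Boris's barriers.

Added example, not a tool from the thread. build_baseline() records mode,
size and SHA-256 of every regular file under a tree; verify() later reports
what was added, removed or changed. demo() tampers with a constructed tree
in a temp directory. Keep the baseline off the host or on read-only media:
once someone has root, anything writable on disk can be edited to match.
"""
import hashlib
import os
import shutil
import stat
import tempfile


def file_digest(path, chunk=65536):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root):
    """Map relative path -> (mode, size, sha256) for each regular file under root."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):
                continue  # symlinks, sockets and devices are not hashed here
            rel = os.path.relpath(full, root)
            baseline[rel] = (stat.S_IMODE(st.st_mode), st.st_size, file_digest(full))
    return baseline


def verify(root, baseline):
    """Compare the tree against a stored baseline; lists are sorted for stable output."""
    current = build_baseline(root)
    both = set(current) & set(baseline)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "changed": sorted(p for p in both if current[p] != baseline[p]),
    }


def demo():
    """Constructed scenario: baseline a fake sbin, then simulate a rootkit install."""
    root = tempfile.mkdtemp()
    try:
        sbin = os.path.join(root, "sbin")
        os.mkdir(sbin)
        for name, data in (("sshd", b"original sshd"), ("login", b"original login")):
            with open(os.path.join(sbin, name), "wb") as f:
                f.write(data)
            os.chmod(os.path.join(sbin, name), 0o755)
        baseline = build_baseline(root)

        # Trojaned sshd of identical length: a size check alone would miss it.
        with open(os.path.join(sbin, "sshd"), "wb") as f:
            f.write(b"trojaned sshd")
        # An extra hidden binary dropped in, and login deleted.
        with open(os.path.join(sbin, ".rk"), "wb") as f:
            f.write(b"x")
        os.remove(os.path.join(sbin, "login"))
        return verify(root, baseline)
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

Run the verification from a clean boot medium, comparing against a baseline stored off the host; a check that reads its reference data from the same disk the intruder controls only tells you what the intruder wants you to see.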

Hi, On 27-Sep-01 Ray Dillinger wrote:
> I have a machine, which serves several purposes. It is my main development platform, and it is also my main webserver.
Is this a public web server?
> I've gone through the system and shut down all network services I'm not using -- for example squid came down, because I am not using proxy service at all, and ftpd came down because I don't want to provide ftp services. Rlogin, fingerd, telnetd, hylafax, etc, are also gone. No trusted hosts are defined for rlogin and friends to use anyway; the other boxes on my network are not considered "safe".
> I'm using an apache server which I've been through extensive configuration on -- removing most of the modules because I wasn't using them. CGI is still there, but it's not activated on any host except the "default" host (which is only accessible from 127.0.0.1) and there are only two CGI scripts; these are the English-language "search" scripts that hunt through the documentation for keywords and topics, used by the SuSE help system, which I've kept onboard -- both of which I've audited for security. There were similar scripts to search in other languages, but since I'm not using other languages, they are gone now.
> Finally, the 'su' binary is moved to sbin, and not available to any user except root.
Uhm... That one seems to be a "zip'ped unzip" ;)
> I keep copies of my websites offline, on floppy disks. Ditto my inetd.conf, httpd.conf, and a few other configuration files, and, finally, my source code -- so if the machine ever gets subverted, I can restore them easily.
> Now, here is my question: Do I get material additional security from my firewall, or does over-the-top paranoia on the other aspects of the config obviate the need for it?
You did the Right Thing by switching off all these unused services. Unfortunately you didn't state whether this machine is the "outpost" of a LAN connected to the internet or an internal web server with some development tools on it, or just your client PC connected via ISDN/cable/modem. If it is a publicly accessible server I would definitely firewall it, no matter how many backups I'd have to reconstruct the system. There are many ways to "own" (crack) an improperly secured web server, not only brute-force attacks which lead to a system crash, but also more sinister, silent creep-ins of more skilled individuals who could use your server as a leap point to start attacks against other systems by cracking your server, installing high-port file transfer daemons (ftp, ssh/sftp, rcp, whatever), uploading some funny stuff and compiling it using your pre-installed development tools. Without firewalling, you'd have no real protection against these kinds of attacks.

If you have a public web server - go and firewall it, for God's sake. If it's a client PC at work/at home you could use the already-mentioned SuSE personal firewall, which is easy to configure and understand.

Of course there is no need for hyperventilated paranoia, but a good sense of security and the acceptance of the fact that even the smallest home system can be the target (and thus often the source for further attacks) of malicious system crackers seems to be appropriate.
Boris Lorenz <bolo@lupa.de> ---

Hi,

In what category would you put a tool like portsentry from the abacus project of psionic? According to my knowledge it is not a real firewall, but it blocks all unused ports and if someone tries accessing a closed port, the attacker will be blocked immediately. Has anyone ever used this tool and if yes, does a portsentry-secured system have enough security for a webserver in the rough world of the internet?

Regards
reto

----- Original Message -----
From: Boris Lorenz <bolo@lupa.de>
To: <suse-security@suse.com>
Sent: Thursday, September 27, 2001 11:34 AM
Subject: RE: [suse-security] Are firewalls necessary?
> [...]

Yup, On 27-Sep-01 Reto Inversini wrote:
> Hi,
> In what category would you put a tool like portsentry from the abacus project of psionic? According to my knowledge it is not a real firewall, but it blocks all unused ports and if someone tries accessing a closed port, the attacker will be blocked immediately. Has anyone ever used this tool and if yes, does a portsentry-secured system have enough security for a webserver in the rough world of the internet?
portsentry is a portscan detector with an active component. It is able to quickly place a, say, ipchains DENY rule or hosts.deny entry in your firewalling rules to immediately block access from and to an attacker's IP in case of a portscan/probe. I still use portsentry (in a scaled-down configuration) on a few of our hosts, with the blocking feature enabled. However, there are some issues:

- If you don't carefully administer portsentry's ignore-hosts file, you open your network/host to denial-of-service attacks.
- portsentry's scan detection capabilities are limited; by carefully poking around on a portsentry-secured host an attacker could get the information he/she wants without triggering portsentry.
- standalone, portsentry is definitely no firewalling solution, it's just an interesting add-on to a packet filter/stateful firewall.
- some scanners (like nmap) may show an extended list of "filtered" ports if they hit a portsentry installation, thus informing the attacker about the presence of the tool.
- portsentry's "feature" to send back messages to the attacker like "Your connection has been terminated, shove off!" (in non-advanced mode) may infuriate the attacker and provoke more sophisticated attacks.

If you want to use portsentry, give it time to show its stuff, for about one or two months or so, without the route-dropping feature. It then just informs you about portscans/probes. However, the portscan detection capabilities of snort are now (as of version 1.8 and up) much better than portsentry's, and together with tools like guardian you could achieve the same log-and-drop functionality. Snort also offers usable intrusion detection, in a much more complete way than portsentry.
> [...]
Boris Lorenz <bolo@lupa.de> ---
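An added example, not portsentry's code, modelling the log-and-block reaction Boris describes together with his first caveat (the ignore-hosts file): a naive blocker with no ignore list cuts the host off from its own gateway on a single probe carrying a spoofed source address, while the hardened one ignores local networks, needs several hits before acting and caps the size of the block table so a flood of spoofed sources cannot grow the rule set without bound. All addresses and probe events are constructed.

```python
"""Probe-triggered auto-blocking with the safeguards Boris's caveats imply.

Added example; this is not portsentry's code. ProbeBlocker models the
"block the source of a probe" reaction. Without an ignore list, one probe
with a spoofed source address of the gateway or resolver makes the host
block its own infrastructure (the denial of service Boris warns about);
a cap on the block table stops spoofed-source floods from filling the
firewall rules. Addresses and probe events are constructed.
"""
import ipaddress


class ProbeBlocker:
    def __init__(self, ignore_nets=(), threshold=1, max_blocks=200):
        # Sources that must never be blocked (own addresses, gateway, DNS).
        self.ignore = [ipaddress.ip_network(n) for n in ignore_nets]
        self.threshold = threshold      # closed-port hits before blocking
        self.max_blocks = max_blocks    # upper bound on the block table
        self.counts = {}
        self.blocked = []

    def is_ignored(self, src):
        addr = ipaddress.ip_address(src)
        return any(addr in net for net in self.ignore)

    def on_probe(self, src):
        """Handle one hit on a closed port; return the decision taken."""
        if self.is_ignored(src):
            return "ignored"
        if src in self.blocked:
            return "already-blocked"
        self.counts[src] = self.counts.get(src, 0) + 1
        if self.counts[src] < self.threshold:
            return "counted"
        if len(self.blocked) >= self.max_blocks:
            return "table-full"        # still logged, but no further rule added
        self.blocked.append(src)
        return "blocked"

    def hosts_deny_lines(self):
        """Render the block table as hosts.deny entries (tcp_wrappers syntax)."""
        return ["ALL: %s" % src for src in self.blocked]


# Constructed probe stream: one spoofed packet claiming to come from the
# gateway, a real scanner hitting three closed ports, then ten spoofed
# sources with three probes each (the flood case).
GATEWAY = "192.0.2.1"
SCANNER = "203.0.113.9"
PROBES = [GATEWAY] + [SCANNER] * 3 + [
    "198.51.100.%d" % i for i in range(1, 11) for _ in range(3)
]


def run(blocker, probes=PROBES):
    """Feed probes through a blocker; return (decisions, final block list)."""
    decisions = [blocker.on_probe(src) for src in probes]
    return decisions, list(blocker.blocked)


def naive():
    """Block on the first hit, no ignore list: what Boris's caveat warns about."""
    return ProbeBlocker()


def hardened():
    """Ignore the local net and loopback, require 3 hits, cap the table at 5."""
    return ProbeBlocker(ignore_nets=["127.0.0.0/8", "192.0.2.0/24"],
                        threshold=3, max_blocks=5)


if __name__ == "__main__":
    for label, b in (("naive", naive()), ("hardened", hardened())):
        decisions, blocked = run(b)
        print(label, decisions)
        print("\n".join(b.hosts_deny_lines()) or "(no blocks)")
```

The naive run ends with the gateway in its own deny list, which is exactly the self-inflicted outage the ignore-hosts file exists to prevent; the hardened run blocks only the persistent scanner and a bounded number of others, and everything past the cap is logged rather than acted on, which is also the mode Boris suggests running in for the first months.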

On Thu, 27 Sep 2001, Boris Lorenz wrote:
> Hi,
> On 27-Sep-01 Ray Dillinger wrote:
> > I have a machine, which serves several purposes. It is my main development platform, and it is also my main webserver.
> Is this a public web server?
Remember, no trusted machines defined. It regards the whole world as public, and it has its own IP address. Yes.
> > Finally, the 'su' binary is moved to sbin, and not available to any user except root.
> Uhm... That one seems to be a "zip'ped unzip" ;)
I know, but I was worried about the possibility of subvertible-but-unknown-to-me shell scripts using it.
> You did the Right Thing by switching off all these unused services. Unfortunately you didn't state whether this machine is the "outpost" of a LAN connected to the internet or an internal web server with some development tools
My network does not distinguish internal from external. The DSL bridge is connected directly to an ethernet switch, the ethernet switch is connected directly to all of the machines on my network. Each machine is a separate security configuration issue. Each machine regards its ethernet port as a connection to the whole wide world, and protects itself just as vigorously from its sisters as from strangers. I consider it mistaken to have lax security on a machine because it's "internal" -- that sets up a situation where one subverted machine destroys the security of the whole network. That may be tolerable if you're responsible for a hundred machines and you can't possibly keep idiots off of them, but when you have just six machines and nobody who isn't you ever has the console, it's just lazy. This one box I'm worried about in particular because of the presence of gcc, etc. And firewall config on it is really irritating because of the particular nature of the software I'm developing -- it tends to have fights with the firewall because it has to connect to other machines on pseudo-randomly determined ports.
> on it, or just your client PC connected via ISDN/cable/modem. If it is a publicly accessible server I would definitely firewall it, no matter how many backups I'd have to reconstruct the system. There are many ways to "own" (crack) an improperly secured web server,
Agreed. I guess I want to know about properly securing a webserver and where I can read about properly securing webservers. I have done all I know to do to secure it, but what might I have missed?

Bear

Yohei, On 27-Sep-01 Ray Dillinger wrote:
> On Thu, 27 Sep 2001, Boris Lorenz wrote:
> > Hi,
> > On 27-Sep-01 Ray Dillinger wrote:
> > > I have a machine, which serves several purposes. It is my main development platform, and it is also my main webserver.
> [...]
> I consider it mistaken to have lax security on a machine because it's "internal" -- that sets up a situation where one subverted machine destroys the security of the whole network. That may be tolerable if you're responsible for a hundred machines and you can't possibly keep idiots off of them, but when you have just six machines and nobody who isn't you ever has the console, it's just lazy.
Quite right. Personally I think a little paranoia here and there does a world of good to any system, even if it's "just" a small lil' client in a small lil' net. However, if we're talking about a privately used home PC with only a modem to connect to the internet, things like SuSE personal firewall should suffice. It would be kinda overblown to do a full security audit for a home PC, although a good practice.
> This one box I'm worried about in particular because of the presence of gcc, etc. And firewall config on it is really irritating because of the particular nature of the software I'm developing -- it tends to have fights with the firewall because it has to connect to other machines on pseudo-randomly determined ports.
Hm, I see.
> > on it, or just your client PC connected via ISDN/cable/modem. If it is a publicly accessible server I would definitely firewall it, no matter how many backups I'd have to reconstruct the system. There are many ways to "own" (crack) an improperly secured web server,
> Agreed. I guess I want to know about properly securing a webserver and where I can read about properly securing webservers. I have done all I know to do to secure it, but what might I have missed?
SuSE's Marc Heuse has put up some documents on how to set up a secure web server (in German):
http://www.suse.de/de/linux/docu/webserver/

For the protection of Apache (I guess you use this one, right?), take a look at:
http://httpd.apache.org/docs/misc/security_tips.html

Openwall offers good security patches for your kernel:
http://www.openwall.com/linux/

...and of course the good old security-HOWTO, and sites like www.securityfocus.com, www.securityportal.com, cve.mitre.org and others. I also recommend the book "Practical Unix and Internet Security" (O'Reilly), a very usable and readable introduction to Unix/Linux security.
Happy reading, Boris Lorenz <bolo@lupa.de> ---

* Ray Dillinger wrote on Wed, Sep 26, 2001 at 18:50 -0700:
> I have a machine, which serves several purposes. It is my main development platform, and it is also my main webserver.
Hope you have good daily backups of the cvs repository :)
> I've gone through the system and shut down all network services I'm not using
1st step succeeded, fine.
> I'm using an apache server which I've been through extensive configuration on -- removing most of the modules because I wasn't using them.
Well, there might be hidden buffer overflows inside or other risks. Do you have clients from outside connecting that server? Then I would recommend to use some ISP server as copy, and configure apache to accept really nobody from outside.
> Finally, the 'su' binary is moved to sbin, and not available to any user except root.
Try "/sbin/su" as user, should work if you haven't changed the permissions. Fix it via "chmod 0500 /sbin/su".
> I keep copies of my websites offline, on floppy disks.
You trust floppy disks?! Hope you have heaps of them...
> Ditto my inetd.conf, httpd.conf, and a few other configuration files, and, finally, my source code -- so if the machine ever gets subverted, I can restore them easily.
If you are really paranoid, imagine what would happen when an attacker integrates a backdoor in a very stable module. You wouldn't notice it, since the module source wasn't modified for ages. Well, after a time, all your backups contain that backdoor...
> Now, here is my question: Do I get material additional security from my firewall, or does over-the-top paranoia on the other aspects of the config obviate the need for it?
Well, it's a kind of over the top security. If the tcp wrapper has a bug that can be used by an attacker to connect even if not allowed, or apache has some bug, i.e. in the ip deny code or whatever, who knows, an attacker could use it to get in. Well, but if you have a strict firewall, an attacker couldn't even send a single packet to that service, which is more secure of course. And if somebody from outside hasn't anything to send to you, then you can block all that "non-existent" traffic :)

oki,
Steffen

--
This letter was generated by machine, so it bears neither signature nor seal.
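Two local checks from this thread, added here as an example (not from any poster): Steffen's observation that su moved to /sbin is still runnable by everyone until its mode is tightened with `chmod 0500`, and Kurt's separate /tmp partition with noexec. The first function reports mode bits that still let group or others use a binary meant for root only; the second parses fstab-style text and lists the hardening options a mount point lacks. The fstab text and the temporary file standing in for the su binary are constructed.

```python
"""Two local checks from the thread: is su still usable by non-root users
(Steffen: moving it does nothing, chmod 0500 does), and is /tmp a separate
filesystem mounted noexec/nosuid/nodev (Kurt)?

Added example, not from any poster. Inputs are constructed: a temp file
stands in for /sbin/su and the fstab text is made up for the example.
"""
import os
import stat
import tempfile

HARDENED_TMP_OPTS = {"noexec", "nosuid", "nodev"}


def check_private_binary(path):
    """Return the problems with a binary that only root should be able to run."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    problems = []
    if mode & (stat.S_IXGRP | stat.S_IXOTH):
        problems.append("executable by group/others")
    if mode & (stat.S_IRGRP | stat.S_IROTH):
        problems.append("readable by group/others")
    if mode & stat.S_ISUID:
        problems.append("setuid bit set")   # pointless if only root runs it
    return problems


def check_mount_options(fstab_text, mountpoint="/tmp", required=HARDENED_TMP_OPTS):
    """Required options missing on mountpoint, or None if it is not a separate filesystem."""
    for line in fstab_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) >= 4 and parts[1] == mountpoint:
            return set(required) - set(parts[3].split(","))
    return None


# Constructed fstab contents: /tmp separate but mounted with defaults only,
# and the same layout with the hardening options added.
WEAK_FSTAB = """\
# constructed example fstab
/dev/hda1  /     ext2  defaults  1 1
/dev/hda3  /tmp  ext2  defaults  1 2
"""
HARDENED_FSTAB = """\
/dev/hda1  /     ext2  defaults                      1 1
/dev/hda3  /tmp  ext2  defaults,noexec,nosuid,nodev  1 2
"""


def demo_su_modes():
    """Stand-in for su: first world-executable, then after Steffen's chmod 0500."""
    fd, path = tempfile.mkstemp()
    os.close(fd)
    try:
        os.chmod(path, 0o755)              # typical mode of a freshly moved binary
        before = check_private_binary(path)
        os.chmod(path, 0o500)              # owner read+execute only
        after = check_private_binary(path)
        return before, after
    finally:
        os.remove(path)


if __name__ == "__main__":
    print("su before/after chmod 0500:", demo_su_modes())
    print("/tmp missing (weak):", check_mount_options(WEAK_FSTAB))
    print("/tmp missing (hardened):", check_mount_options(HARDENED_FSTAB))
```

A `None` from `check_mount_options` is itself a finding: if /tmp is not a separate filesystem, no mount option can be applied to it at all, which is why Kurt's advice starts with the separate partition.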
participants (9)

- Boris Lorenz
- JW
- Kurt Seifried
- maf king
- Quinton Delpeche
- Ralf Koch
- Ray Dillinger
- Reto Inversini
- Steffen Dettmer