Mailinglist Archive: opensuse-security (138 mails)

Re: [suse-security] Re: Openssh + security
  • From: Bruno Cochofel <bruno.cochofel@xxxxxxxxx>
  • Date: Wed, 14 Dec 2005 18:21:55 +0000
  • Message-id: <101541880512141021o3425c479r7fea84bd7ac8eeb5@xxxxxxxxxxxxxx>
Ok, let's say I'll put a firewall PC on my network...

I have to create a masquerade rule to let the internet access my intranet
web server, right?
(By the way, I am trying to find out how to do that under YaST but I don't get the
difference between the options "Source network" and "Requested IP", so if someone
helps me with this I'd appreciate it... There are several options for creating a rule, so
please elucidate me.)

Doesn't this rule open a hole in my intranet security if, let's say, my web
server gets compromised?

On 12/14/05, Crispin Cowan <crispin@xxxxxxxxxx> wrote:
>
> miguel gmail wrote:
> >> Please check if you are running X windows and if there is a screensaver
> >> active! Don't run X on servers!!
> >>
> > Why not? This is, what is the problem to run a X server on a server
> > machine? I understand that it may take lots of resources, so I wont
> > run KDE to say. But some packages do require (as far as I know) a X
> > server (Oracle does, if I remember correctly).
> >
> Well, try not to run X on servers, because it is a memory and CPU hog,
> and you generally want your servers to have lots of memory and CPU
> available to serve clients.
>
> But really REALLY don't run X on security-exposed servers, because X is
> very, very difficult to secure.
>
> > Is there anything wrong to run windowmaker? (i mean, security issues,
> > not just performance issues).
> >
> It doesn't really matter which desktop or window manager you use. X and
> its raft of applications are fundamentally vulnerable, because a HUGE
> volume of code is running as root, and a lot of it connects to the
> network unless you actively configure it not to. Another large problem
> with X on a security sensitive server is if you actually run desktop
> applications (mail clients, IM clients, P2P clients, OpenOffice, etc.)
> and they get compromised by some vulnerability in the application, then
> your server is compromised.
>
> All of this is based on the premise that your server is far more
> important/valuable than just one desktop, because only one person
> depends on the desktop, while *everyone* in the organization depends on
> the server. But if we are just talking about the machines in your
> basement :) then you likely have one client and one server and they may
> be the same machine, in which case the "importance" argument is moot.
>
> However, the security benefit of a hardened gateway machine (a firewall)
> is still strong, and it doesn't have to be a big machine. Either go buy
> a cheap, old, crappy i486 or something with 32MB of RAM and deploy it as
> a firewall, or go buy one of those $100 firewall appliances from Linksys
> or whatever. But get yourself a firewall, it is much better than hoping
> that Gaim has finally fixed all the vulnerabilities :)
>
> Crispin
> --
> Crispin Cowan, Ph.D.
> http://crispincowan.com/~crispin/
> Director of Software Engineering, Novell http://novell.com
>
>
> --
> Check the headers for your unsubscription address
> For additional commands, e-mail: suse-security-help@xxxxxxxx
> Security-related bug reports go to security@xxxxxxx, not here
>
>
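Bruno's two questions above, what the masquerade rule for the web server looks like and whether it becomes a hole once the web server is compromised, can be answered with one rule set. The script below is an added example, not code from either poster, and uses raw iptables rather than the YaST/SuSEfirewall2 dialog. It assumes a firewall with three interfaces: eth0 towards the internet, eth1 towards the LAN 192.168.1.0/24, and eth2 towards a separate DMZ segment 192.168.2.0/24 that holds the web server at 192.168.2.10; the interface names and addresses are assumptions chosen for the illustration.

```shell
#!/bin/sh
# Added example: port-forward an intranet web server through an iptables
# firewall while containing it if it gets compromised. Not from the list
# posts. Topology and addresses below are assumptions.
WAN_IF=eth0                 # internet side
LAN_IF=eth1                 # workstations
DMZ_IF=eth2                 # the web server lives on its own segment
LAN_NET=192.168.1.0/24
DMZ_NET=192.168.2.0/24
WEB_IP=192.168.2.10
WEB_PORT=80

# fw_rules prints one iptables command per line. It needs no privileges,
# so the rule set can be reviewed before it is loaded.
fw_rules() {
  cat <<EOF
iptables -P FORWARD DROP
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A PREROUTING -i $WAN_IF -p tcp --dport $WEB_PORT -j DNAT --to-destination $WEB_IP:$WEB_PORT
iptables -A FORWARD -i $WAN_IF -o $DMZ_IF -d $WEB_IP -p tcp --dport $WEB_PORT -m state --state NEW -j ACCEPT
iptables -A FORWARD -i $LAN_IF -o $DMZ_IF -s $LAN_NET -d $DMZ_NET -j ACCEPT
iptables -A FORWARD -i $DMZ_IF -o $LAN_IF -s $DMZ_NET -j LOG --log-prefix "dmz-to-lan: "
iptables -A FORWARD -i $DMZ_IF -o $LAN_IF -s $DMZ_NET -j DROP
iptables -A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -j ACCEPT
iptables -t nat -A POSTROUTING -o $WAN_IF -j MASQUERADE
EOF
}

# "sh fw.sh" prints the rules; "sh fw.sh apply" loads them (needs root).
if [ "$1" = apply ]; then
  fw_rules | sh
fi
```

The DNAT line is the only part that "lets the internet in", and it rewrites the destination of port 80 packets to the web server; the FORWARD rule right after it is what actually allows that rewritten packet through. Everything the web server itself may start is decided by the DMZ rules: new connections from the DMZ to the LAN are logged and dropped, and there is deliberately no rule letting the DMZ out to the internet, so a compromised server can neither pivot to the workstations nor phone home, while replies to its own clients still pass via the ESTABLISHED,RELATED rule. The caveat is the topology: if the web server sits on the same switch as the LAN hosts, its traffic to them never crosses the firewall and no FORWARD rule can stop it, which is why the example gives it its own interface.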