Mailinglist Archive: opensuse-security (138 mails)

Re: [suse-security] Re: Openssh + security
  • From: Bruno Cochofel <bruno.cochofel@xxxxxxxxx>
  • Date: Wed, 14 Dec 2005 11:46:24 +0000
  • Message-id: <101541880512140346n4e219ebeu9a8c14e058aa3350@xxxxxxxxxxxxxx>
Well, I use SuSEFirewall2, but my ADSL router has one also and it's active,
leaving only the web port, ssh port and aMule port open and also noip...

On 12/14/05, Crispin Cowan <crispin@xxxxxxxxxx> wrote:
> miguel gmail wrote:
> >> Please check if you are running X windows and if there is a screensaver
> >> active! Don't run X on servers!!
> >>
> > Why not? That is, what is the problem with running an X server on a server
> > machine? I understand that it may take lots of resources, so I won't
> > run KDE, say. But some packages do require (as far as I know) an X
> > server (Oracle does, if I remember correctly).
> >
> Well, try not to run X on servers, because it is a memory and CPU hog,
> and you generally want your servers to have lots of memory and CPU
> available to serve clients.
> But really REALLY don't run X on security-exposed servers, because X is
> very, very difficult to secure.
> > Is there anything wrong with running windowmaker? (I mean, security issues,
> > not just performance issues).
> >
> It doesn't really matter which desktop or window manager you use. X and
> its raft of applications are fundamentally vulnerable, because a HUGE
> volume of code is running as root, and a lot of it connects to the
> network unless you actively configure it not to. Another large problem
> with X on a security sensitive server is if you actually run desktop
> applications (mail clients, IM clients, P2P clients, OpenOffice, etc.)
> and they get compromised by some vulnerability in the application, then
> your server is compromised.
> All of this is based on the premise that your server is far more
> important/valuable than just one desktop, because only one person
> depends on the desktop, while *everyone* in the organization depends on
> the server. But if we are just talking about the machines in your
> basement :) then you likely have one client and one server and they may
> be the same machine, in which case the "importance" argument is moot.
> However, the security benefit of a hardened gateway machine (a firewall)
> is still strong, and it doesn't have to be a big machine. Either go buy
> a cheap, old, crappy i486 or something with 32MB of RAM and deploy it as
> a firewall, or go buy one of those $100 firewall appliances from Linksys
> or whatever. But get yourself a firewall, it is much better than hoping
> that Gaim has finally fixed all the vulnerabilities :)
> Crispin
> --
> Crispin Cowan, Ph.D.
> Director of Software Engineering, Novell