Mailinglist Archive: opensuse-security (138 mails)

< Previous Next >
Re: [suse-security] Re: Openssh + security
  • From: Crispin Cowan <crispin@xxxxxxxxxx>
  • Date: Wed, 14 Dec 2005 03:31:33 -0800
  • Message-id: <43A00295.1020102@xxxxxxxxxx>
miguel gmail wrote:
>> Please check if you are running X windows and if there is a screensaver
>> active! Don't run X on servers!!
>>
> Why not? This is, what is the problem to run a X server on a server
> machine? I understand that it may take lots of resources, so I wont
> run KDE to say. But some packages do require (as far as I know) a X
> server (Oracle does, if I remember correctly).
>
Well, try not to run X on servers, because it is a memory and CPU hog,
and you generally want your servers to have lots of memory and CPU
available to serve clients.

But really REALLY don't run X on security-exposed servers, because X is
very, very difficult to secure.

> Is there anything wrong to run windowmaker? (i mean, security issues,
> not just performance issues).
>
It doesn't really matter which desktop or window manager you use. X and
its raft of applications are fundamentally vulnerable, because a HUGE
volume of code is running as root, and a lot of it connects to the
network unless you actively configurate it not to. Another large problem
with X on a security sensitive server is if you actually run desktop
applications (mail clients, IM clients, P2P clients, OpenOffice, etc.)
and they get compromised by some vulnerability in the application, then
your server is compromised.

All of this is based on the premise that your server is far more
important/valuable than just one desktop, because only one person
depends on the desktop, while *everyone* in the organization depends on
the server. But if we are just talking about the machines in your
basement :) then you likely have one client and one server and they may
be the same machine, in which case the "importance" argument is moot.

However, the security benefit of a hardened gateway machine (a firewall)
is still strong, and it doesn't have to be a big machine. Either go buy
a cheap, old, crappy i486 or something with 32MB of RAM and deploy it as
a firewall, or go buy one of those $100 firewall appliances from Linksys
or whatever. But get yourself a firewall, it is much better than hoping
that Gaim has finally fixed all the vulnerabilities :)

Crispin
--
Crispin Cowan, Ph.D. http://crispincowan.com/~crispin/
Director of Software Engineering, Novell http://novell.com


< Previous Next >