
Thread: UNIX - Linux - BSD Security Tips

  1. #21
    Senior Member
    Join Date
    Oct 2002
    Posts
    1,130
    In response to what IKnowNot said...

    Yes, the MIRROR target is a VERY VERY VERY DANGEROUS target to be playing with, unless you know exactly what you're doing. It could get you into loads of trouble, as it could be used to make your box essentially a completely transparent bounce zombie. It could also be used to reverse proxy attacks into your own network.

    As for running Snort on the firewall box, it dates back to the days when Snort relied on the network stack of the machine it was running on to reconstruct data streams. It is run on the firewall box to ensure that Snort is definitely seeing exactly what the firewall does, thereby making a layer 4 evasion attack impossible, insofar as manipulating the TCP data is concerned. I was also playing with the flex response tools a bit; it was far easier to do this when the Snort box was directly in the communication path, although I agree that it is no longer necessary to run Snort on the firewall to achieve this, and flex response can also be run even from a Snort box with no valid address.

    There is actually nothing externally facing from the firewall box. It logs to a mysql database on the server machine, and that machine is used to run the BASE software that allows me to analyze the Snort logs.

    But yes, it would be better to run Snort somewhere other than the firewall. But this way, I can be sure that it will reconstruct data in the same manner as the firewall.
    Government is like fire - a handy servant, but a dangerous master - George Washington
    Government is not reason, it is not eloquence - it is force. - George Washington.

    Join the UnError community!
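The reason given above for keeping Snort on the firewall is that two TCP stacks can rebuild the same overlapping segments into different byte streams, so an IDS that reassembles differently from the box it protects can be made to see a decoy while the target sees the real payload. The following is an added example, not code from the original post or from Snort: it implements two deliberately simplified overlap policies ("first" keeps the bytes that arrived first, "last" lets later bytes overwrite) and a constructed, hypothetical HTTP request whose decoy and real path occupy the same sequence range. Real stacks apply more nuanced rules depending on where an overlap starts and ends, and later Snort stream preprocessors let you pick a per-target reassembly policy, which is why the post's point about running on the firewall is no longer strictly necessary.

```python
# Added example (not from the original post): reassembling overlapping TCP
# segments under two simplified overlap policies, to show why an IDS that
# reassembles differently from the host or firewall it protects can be evaded.
from dataclasses import dataclass
from typing import Sequence


@dataclass(frozen=True)
class Segment:
    """A TCP segment, with a relative sequence number for its first byte."""
    seq: int
    data: bytes


def reassemble(segments: Sequence[Segment], policy: str) -> bytes:
    """Rebuild the byte stream from segments processed in arrival order.

    policy="first": the bytes that arrived first keep the overlapping region
                    (a simplified "old data wins" stack).
    policy="last":  later bytes overwrite earlier ones ("new data wins").
    Real stacks mix these rules depending on where the overlap starts and
    ends; these two policies are the extremes an evasion plays against.
    """
    if policy not in ("first", "last"):
        raise ValueError(f"unknown policy: {policy}")
    stream: dict[int, int] = {}
    for seg in segments:
        for i, byte in enumerate(seg.data):
            offset = seg.seq + i
            if policy == "last" or offset not in stream:
                stream[offset] = byte
    if not stream:
        return b""
    length = max(stream) + 1
    missing = [o for o in range(length) if o not in stream]
    if missing:
        # A hole means the stream cannot be delivered in order yet.
        raise ValueError(f"hole in stream at offset {missing[0]}")
    return bytes(stream[o] for o in range(length))


def evasion_possible(segments: Sequence[Segment], ids_policy: str,
                     host_policy: str, pattern: bytes) -> bool:
    """True if the host sees `pattern` in its stream but the IDS does not."""
    host_view = reassemble(segments, host_policy)
    ids_view = reassemble(segments, ids_policy)
    return pattern in host_view and pattern not in ids_view


# Constructed sample (hypothetical request, not a real exploit): the attacker
# sends a decoy path first, then retransmits the same sequence range with the
# path it actually wants the server to process.
SEGMENTS = [
    Segment(0, b"GET /"),
    Segment(5, b"public.htm"),    # decoy bytes for offsets 5..14, arrives first
    Segment(5, b"secret.htm"),    # same offsets, arrives second
    Segment(15, b" HTTP/1.0\r\n"),
]

if __name__ == "__main__":
    for pol in ("first", "last"):
        print(pol, reassemble(SEGMENTS, pol))
    print("evaded:", evasion_possible(SEGMENTS, "first", "last", b"secret.htm"))
```

Running it shows the "first" policy yields `GET /public.htm HTTP/1.0` while "last" yields `GET /secret.htm HTTP/1.0`; a signature for `secret.htm` on an IDS using the "first" policy never fires, while the host using "last" serves the real request. That mismatch is exactly what co-locating Snort with the firewall (or, later, configuring a target-based reassembly policy) is meant to remove.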

  2. #22
    Senior Member
    Join Date
    Feb 2002
    Posts
    855
    www.linuxsecurity.com might be a good place to check out for Linux security info.
    For the wages of sin is death, but the free gift of God is eternal life in Christ Jesus our Lord.
    (Romans 6:23, WEB)

  3. #23
    Senior Member gore's Avatar
    Join Date
    Oct 2002
    Location
    Michigan
    Posts
    7,177
    Due to how well this thread has gone, I've decided it best to make this a sticky. So congrats to everyone on a good thread. Keep it alive!

  4. #24
    "OpenBSD does something any OS could do. They ship with everything turned off by default. SUSE could do the same thing...

    Why not go over WHY you like OpenBSD? I'd personally like to know the strong points of your usage of it, and I'm sure others would as well, and being that you're one of the very few users of it here that I know of, it would be helpful for people who are thinking about using it."
    --gore


    Anyway... I know this was directed at someone else, but I feel compelled to respond...

    I've been a big fan of OpenBSD for several years now (since around version 2.3 or so, I believe) and it really does surprise me that more people aren't using it. **Because**

    1).. Constant / Intense code audits -- Hands down, there is no argument among OSS projects that OpenBSD has the best track record of pro-active security... The code is constantly being reviewed for bugs and vulnerabilities. This is something that has always impressed me about the developers; most distributions (Gentoo, Ubuntu, Red Hat **cough cough**) spend way too much time adding new features and other misc bells and whistles without adequate review, when they should be focusing on strengthening what is already there. This in and of itself is a security risk, and is one of the reasons why you sometimes see such strange, inconsistent behavior on those platforms.

    2).. PF -- OpenBSD's packet filter is in my opinion the best open source solution in existence.
    It's a little tough to get your firewall rules right when first starting, but when you get the hang of it, you have more filtering options available than iptables. Also, the entire filtering mechanism is set up to run under restricted privileges and this is a very good thing. The ability to tag layer 2 packets (when doing a bridge and using brconfig) and filter them according to complex rules in pf.conf is also very nice...

    3).. Integrated Cryptography -- With support for some of the longest key spaces publicly used, lots of choices for algorithms (also this part of OpenBSD is reviewed hard-core, all in the open)...

    4).. No blobs!-- Don't you just hate those closed source drivers...If they can't get the docs on it or reverse engineer it, it's not included...

    Of course there's other 'little' things too numerous to mention (buffer overflow safeguards included by default **cough Linux**cough** grsecurity/PaX, a little memory mapping randomization makes certain kinds of hostile code trickier to write and execute)... There really is a lot more, these are just the highlights... I'm just getting tired now. Maybe later...
    We are a generation without a middle. We have no great war or depression. Our war is a spiritual one, our depression is our lives. We were all raised to believe that we'll all be millionaires and rockstars - But we won't.
    And we are slowly learning this fact... And we are VERY pissed off about it!

  5. #25
    Senior Member
    Join Date
    Feb 2002
    Posts
    855
    and it really does surprise me that more people aren't using it.
    I don't know too much about the BSDs, but I think you hit on one reason OpenBSD might not be more popular here:

    4).. No blobs!-- Don't you just hate those closed source drivers...If they can't get the docs on it or reverse engineer it, it's not included...
    I wonder how many people wouldn't use Linux if their new ATI or nVidia card couldn't be used. Also, is it possible that people perceive the BSDs as less "user friendly" than Linux or especially Windows?

  6. #26
    Senior Member gore's Avatar
    Join Date
    Oct 2002
    Location
    Michigan
    Posts
    7,177
    Originally posted here by Neptune0z
    Anyway... I know this was directed at someone else, but I feel compelled to respond...

    I've been a big fan of OpenBSD for several years now (since around version 2.3 or so, I believe) and it really does surprise me that more people aren't using it. **Because**

    1).. Constant / Intense code audits -- Hands down, there is no argument among OSS projects that OpenBSD has the best track record of pro-active security... The code is constantly being reviewed for bugs and vulnerabilities. This is something that has always impressed me about the developers; most distributions (Gentoo, Ubuntu, Red Hat **cough cough**) spend way too much time adding new features and other misc bells and whistles without adequate review, when they should be focusing on strengthening what is already there. This in and of itself is a security risk, and is one of the reasons why you sometimes see such strange, inconsistent behavior on those platforms.


    I mentioned already SUSE does this. SUSE has a whole team just for security and they do in fact go over SUSE, the core system and the rest of it, line by line, and this is one reason why they don't have as many security fixes issued as say, Mandriva.

    SUSE also has a huge difference in that for over two years, by default, they have been using... Well, RXstack for example. SUSE also uses a lot of the security ideas in the default install. The Kernel for SUSE isn't the same as the Kernel in RedHat, or Slackware.

    2).. PF -- OpenBSD's packet filter is in my opinion the best open source solution in existence.
    It's a little tough to get your firewall rules right when first starting, but when you get the hang of it, you have more filtering options available than iptables. Also, the entire filtering mechanism is set up to run under restricted privileges and this is a very good thing. The ability to tag layer 2 packets (when doing a bridge and using brconfig) and filter them according to complex rules in pf.conf is also very nice...
    With what you said above, more options would equal less security. KISS.

    3).. Integrated Cryptography -- With support for some of the longest key spaces publicly used, lots of choices for algorithms (also this part of OpenBSD is reviewed hard-core, all in the open)...
    SUSE comes out of the box with up to 4096 bit. DES, Blowfish and others are also right on the install CDs.

    4).. No blobs!-- Don't you just hate those closed source drivers...If they can't get the docs on it or reverse engineer it, it's not included...
    Yea.... I'd MUCH rather have no games work because the project leader strokes his ego too much.... Hmm, let me see, drivers written by the people who made the card, or drivers written by people that think it should work a certain way...

    Lol, this is why OpenBSD has less share on the desktop than FreeBSD. Nvidia took the time to write drivers for FreeBSD and Linux that are as quality as those on Windows. What's it matter if you have access to the source? I'm not a programmer, why would I care even a little?

    Of course there's other 'little' things too numerous to mention (buffer overflow safeguards included by default **cough Linux**cough** grsecurity/PaX, a little memory mapping randomization makes certain kinds of hostile code trickier to write and execute)... There really is a lot more, these are just the highlights... I'm just getting tired now. Maybe later...
    Uhhh buffer overflow safeguards ARE available in Linux. SUSE uses them.

  7. #27
    Sorry bro... I didn't mean to insult SUSE... lol... I was saying things as I saw 'em, that's all... I'd post a reply to your comments but I'm afraid to, lol... you nit-picked every one of my reasons...

    You hit it right on the nose with the 'blobs' though... Because of some of the developers' unbending attitudes, some very important hardware is lacking... But most everything you would need on a server is there, and that's really all OpenBSD should be used for anyway... Primary desktop support is lacking...

  8. #28
    Senior Member
    Join Date
    Feb 2002
    Posts
    855
    Lol, this is why OpenBSD has less share on the desktop than FreeBSD. Nvidia took the time to write drivers for FreeBSD and Linux that are as quality as those on Windows. What's it matter if you have access to the source? I'm not a programmer, why would I care even a little?
    Well, one good thing is that if Nvidia decides to stop supporting the card, the community still can.

  9. #29
    Senior Member gore's Avatar
    Join Date
    Oct 2002
    Location
    Michigan
    Posts
    7,177
    I wasn't nit picking, I was just making sure the discussion kept going.

    And yea, Nvidia has stopped supporting some cards with their newest drivers; however, you can still download the old ones. For example, two of my Nvidia cards no longer work with the new driver. I just download the older one and it works fine.

  10. #30
    "With what you said above, more options would equal less security. KISS"
    -- gore

    Ya... I see where you're going with that one, but what about usability and customization?
    Give a child a tablesaw for Christmas, and he's sure to lose a few fingers, but give it to a man and he'll get some **** done... Customization broadens a product's usability...
