Quote:
Why not take responsibility for your server's security (instead of relying on code that is difficult to audit)
Ever heard of defense in depth?
Quote:
Restricting SSH access to hosts you've designated (whitelisting) completely eradicates a 0-day attack, because the packets will not even make it to sshd to exploit it. This is planning ahead.
That is assuming that Netfilter will NEVER have a vulnerability. It is just software. The chance that it will never have a vulnerability is impossible since it already has. Check
http://www.securityfocus.com/bid/17178. It is a local vulnerability, but if you are able to exploit Apache or PHP then you usually get local access to exploit a local vulnerability. SELinux would HELP stop it. It is just another layer of security.
Quote:
If you want to get really secure, take the approach some other customers have and VPN to your Linode using something like OpenVPN. Then, only allow SSH and other security-critical processes to talk to clients that are connected to your VPN.
Ok, so you recommend using a VPN to connect. There are still ports that have to be opened to permit access to the VPN. VPNs can be hacked too. Take a look at
http://www.ubuntu.com/usn/usn-612-3 Ok, ok. It isn't directly OpenVPN, but it still causes problems with OpenVPN.
Quote:
You seem to paint SELinux as a flip-the-switch solution that will automatically make all the security ills of server administration magically disappear, and that is most certainly not the case.
I know I didn't say that and I don't remember anybody else said that. DEFENSE IN DEPTH Anybody who has spent more than a week in the real world knows that you do what you can to make yourself more difficult to hack and therefor less of a target. That is why we have firewalls, intrusion detection systems, access control lists, passwords and file permissions. What is wrong with adding another layer of protection? Are you one of those people that writes their PIN number on their debit card with the thought that nobody will find it because think it will be in your pocket all the time?
Quote:
The thread you referenced, awstats.pl exploitation, is another case of this; had awstats.pl been password-protected or given a whitelisting setup (like SSH above), this attack would have never happened.
Never happened? What happens when your Apache instance has a vulnerability and the directory that is supposed to be password protect isn't? Think that has never happened? Check
http://articles.techrepublic.com.com/5100-10878_11-5422585.htmlQuote:
What it most certainly is not is a substitute for proper systems administration and security auditing.
This is the first smart thing I have read so far. I agree, it is not a substitute for proper system administration and audition. It is, however, an additional tool.
Quote:
You need to educate yourself and not rely upon someone else's code to keep you safe on the Internet.
How do you expect to be able to use ANY software program? If we were to follow your advice then we could never use a computer. I agree that we all need to educate ourselves, but that is part of the job (especially mine). You definitely can't advocate using built-in SSH security and Netfilter and then make a comment like that.
Quote:
If you can show me one case where SELinux would have been the only way to prevent an exploit I'll rethink this argument, but good luck.
Is a firewall the only way to prevent an exploit? No. Is using public key encryption? No. Then why put a double standard on using SELinux?
Quote:
Linode does not prevent you from running with SELinux enabled. You are preventing yourself by not compiling a kernel and using pv_grub. Please do not confuse is not the default with cannot use.
Ok, I'll give you that. They don't prevent me from doing it, but it does make it more difficult than simply (yes, simply) having it enabled in the Linode kernel.
Quote:
I have a number of VPS's under my administration and often what I do is setting up SSH properly rather than relaying on the default setup.
Good for you. Guess what? So do I. Not only do I do it often, I do it EVERY SINGLE TIME.
Quote:
I did my home work concerning SELinux and all I can say - its not for me.
Let's hear that again "It's not for me". That's right. It's not for YOU. How about letting people who actually know how to use to be able to use it without having to jump through the hurdles of using pv_grub with a different kernel.
Quote:
I prefer to use the industry standard software rather than something the USA government has got a back door to.
SELinux is actually fairly standard. If it wasn't then we probably wouldn't be here discussing this today.
You should also read about the benefits of open source. If there was a back door into SELinux, then you probably would have heard about it already. Being able to read the source is one of the main benefits of open source.
BTW, I have performed investigations on hacked servers that were hacked via a vulnerable PHP scripts. Most, if not all, of those compromised systems could have been saved if SELinux was enabled.
FAQ
Search
Members
Register
Login [ Anonymous ]
