Linux Security
Old October 23rd, 2007, 01:09 PM
Ansgar -59cobalt- Wiechers
Linux Hardening

2007-10-21 Liran Cohen wrote:
> Ajai Khattri wrote:
>> Wed, 17 2007, Liran Cohen wrote:
>>> What is the machine's location on your network (LAN\DMZ etc.)? What
>>> is the machine's role? You should ask yourself some questions before
>>> approaching hardening; I would not put the same effort into a machine
>>> which is located on my LAN as I would into making sure that DMZ
>>> machines are protected.
>>
>> I believe even machines on internal networks should all run local
>> firewalls at the very least. There's always some Windoze user
>> clicking on an email attachment they shouldn't click
>> on.

And then what? The services you need to be accessible in your LAN will
still be accessible (and thus exploitable) even if you run local packet
filters, because you need them to be accessible.

If any of your computers become infected because of someone clicking on
an attachment, your security concept has already failed several times,
and you should ask yourself some serious questions, including (but not
limited to):

- Why didn't the spam/malware filter on your mailserver catch the
attachment?
- Why didn't the local virus scanner catch the attachment?
- If the attachment is an executable: why did your Software Restriction
Policies (and temp directory settings) allow it to be executed?
- Why was an unneeded service running on the remote host?
- If it was started by a user: why did your Software Restriction
Policies allow that?
- If the exploit was not a 0day: why was the system not up-to-date?

On top of that: running a packet filter always means running additional
code that may contain additional (remotely exploitable) bugs. There has
already been a case (W32/Witty.worm) where systems became vulnerable
*because* they were running a local firewall.

> I completely agree, providing you have the time and don't have a couple
> of dozen Linux machines to maintain daily. In many cases you have
> to make a sensible choice about what would be worth more, or in other words
> assess where the risk is higher and invest most of your efforts there.

Reasonable risk assessments will most likely lead to the conclusion that
host-based packet filters in the LAN are not worth the effort.

Regards
Ansgar Wiechers
-- 
"All vulnerabilities deserve a public fear period prior to patches
becoming available."
Coombs on Bugtraq

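The thread turns on two checks a defender would actually run: what role and network location a host has, and whether an unneeded service is listening on it. The following is an added example, not code from any of the posters: a small Python audit that parses lines in the format printed by `ss -Hltnp` and reports listeners that the host's role does not justify. The role names, the allowlists, the `LOOPBACK` set and the sample `ss` lines are all constructed for illustration; only the `ss` invocation itself is a real iproute2 command.

```python
"""Audit a Linux host's listening TCP sockets against a per-role allowlist.

Added example for this thread (not code from the original posts). It parses
lines in the shape printed by `ss -Hltnp` and reports listeners that the
host's role (LAN file server vs. DMZ web server) does not justify. Role
names, allowlists and the sample `ss` lines are constructed for illustration.
"""
import re
import subprocess

# Constructed per-role allowlists: TCP ports each role is expected to expose
# to the network. Anything else listening on a non-loopback address is suspect.
ROLE_ALLOWLIST = {
    "dmz-web": {80, 443},
    "lan-fileserver": {22, 139, 445},
}

# Addresses that other hosts cannot reach; listeners bound here are not
# network-exposed, which is the property the thread argues about.
LOOPBACK = {"127.0.0.1", "::1", "[::1]"}

# Constructed sample output in the format of `ss -Hltnp` (header suppressed).
SAMPLE_SS_OUTPUT = """\
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=812,fd=3))
LISTEN 0 511 0.0.0.0:80 0.0.0.0:* users:(("nginx",pid=1201,fd=6))
LISTEN 0 511 [::]:443 [::]:* users:(("nginx",pid=1201,fd=7))
LISTEN 0 128 127.0.0.1:3306 0.0.0.0:* users:(("mysqld",pid=1330,fd=20))
LISTEN 0 50 0.0.0.0:111 0.0.0.0:* users:(("rpcbind",pid=540,fd=4))
"""

# Matches the first ("name",pid=N ...) entry in the Process column.
_PROCESS_RE = re.compile(r'\("([^"]+)",pid=(\d+)')


def parse_ss_line(line):
    """Return {'addr', 'port', 'process', 'pid'} for one `ss -ltnp` line, or None."""
    fields = line.split()
    if len(fields) < 5 or fields[0] != "LISTEN":
        return None
    # Field 4 is Local Address:Port; split on the last ':' so [::]:443 parses.
    addr, _, port = fields[3].rpartition(":")
    if not port.isdigit():
        return None
    match = _PROCESS_RE.search(line)
    process, pid = (match.group(1), int(match.group(2))) if match else ("?", None)
    return {"addr": addr, "port": int(port), "process": process, "pid": pid}


def parse_ss_output(text):
    """Parse every LISTEN line of `ss -Hltnp` output, skipping unparsable ones."""
    return [entry for entry in map(parse_ss_line, text.splitlines()) if entry]


def unexpected_listeners(text, role):
    """Network-reachable listeners that the role's allowlist does not cover."""
    allowed = ROLE_ALLOWLIST[role]
    return [
        e for e in parse_ss_output(text)
        if e["addr"] not in LOOPBACK and e["port"] not in allowed
    ]


def live_ss_output():
    """Run the real `ss -Hltnp` on this host (needs iproute2; unused by the sample)."""
    return subprocess.run(
        ["ss", "-Hltnp"], capture_output=True, text=True, check=True
    ).stdout


if __name__ == "__main__":
    # Audit the constructed sample as if this host were a DMZ web server.
    for entry in unexpected_listeners(SAMPLE_SS_OUTPUT, "dmz-web"):
        print(f"unexpected on dmz-web: {entry['process']} (pid {entry['pid']}) "
              f"listening on {entry['addr']}:{entry['port']}")
```

Against the sample, the DMZ web role flags sshd on 22 and rpcbind on 111 while ignoring mysqld, which is bound to loopback only; the same lines audited as a LAN file server flag nginx on 80 and 443 and rpcbind instead. Swapping `SAMPLE_SS_OUTPUT` for `live_ss_output()` turns this into a per-host check that answers "why was an unneeded service running?" before an incident rather than after.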

© 2003-2009 by Developer Shed. All rights reserved. DS Cluster 3 hosted by Hostway