[Dshield] Jail and Harden DNS
areust at comcast.net
Sun Mar 28 23:42:24 GMT 2004
Jon and Tonni et al,
Over the years we all have been invited (professional courtesy) or obliged via
contractual obligation to go examine Servers/Services on machines outside
"our direct" control. Security is as much Policy as physical settings on a
specific Server/Service. How "we" learned Internetworking and Security
results in "favorite" tools and physical settings. In some cases Security was
not learned until you had "burned fingers" that needed healing, or you had a
trusted friend that helped to Educate you. In most cases we can/should help to
Educate (Thank You Jon) and/or require Policy to dictate a specific Level of
Security.
How you combat "those excuses" (lack of knowledge) is the key. I prefer
Honey to Vinegar.
In most cases, I hope, Education is very high on Everyone's priority list.
You can write the report that tells the CEO/CIO/CTO that his System
Administrator needs to do this NOW! The System Administrator is now no longer
your friend. What have you gained or lost?
Being very generalistic, I have found during the examination that if you can
get the Sys Admin to start correcting (by demonstration/example) and get a
good interactive dialog going, then life is a lot easier. Additionally, if I
can get the Sys Admin to start pushing Uphill, and the CEO/CIO/CTO is
informed that "WE" did "find" a few things and "YOUR Crew" is right on top of
it, with these items already being corrected and these follow-on
recommendations, and the Sys Admin states that "they" should have the other
items corrected shortly, then the "Outbrief" becomes pleasant for everyone.
You have provided "Service and Value."
It then becomes Education and Win/Win for everyone. It opens new levels of
communication at every level, and the CEO/CIO/CTO has a warm fuzzy that
"Their" Sys Admin is the correct person for the job.
If the Sys Admin is a Moron and rejects everything (poor education, lack of
concern/desire, communications skills, etc.), then by all means Tactfully
"Drop the Bomb!"
Yes we all have "Favorite" configurations for various reasons.
At 05:53 PM 3/28/2004 +0200, you wrote:
>Sat, 27.03.2004 at 22.24, Jon R. Kibler wrote:
> > Probably the two excuses I have heard most for not jailing and
> > hardening named were:
> > 1) I didn't know anything about it... the O/S install instructions
> > didn't say anything about doing it.
> > 2) I tried to do chroot named, but I could never get it to work.
>I don't run ISC's 9.2.3 named daemon (I continue to pronounce it
>"named") chroot. I do run an iptables filter "REJECT" in front of it on
>this machine (RedHat RHEL3 with several home-brewed mods), though - here
>it's a caching, non-authoritative name server.
>I wouldn't see any reason to run it chrooted, any more than I see any
>reason to run Postfix 2.0.19 chrooted. My main reason is that there
>have never been any reported exploits with either. And many have tried.
>As a matter of curiosity, why don't you mention the 101 other much more
>susceptible daemons, starting with Apache/PHP and ending with sshd? Not
>to speak of OpenSSL's ASN.1 and buffer overflow stuff, for which
>statically compiled binaries would seem to pollute much of the exposed *nix
>stuff on the Internet at the moment?
>mail: billy - at - billy.demon.nl