[Dshield] Jail and Harden DNS

Al Reust areust at comcast.net
Sun Mar 28 23:42:24 GMT 2004


Jon and Tonni et al

Over the years we all have been invited (professional courtesy) or via 
contractual obligation to go examine Servers/Services on machines outside 
"our direct" control. Security is as much Policy as physical settings on a 
specific Server/Service. How "we" learned Internetworking and Security 
results in "favorite" tools and physical settings. In some cases Security 
was not learned until you had "burned fingers" that needed healing, or you 
had a trusted friend that helped to Educate you. In most cases we 
can/should help to Educate (Thank You Jon) and/or require Policy to dictate 
a specific Level of Security.

How you combat "those excuses" (lack of knowledge) is the key. I prefer 
Honey to Vinegar.

In most cases, I hope, Education is very high on Everyone's priority list. 
You can write the report that tells the CEO/CIO/CTO that his System 
Administrator needs to do this NOW! The System Administrator is now no 
longer your friend. What have you gained or lost?

Being very general: I have found during the examination that if you can 
get the Sys Admin to start correcting (by demonstration/example) and a good 
interactive dialog going, then life is a lot easier. Additionally, if I can 
get the Sys Admin to start pushing Uphill, with the CEO/CIO/CTO being 
informed that "WE" did "find" a few things and "YOUR Crew" is right on top 
of it, with these items already being corrected and these follow-on 
recommendations, and the Sys Admin states that "they" should have the other 
items corrected shortly, then the "Outbrief" becomes pleasant for everyone. 
You have provided "Service and Value."

It then becomes Education and Win/Win for everyone. It opens new levels of 
communication at every level, and the CEO/CIO/CTO have a warm fuzzy that 
"Their" Sys Admin is the correct person for the job.

Conversely

If the Sys Admin is a Moron and rejects everything (poor education, lack of 
concern/desire, communications skills, etc.), then by all means Tactfully 
"Drop the Bomb!"

Yes we all have "Favorite" configurations for various reasons.


At 05:53 PM 3/28/2004 +0200, you wrote:
>Sat, 27.03.2004 at 22.24, Jon R. Kibler wrote:
>[...]
>
> > Probably the two excuses I have heard most for not jailing and 
> hardening named were:
> >    1) I didn't know anything about it... the O/S install instructions 
> didn't say anything about doing it.
> >    2) I tried to do chroot named, but I could never get it to work.
>
>I don't run ISC's 9.2.3 named daemon (I continue to pronounce it
>"named") chroot. I do run an iptables filter "REJECT" in front of it on
>this machine (RedHat RHEL3 with several home-brewed mods), though - here
>it's a caching, non-authoritative name server.
>
>I wouldn't see any reason to run it chrooted, any more than I see any
>reason to run Postfix 2.0.19 chrooted. My main reason is that there
>have never been any reported exploits with either. And many have tried
>;)
>
>As a matter of curiosity, why don't you mention the 101 other much more
>susceptible daemons, starting with Apache/PHP and ending with sshd? Not
>to speak of Openssl's ASN.1 and buffer overflow stuff, for which
>static-compiled binaries would seem to pollute much of the exposed *nix
>stuff on the Internet, at the moment?
>
>--Tonni
>
>--
>
>mail: billy - at - billy.demon.nl
>http://www.billy.demon.nl


R/

Al
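The second excuse Jon quotes ("I tried to chroot named, but I could never get it to work") usually comes down to nobody checking whether the jail is actually in effect. The following audit helpers are an added example, not code from Al's or Tonni's posts: they report whether a given process really runs with a root other than "/" (read from /proc/PID/root, so Linux only) and whether a jail directory has the skeleton a chrooted named needs. The expected jail layout (etc, dev, var/named, var/run under the jail root) and the default jail path /var/named/chroot are assumptions modelled on common bind-chroot packaging, not something the thread specifies.

```shell
#!/bin/sh
# Added example, not part of the DShield thread: audit helpers for checking
# whether a named daemon is really running in a chroot jail and whether the
# jail directory has the skeleton it needs.

# Directories a named chroot jail is assumed (here) to need; the layout is
# modelled on common bind-chroot packaging and is not taken from the thread.
JAIL_DIRS="etc dev var/named var/run"

# is_chrooted PID: print "yes" if the process's root (/proc/PID/root) is not
# the real "/", "no" if it is, "unknown" if /proc does not expose it.
# Exit status: 0 = yes, 1 = no, 2 = unknown.
is_chrooted() {
    target=$(readlink "/proc/$1/root" 2>/dev/null) || { echo unknown; return 2; }
    if [ "$target" = "/" ]; then
        echo no
        return 1
    fi
    echo yes
    return 0
}

# jail_missing_dirs JAILDIR: print every expected directory that is missing
# under JAILDIR, one per line. Returns 0 when nothing is missing, 1 otherwise.
jail_missing_dirs() {
    jail="$1"
    rc=0
    for d in $JAIL_DIRS; do
        if [ ! -d "$jail/$d" ]; then
            echo "$d"
            rc=1
        fi
    done
    return $rc
}

# audit_named_jail PID JAILDIR: combine both checks into one report.
# Prints one line per finding; returns 0 only when the process is chrooted
# and the jail skeleton is complete.
audit_named_jail() {
    pid="$1"
    jail="$2"
    rc=0
    case $(is_chrooted "$pid") in
        yes)     echo "pid $pid: running chrooted" ;;
        no)      echo "pid $pid: NOT chrooted (root is /)"; rc=1 ;;
        unknown) echo "pid $pid: cannot read /proc/$pid/root"; rc=1 ;;
    esac
    missing=$(jail_missing_dirs "$jail") || rc=1
    if [ -n "$missing" ]; then
        echo "$jail: missing jail directories:"
        echo "$missing" | sed 's/^/  /'
    else
        echo "$jail: jail skeleton complete"
    fi
    return $rc
}

# Run directly as:  sh named-jail-audit.sh "$(pidof named)" /var/named/chroot
# (pidof is a Linux tool; the jail path is the assumed default from above.)
if [ "$#" -eq 2 ]; then
    audit_named_jail "$1" "$2"
fi
```

The process check is the one that matters: a jail directory can be laid out perfectly while named was started without the chroot option, and only /proc/PID/root tells you which root the running daemon actually sees.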
