[Dshield] Jail and Harden DNS

Tony Earnshaw tonye at billy.demon.nl
Mon Mar 29 12:55:54 GMT 2004

søn, 28.03.2004 kl. 22.15 skrev Jon R. Kibler:

> There have been exploits reported against earlier versions of BIND, and 
> it is only a matter of time before someone breaks this version. The 
> reason for chroot-ing named is the same as for getting a flu shot -- it
> is preventative medicine; should someone break named, you are protected.
> > As a matter of curiosity, why don't you mention the 101 other much more
> > susceptible daemons, starting with Apache/PHP and ending with sshd? Not
> > to speak of Openssl's ASN.1 and buffer overflow stuff, for which
> > static-compiled binaries would seem to pollute much of the exposed *nix
> > stuff on the Internet, at the moment?
> IMHO, every daemon that runs as root is a potential security risk. Even
> if there are no known exploits against a daemon, it does not mean that
> it is secure and you should relax your vigilance.
> Any daemon that doesn't need to run as root shouldn't. Any daemon that
> accesses only a small set of data (such as named) should run chroot-ed.
> Unfortunately, many daemons must run as root and cannot be chroot-ed
> and still run properly.

Ah. But my BIND 9.2.3 daemon runs as user nobody. 

> Any daemon that is not essential to a system's operation should not be
> run (this applies to ALL O/Ses!). Any daemon that transfers data via
> clear text (ftp, telnet, imap, pop, r* cmds, etc.) should not be run
> and a secure replacement should be used instead.

Absolutely. I'm not all that happy about having sshd run as root. Al of
my other daemons exposed to the Internet run unprivileged, inetd/xinetd
only runs fam.

> Furthermore, any user that needs to access only a small set of 
> applications should also run as chroot-ed user. (This probably means
> that most users should run chroot-ed!)

That would be the ideal.

> I mentioned named because it seems to universally be the most 
> insecurely configured daemon in default configurations. Our experience
> also shows that it is most probed and misused daemon -- exceeding
> probes against Apache by usually about 10 to 1. Also, there are many
> DOS exploits against named, so it helps to harden it.

Again I agree, which is a: why I keep my installs up to date and B. why
it runs as nobody. However, I agree about others' installs. Few admins
act on security info in SANS newsbytes, CERT or for Linux people vuln.

> (Don't believe that most BIND installations are insecure? Look at the
> example following the signature paragraph.)

Oh, I've seen it myself. As I said, most admins don't think much about
security of any sort.

> Yes, there are are lot of daemons with known big holes in them, and there
> is little you can do to protect them except to keep them patched. I picked
> named because it can be easily protected but few know how. The daemons
> with known security holes get a lot of after-the-fact publicity, and
> most people keep them patched. Also, many other daemons, such as 
> Apache, have default configurations that run them as non-root users, so
> most are run as non-root users. By default, named is not!


> Bottom line: I wrote the original posting to make people aware there is
> a lot you can do to protect yourself against named DOS attacks and to
> protect your system WHEN the next named exploit is found. 
> As Ben Franklin said, "An ounce or prevention is worth a pound of cure."

But exhorting them to subscribe to the above security bulletins and take
them seriously would be the best thing. To help them help themselves
would be preferable. I wonder how many *n?x admins took any notice of
your posting. Security is an attitude of mind and few take it seriously.



mail: billy - at - billy.demon.nl

More information about the list mailing list