Re: make gnome listen on localhost:*



This is a really enjoyable discussion, unfortunately I don't know enough about the
subject to follow it completely.  Can someone point me to a web page where I can
learn more about closing up all the holes?  I am running a machine with the
standard RedHat 6.2 installation, which judging from this discussion is probably
wide open since I haven't done anything to shore it up.

Derek Simkowiak wrote:

> -> > > As Gnome becomes more popular on desktops with permanent network
> -> > > connections, you can be sure that this will become a popular break-in
> -> > > route.
> -> >
> -> > So unplug it from the network - there are plenty of other more interesting
> -> > network services to choose from if you want to break in.
>
>         Maybe it's just me, but this statement seems incredibly dangerous
> and ignorant.  I read that as "Why should we secure Orbit, there are
> plenty of other things people can use to break in."  (?!)
>
> -> > Or install a firewall, or set up TCP Wrappers properly.
> ->
> -> The less technically minded will not know how to do this, or understand
> -> why they need to.
>
>         I agree about the less technically minded folks.  I think the
> Gnome target audience includes people from the I-Mac target audience.
> "Firewall? TCP?  Wrappers?  Install something?  What does that mean?"
>
> -> to be serving up anything which I have not deliberately and explicitly
> -> turned on.
>
>         Now if this small bit of common sense would only make it to the
> Linux distro management people...
>
>         Every network service should be turned OFF by default.  If you
> want to serve telnet, web, etc. then you should have to explicitly turn
> that crap on.  Installing Apache (et al.) by default is cool; just don't
> turn it on by default!
>
>         At least then you'll KNOW that you're opening a door to your
> system (and won't be left wondering why you were made vulnerable to a
> security exploit for a service you never even used).
>
> -> installation.  It (and any other services) should be turned on only by
> -> people who understand what they are doing, and undertake to keep it up to
> -> date and secure.
>
>         Oops... didn't realize that had already been said :)
>
> -> couple of years ago.  This has led to some colleges banning Linux
> -> machines from being connected to the network.
>
>         Speaking as an administrator: As long as the popular Linux distros
> ship with network services enabled by default, banning those distros from
> your campus network is not a bad idea.  The last thing an admin wants is a
> bunch of inexperienced newbies offering network services that they don't
> understand, can't configure, and won't maintain.
>
>         Of course I love Linux, but the current state of "default"
> installations really bugs me.
>
>         In regards to Orbit, I see it as Yet Another Unwarranted Service
> that will be turned on.
>
>         Don't you think that, if I wanted to offer a CORBA object to
> other machines, I would know that I needed to explicitly turn on CORBA
> services?  And if I have to turn it on, I'll know to upgrade it when a
> security patch comes out.
>
> -> that does not mean that it should be listening by default.  The OpenSSH
> -> code went through the rigorous OpenBSD security procedures, but a fairly
>
>         The SSH history is such a great example of why ports should be
> closed, unless they are explicitly needed.
>
>         I read an email on one of the lists that said there was an Orbit
> configuration option (was it compile-time or run-time?  Don't remember)
> that would use a local Unix socket (PF_UNIX) instead of a TCP/IP stream
> (PF_INET).
>
>         Assuming that's true: for god's sake, make the default Unix
> sockets!  How many Gnome users (experienced or otherwise) really need to
> export their CORBA objects to other computers?
>
>         CORBA may make a great substitute for COM, but since Orbit is
> being used in Gnome for desktop applications (and not distributed
> computing problems), keep those ports closed!
>
> </RANT>
>
> --Derek
>
> P.S.> I'm glad to hear about the audit...
>
> _______________________________________________
> gnome-list mailing list
> gnome-list@gnome.org
> http://mail.gnome.org/mailman/listinfo/gnome-list
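The thread's point is that a desktop user should be able to see which services are reachable from the network rather than only on loopback or a Unix socket. The following audit script is an added example, not code from this thread or from Gnome/ORBit: it parses the Linux `/proc/net/tcp` table (assumed format, little-endian host, IPv4 only) and reports LISTEN sockets bound to a non-loopback address. The sample table embedded below is constructed for the example.

```python
import ipaddress
import os
from typing import Dict, List

LISTEN = "0A"  # TCP_LISTEN state code as printed in /proc/net/tcp

# Constructed sample of /proc/net/tcp: sshd on all interfaces, smtp on
# loopback only, a uid-1000 desktop process on port 10000 on all
# interfaces, and one established (non-listening) connection.
SAMPLE = """  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1234 1 0000000000000000 100 0 0 10 0
   1: 0100007F:0019 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1235 1 0000000000000000 100 0 0 10 0
   2: 00000000:2710 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 1236 1 0000000000000000 100 0 0 10 0
   3: 0100007F:0035 0100007F:8F3A 01 00000000:00000000 00:00000000 00000000     0        0 1237 1 0000000000000000 20 0 0 10 -1
"""


def parse_proc_net_tcp(text: str) -> List[Dict]:
    """Return the LISTEN sockets in a /proc/net/tcp dump as dicts.

    The kernel prints the IPv4 address as 8 hex digits in host byte order
    (little-endian on x86) and the port as 4 big-endian hex digits.
    """
    sockets = []
    for line in text.splitlines()[1:]:  # first line is the column header
        fields = line.split()
        if len(fields) < 8 or fields[3] != LISTEN:
            continue
        hex_ip, hex_port = fields[1].split(":")
        ip = ipaddress.IPv4Address(int.from_bytes(bytes.fromhex(hex_ip), "little"))
        sockets.append({"ip": str(ip), "port": int(hex_port, 16), "uid": int(fields[7])})
    return sockets


def exposed_listeners(sockets: List[Dict]) -> List[Dict]:
    """Keep only listeners that a remote host could reach (not bound to 127/8)."""
    return [s for s in sockets if not ipaddress.IPv4Address(s["ip"]).is_loopback]


def audit(text: str) -> List[str]:
    """One human-readable line per network-reachable listener."""
    return [f"{s['ip']}:{s['port']} listening, owned by uid {s['uid']}"
            for s in exposed_listeners(parse_proc_net_tcp(text))]


if __name__ == "__main__":
    # Audit the live table when run on Linux, otherwise the constructed sample.
    path = "/proc/net/tcp"
    table = open(path).read() if os.path.exists(path) else SAMPLE
    for line in audit(table):
        print(line)
```

A listener bound to 0.0.0.0 and owned by an ordinary user id is exactly the case the thread argues against: a desktop component exporting a service that only needed a loopback or Unix socket.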