[Courses] [Security] Locked-down boxes (was: safe use of nmap)

[Raven, corporate courtesan]

Heya --

Quoth Terri Oda (Mon, Mar 18, 2002 at 01:21:42PM -0500):
> I was quite pleased to discover that since I went to change settings, I now 
> have nothing listening externally, and only what I expect listening 
> internally, according to nmap.  (At least this is true when I'm not doing 
> anything)  Of course, this means my computer is pretty much useless as a 
> server, but since it's *not* a server and rarely acts as one, I'm happy 
> with this as my initial state after booting and starting up X. :)
 
	Good for you!  If more people set up their workstations and
servers to offer only the services they were using (which is often none,
or just ssh, for a workstation) the Net would be a whole lot more
secure.  It's an awful feeling to realize that a box of yours was
compromised because of an old, vulnerable version of a service you never
even used.  I can't tell you how many people I know that were hit with
the Lion worm and didn't even know they were vulnerable.  As automated
exploitation of Linux vulnerabilities increases, we're going to have to
start being stricter sysadmins in order to keep our systems secure.

	Also, there's a big difference between a box using a port and a
box listening on a port.  Client applications do the former, and
networked server applications do the latter.  There's much less risk to
you from using client applications, since the ports they use are
short-lived, more random, and variable.  It takes a skilled black hat to
intercept and hijack a TCP session.  Even with the existence of
automated hijack tools like hunt, the requirements of local access to
some part of the path of the TCP session and the rarity of that level of
TCP savvy will usually save you.

Cheers,
Raven
 
"Sed, sed, awk.  Like duck, duck, goose.  Sync, sync, halt.  It's the
 order of nature."
  -- me, after too long a day at work