[buug] Linux Security Site

Rick Moen rick at linuxmafia.com
Mon Feb 14 12:25:19 PST 2000


Quoting Zeke Krahlin (ezekielk at iname.com):

> Just found this gem of a site:
> 
> 	Linux Security Home Page
> 	http://www.cslug.net/~jtmurphy/

On-the-fly impressions:

Murphy's statements on the "Mission" page _do_ seem to indicate that he
has a clue:  He's not one of the "everyone runs Red Hat" moron crowd,
and he doesn't waste time tracking down extra bugs for a known-buggy
version.  He's skeptical of "exploits" posted without surrounding
explanation.

I like it already.

The "Other Security Links" page:  Decent, but vastly underdeveloped.

"Programs to keep your system safe" page:  SSH, check.  (Good!)
Tripwire, hmm:  He apparently isn't aware that Tripwire is obsolete,
and has gone proprietary.  I'll have to write him, and tell him about
AIDE.  See: http://linuxmafia.com/pub/linux/security/tripwire-why-not.txt

"crack"/"John the Ripper", good.  "tcp wrappers", good.  Hmm:  Overall,
this page makes a good start, but is incomplete.  He needs to cover
COPS, GNUPG, SATAN, proper configuration of anonymous ftp access, and
various SSL implementations.  The latter will become even more important 
when RSA Data Security's USA patent on the RSA algorithm (on which SSL is
based) expires on Sept. 20, 2000.

The SSH section of that page is likewise very incomplete.  He doesn't
even mention OpenSSH, and cites only two of the many client
implementations.  See:
http://linuxmafia.com/pub/linux/security/ssh-clients

"Information to keep your system safe" page:  Outstanding!  This is
a rare jewel, and will benefit many.

Overall site rating:  B+ -- and I'm probably being a bit stingy.  Added
to my security bookmarks.  

> Just ran Linux (Mandrake 6.1 w/KDE 1.1) on the 'net (as normal user,
> not root or super), and tested security: all my ports are open!

Practically all Linux distributions install by default with miserable
security.  Since this isn't likely to change for a while, it behooves
sysadmins (which includes anyone who installs Linux on a box with
network access) to compensate for this by tightening down their systems,
post-installation.  A _lot_, actually.

> I found this out by using the following online resource:
> 
> 	Shields UP! -- Internet Connection Security Analysis
> 	http://grc.com/x/ne.dll?bh0bkyd2
> 
> Anyone who wants to test online security from *any OS, should include
> this site, IMO.
 
I don't think using Gibson's snake-oil solution is any substitute for
studying your system locally.  Use nmap or a similar port-scanner on
your local system, for one thing.  Otherwise, you're relying on Gibson &
co. to know what they're doing, and I wouldn't have much confidence in
that.




