Spying

badkarma:
hmm ... 2.9p ... /me thinks it's upgrade time  :D

voidmain:
Karma, it's a good idea to get on the CERT mailing list where you will get notified of any new vulnerabilities as soon as they are known so you can upgrade the parts that become vulnerable. I find that running "stock" packages from a distribution (any distribution) is generally a bad thing.  Any packages that are exposed to the network (open sockets) should be upgraded to the latest versions which in itself will make you less prone to a hack down the road.  Hackers usually look for exploits in packages contained in a stock distribution that listen on network ports. Because a lot of people have the "Microsoft Mentality" of just installing the distro and leaving it at that, there is a much greater number of machines that can be hacked when an exploit is found.  If you upgrade, yours becomes "not like the others" and less prone to a hack.  But if you continually upgrade your network listening services you will be even less prone to an attack.  The first thing that should be done (and you have already done it) is limit the number of network listening services to a minimum, second would be to restrict those exposed services to a limited IP range, third have those packages up to date.

I have a dedicated machine acting as my firewall so I can be less strict about the machines behind my firewall.  But if I want to forward a couple of ports from an inside machine to the firewall, I still have to apply the rules I mentioned above to that inside machine.

badkarma:
Yeah ... I know I should really install slackware (or better yet, linuxfromscratch) and keep a limited selection of updated packages (because the amount of packages that ships with SuSE is kind of overkill) though there are a few problems I have with this:

1. still not quite enough knowledge to really feel comfortable when installing slack/LfS on my main workstation (but I got VMWare and my second pc for that)

2. it takes time, which is a rather limited commodity in my inventory (with all my projects at work and a personal pet project I started a short while ago)

Ow, I just remembered that I also (sometimes) have a postgresql server running, though not on the default port (5432 is kinda very obvious, even though a portscanner doesn't care about that) and it's the latest (7.2) version which is only 2 weeks old or so, plus I only allow 2 connections to the db, and those 2 are myself 99% of the time

I've never actually taken the time to take an in-depth look at security, somewhat because of lack of time, somewhat because of lack of interest and mostly because of the fact that the last virus I ever had was on my (parents' actually) 8086, though I never used a virus scanner under windows. This is changing a bit now since I started working for my present employer (and started using linux) though, and I'm developing an interest for networking and network security (so when I get bored with programming I can do something else, I'm after all a self taught man)

[ouch ... that layout hurted  :D ]

[ February 19, 2002: Message edited by: BadKarma ]

voidmain:
If you are like me (also self taught) then you probably end up teaching the instructor when you *do* take a formal class?  For me I find classes to be a waste of time.  Classes have to teach to the dumbest person in the class.  I don't recall ever learning something in a computer class that I didn't already know.

Speaking of PostgreSQL, I assume you already tightened up pg_hba.conf restricting access to limited IP addresses/users/databases.  You should follow similar rules with that as you do with your firewall.  Only grant access to those that need it.  And make sure you have passwords set!
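
Added example, not part of voidmain's post: a small Python check that reads a pg_hba.conf and reports records that are reachable from any address, open to every user on every database, or use `trust` (no password). It assumes the current record layout (type, database, user, address, method), which may differ from the 7.2 release mentioned in the thread; the sample file and the function names are constructed for illustration.

```python
import ipaddress

# Constructed sample in the current pg_hba.conf layout (not the poster's file).
SAMPLE = """\
# TYPE  DATABASE  USER   ADDRESS                 METHOD
local   all       all                            peer
host    appdb     karma  192.168.1.10/32         scram-sha-256
host    all       all    0.0.0.0/0               trust
host    appdb     all    10.0.0.0 255.255.255.0  md5
hostssl all       all    all                     scram-sha-256
"""

def is_ip(text):
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False

def prefix_len(addr):
    try:
        return ipaddress.ip_network(addr, strict=False).prefixlen
    except ValueError:
        return None  # hostname or keyword such as samenet

def audit_pg_hba(text):
    """Return [(line_no, [problems])] for records that grant too much."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        f = raw.split("#", 1)[0].split()  # assumes no quoted '#' or spaces
        if len(f) < 4:
            continue  # blank line, comment, or too short to be a record
        problems, rest = [], f[3:]
        if f[0] != "local":
            # Address is one field (CIDR, hostname, keyword) or IP plus netmask.
            addr = rest.pop(0)
            if rest and is_ip(rest[0]):
                addr += "/" + rest.pop(0)
            if addr == "all" or prefix_len(addr) == 0:
                problems.append("reachable from any address")
            if f[1] == "all" and f[2] == "all":
                problems.append("every user on every database")
        if rest and rest[0] == "trust":
            problems.append("trust: no password required")
        if problems:
            findings.append((no, problems))
    return findings

if __name__ == "__main__":
    for no, problems in audit_pg_hba(SAMPLE):
        print(f"line {no}: " + "; ".join(problems))
```

Point it at a real file with `audit_pg_hba(open(path).read())`; records using quoted names or include directives are outside what this sketch parses.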

badkarma:
You mean like my (minimum) of 14 characters pseudorandom, which aren't in any dictionary in the world (afaik) passwords?  :D

And I use a passphrase for SSH (hah, hope you like my 50+ character passphrase silly cracker)

Didn't tighten my pgsql access yet, thanks for mentioning it, will have a look at it now  
