
Re: [cobalt-security] FTP Scans



Hi Ed,

> Any alterations to the core
> system, hardware or software, and you void your warranty. It could not be
> any simpler than that. Now, I can not say if Sun would actually deny
> service, but they are within their rights to do so.

They are within their rights to do so based on US law, but warranty in Germany 
for instance is a bit different and the customer has more rights. But I don't 
want to go deeper into that issue as it is of little value.

However, I'd like to point one thing out:

The service "named" used to run as user "root", group "root" on the Cobalts, 
which is a severe security risk as many, many people have repeatedly pointed 
out over the last years. The solution was easy: Just one minor change in the 
startup script of service named and you were on the secure side. Now that 
would void the warranty, mind you. ;o)

Just this week SUN/Cobalt came out with a patch which fixed just that, and 
they changed exactly this line in the startup script.

Had this change been there back in March, then hundreds (!!) of servers 
worldwide would not have been hacked - mine included.

So you can bet money on the fact that I long ago decided for myself that the 
warranty is not worth the least bit of consideration when it comes to software 
enhancements or configuration changes. After all, in my line of business as a 
Linux freelancer I'm usually paid to fix machines which SUN/Cobalt professional 
services could not fix, or which they broke in the first place. ;o)

> Until we are confident with the system, it will remain in testing only. 

That's good for you and explains a lot. 

> While I can understand not wanting to handle problems created by the user, 
> I do feel that Sun could do a bit more on building a more secure 
> environment. In my opinion, it is like selling a car without wheels, and 
> voiding the warranty if you add them.

Amen to that, Ed. It is a good system they offer, but it doesn't help much 
that they sell it as an appliance for the point-and-click community. After 
all, it runs Linux and sooner or later any administrator will have to look 
under the hood and will have to tackle the underlying OS.

> I don't believe I ever said I had no interest in using IPChains. I did say
> I was not at a point that I was comfortable with altering them. [...] I've
> seen more messages regarding problems due to user error than
> those due to being hacked.

Yeah, but most of those problems could have been avoided by proper RTFM. The 
manpages for the different programs and tools are also a good source of 
information. And a lot of problems stem from the fact that people don't make 
use of the wisdom which is already available. Just look at the quality of 
questions on the Cobalt Support Forum which is available on the website. 
Sometimes I can only shake my head and wonder what's worse: The quality of 
the questions, or the quality of the answers from the SUN/Cobalt staff which 
looks after the forum. Why the forum sees the worst of it is easy to 
imagine: You need just a browser to get there, while a mailing-list like this 
requires some thinking on behalf of the people who want to post. ;o)

But back to the topic: If you ever want to give IPChains a try, then just ask 
the people in this place for advice and options, which go beyond what the 
manual says.

-- 

With best regards,

Michael Stauber
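An added audit helper illustrating the point Michael makes about "named" running as root:root on the Cobalts (example code added here, not from the mail, Sun/Cobalt or the cobalt-security list). It reads process listings in the layout of `ps -eo user,group,comm` and flags any named process still owned by root; the sample listings are constructed, and the "after" state assumes the startup script was changed to drop privileges (for example BIND's `-u` switch), not the exact line Cobalt's patch altered.

```shell
#!/bin/sh
# Audit helper (added example, not the original mail's or Cobalt's code):
# given lines in the format of `ps -eo user,group,comm`, report any "named"
# process that still runs as root. Both sample listings below are constructed.

# Prints the offending lines and returns 0 when named runs as root (user or
# group); returns 1 when every named process runs as an unprivileged account.
# The header line never matches because its third field is "COMMAND".
named_running_as_root() {
    awk '
        $3 == "named" && ($1 == "root" || $2 == "root") { print; found = 1 }
        END { exit found ? 0 : 1 }
    '
}

# Constructed sample: a box before the fix, named running as root:root
SAMPLE_BEFORE='USER     GROUP    COMMAND
root     root     init
root     root     named
nobody   nobody   httpd'

# Constructed sample: after the startup script was changed to drop privileges
# (assumed to use something like "named -u named"; the Cobalt patch line
# itself is not reproduced here)
SAMPLE_AFTER='USER     GROUP    COMMAND
root     root     init
named    named    named
nobody   nobody   httpd'

# Wraps the check for use in a cron job or login script; returns 1 on failure
# so it can be chained with other audit steps.
audit() {
    if printf '%s\n' "$1" | named_running_as_root >/dev/null; then
        echo "FAIL: named is running with root privileges"
        return 1
    fi
    echo "OK: named runs unprivileged"
    return 0
}

# Stand-alone run against the constructed samples; on a live host replace
# the sample with the output of: ps -eo user,group,comm
audit "$SAMPLE_BEFORE" || true
audit "$SAMPLE_AFTER"
```

On a live system pipe `ps -eo user,group,comm | named_running_as_root` instead of the constructed samples.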