Re: [cobalt-security] FTP Scans
- Subject: Re: [cobalt-security] FTP Scans
- From: Michael Stauber <cobalt@xxxxxxxxxxxxxx>
- Date: Sun, 18 Nov 2001 23:21:23 +0100
- Organization: Stauber Multimedia Design
- List-id: Mailing list for users to address network security on Cobalt products. <cobalt-security.list.cobalt.com>
Hi Ed,
> Any alterations to the core
> system, hardware or software, and you void your warranty. It could not be
> any simpler than that. Now, I can not say if Sun would actually deny
> service, but they are within their rights to do so.
They are within their rights to do so based on US law, but warranty in Germany
for instance is a bit different and the customer has more rights. But I don't
want to go deeper into that issue as it is of little value.
However, I'd like to point one thing out:
The service "named" used to run as user "root", group "root" on the Cobalts,
which is a severe security risk, as many, many people have repeatedly pointed
out over the last years. The solution was easy: just one minor change in the
startup script of service named and you were on the secure side. Now that
would void the warranty, mind you. ;o)
Just this week SUN/Cobalt came out with a patch which fixed just that, and
they changed exactly this line in the startup script.
Had this change been there back in March, then hundreds (!!) of servers
worldwide would not have been hacked - mine included.
So you can bet money on the fact that I long ago decided for
myself that the warranty is not worth the least bit of consideration when it
comes to software enhancements or configuration changes. After all, in my
line of business as a Linux freelancer I'm usually paid to fix machines which
SUN/Cobalt professional services could not fix, or which they broke in the first
place. ;o)
> Until we are confident with the system, it will remain in testing only.
That's good for you and explains a lot.
> While I can understand not wanting to handle problems created by the user,
> I do feel that Sun could do a bit more on building a more secure
> environment. In my opinion, it is like selling a car without wheels, and
> voiding the warranty if you add them.
Amen to that, Ed. It is a good system they offer, but it doesn't help much
that they sell it as an appliance for the point-and-click community. After
all, it runs Linux, and sooner or later any administrator will have to look
under the hood and will have to tackle the underlying OS.
> I don't believe I ever said I had no interest in using IPChains. I did say
> I was not at a point that I was comfortable with altering them. [...] I've
> seen more messages regarding problems due to user error than
> those due to being hacked.
Yeah, but most of those problems could have been avoided by proper RTFM. The
manpages for the different programs and tools are also a good source of
information. And a lot of problems stem from the fact that people don't make
use of the wisdom which is already available. Just look at the quality of the
questions on the Cobalt Support Forum which is available on the website.
Sometimes I can only shake my head and wonder what's worse: the quality of
the questions, or the quality of the answers from the SUN/Cobalt staff who
look after the forum. Why the forum sees the worst of it is easy to
imagine: you need just a browser to get there, while a mailing list like this
requires some thinking on behalf of the people who want to post. ;o)
But back to the topic: if you ever want to give ipchains a try, then just ask
the people in this place for advice and options which go beyond what the
manual says.
--
With best regards,
Michael Stauber
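As an added example (not from the post above, and not Sun/Cobalt's patch), here is a small audit check for the problem Michael describes: network daemons such as named running as root. It feeds `ps -eo user,comm`-style output through awk and prints every watched daemon that runs under uid root. The process listing embedded below is constructed sample data so the script runs offline; on a live Cobalt you would pass the real `ps` output instead, as the commented call shows.

```shell
#!/bin/sh
# Audit check: which of the watched network daemons run as root?

# Constructed sample of `ps -eo user,comm` output (not from a real host).
# It deliberately shows named both as root (the old Cobalt default) and
# as an unprivileged user, so the check has something to flag.
SAMPLE_PS='USER     COMMAND
root     init
root     named
root     sshd
nobody   httpd
named    named'

# root_daemons PS_OUTPUT "daemon1 daemon2 ..."
# Prints the name of each watched daemon that has at least one process
# owned by root; prints nothing when every watched daemon is unprivileged.
root_daemons() {
    printf '%s\n' "$1" | awk -v list="$2" '
        BEGIN {
            n = split(list, w, " ")
            for (i = 1; i <= n; i++) watch[w[i]] = 1
        }
        # skip the USER/COMMAND header line, then match root-owned watched daemons
        NR > 1 && $1 == "root" && ($2 in watch) && !(seen[$2]++) { print $2 }'
}

# Stand-alone demo on the constructed listing: prints "named".
root_daemons "$SAMPLE_PS" "named proftpd httpd"

# On a live system you would use the real process table instead:
# root_daemons "$(ps -eo user,comm)" "named proftpd httpd"
```

Anything the check prints is a daemon worth re-examining in its startup script. For BIND the usual way to have named drop root privileges is its `-u user` command-line option; the post does not say which exact line Cobalt's patch changed, so treat that as general BIND knowledge rather than a description of their fix.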