Forum OpenACS Q&A: Response to Help! no SSH Telnet Access

Posted by S. Y. on

Just a few comments on topics that others have touched here.

  1. A firewall for a standalone web server might not be a great benefit. As Jon mentioned, it's probably just as well to lock down the box and not run anything you don't need; the basic premise of a firewall is to provide a protective barrier to other systems.
  2. The redundancies in top are not insignificant. A cracker could easily upload a binary and rename it whatever (init, identd, etc.), and without careful analysis this makes a top listing with redundancies removed useless.
  3. Concerning 2.4 Linux kernel releases and the notion of "official tested distribution", I don't think there's such a thing. Linux kernels do not submit to any QA process. Two of the seventeen 2.4 releases have been flagged as "don't use" -- i.e., showstoppers (the last being 2.4.15 which had a filesystem corruption bug). This might be an argument to switch to *BSD, but I'm not sure about that.
  4. In Bob's case, it appears that this is a production box. Telling him to switch to *BSD isn't really an immediate solution. It might be a longer term alternative for him to consider. (Refer to point 6, below though.)
  5. Switching to *BSD might not be all that helpful. Bob has publicly disclosed two incidents of his boxes getting cracked. There is evidence of what I consider to be shortcomings -- use of ftpd, old kernels, SSH1 protocol, use of Webmin -- some of which are egregious (particularly ftpd and old kernels).
  6. However, there is clear indication here that whoever is responsible for server security simply isn't good enough to do the job, whether on OpenBSD, Linux, Solaris, you name it. I mean, there's very elementary stuff not being done here (e.g., banishing ftpd).

I think that Linux can be a relatively secure OS, but it certainly is not from a shrink-wrapped distribution (especially an older one like RH 7.0 that hasn't been actively upgraded and fed the latest kernels). Nowadays, Red Hat is marginally more aware of security issues for its basic software installation, but everyone who installs it must realize that the software installer is designed for maximum hardware compatibility, and not optimized for performance or security.
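Three of the points above (a renamed binary hiding in top, SSH protocol 1 still enabled, ftpd still running) can be checked mechanically. The following is an added shell example written for this page; it is not part of the original post or of OpenACS. It assumes OpenSSH-style `Protocol 2,1` syntax in sshd_config, classic inetd.conf service lines for ftpd, and Linux `/proc/<pid>/exe` links; a missing `Protocol` line is treated as allowing version 1, on the assumption that sshd builds of that era defaulted to `2,1`. The config files it is run against here are constructed samples, not real host files.

```sh
#!/bin/sh
# Added audit helpers (not from the original thread). They check plain-text
# configs for problems the post lists: SSH protocol 1 still allowed, ftpd still
# enabled via inetd, and a running process whose executable does not live
# where a packaged binary would. Sample inputs below are constructed.

# Returns 0 (true) if sshd_config allows SSH protocol 1.
# Assumption: OpenSSH syntax ("Protocol 2,1"); a missing Protocol directive is
# treated as allowing 1, since older OpenSSH defaults included it.
sshd_allows_protocol1() {
    awk '
        /^[[:space:]]*#/ { next }                       # skip comment lines
        tolower($1) == "protocol" {
            seen = 1
            n = split($2, v, ",")
            for (i = 1; i <= n; i++) if (v[i] == "1") found = 1
        }
        END { exit (found || !seen) ? 0 : 1 }
    ' "$1"
}

# Returns 0 (true) if an uncommented "ftp" service line exists in inetd.conf.
inetd_enables_ftp() {
    grep -Eq '^[[:space:]]*ftp[[:space:]]' "$1"
}

# Classify a resolved /proc/<pid>/exe target. Prints "ok" for binaries under
# the usual system directories and "suspicious" otherwise (deleted files,
# /tmp, /dev/shm, home directories). A renamed upload shows up in top as
# "init" or "identd", but its exe link still points at the real file.
classify_exe_path() {
    case "$1" in
        *' (deleted)') echo suspicious ;;
        /bin/*|/sbin/*|/usr/bin/*|/usr/sbin/*|/usr/lib/*|/usr/libexec/*|/lib/*) echo ok ;;
        *) echo suspicious ;;
    esac
}

# Walk live processes and print the suspicious ones. Needs root to read every
# exe link; links that cannot be read are skipped. Always returns 0.
audit_running_processes() {
    for exe in /proc/[0-9]*/exe; do
        target=$(readlink "$exe" 2>/dev/null) || continue
        [ "$(classify_exe_path "$target")" = suspicious ] && \
            echo "$(dirname "$exe") -> $target"
    done
    return 0
}

# Demo on a constructed sshd_config (not a real host file).
demo=$(mktemp)
printf 'Port 22\n# Protocol 2\nProtocol 2,1\n' > "$demo"
if sshd_allows_protocol1 "$demo"; then
    echo "sshd_config still allows SSH protocol 1"
fi
rm -f "$demo"
```

Run `audit_running_processes` as root on the box itself; anything reported from /tmp, a home directory, or a deleted file deserves the careful analysis the post asks for before trusting what top shows. The two config checks are meant to be run against copies of /etc/ssh/sshd_config and /etc/inetd.conf pulled off the host.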