information from someone who routinely audits Windows and Linux machines
With RH9, sendmail was the default, and I am almost positive it was running by default. I forgot if FC1 had it going by default, but it seems like it was.
KMail is not supposed to be run as root. (dnaber, 2002-11-13)
Many systems prohibit the access to the root mail account via pop3 protocol. Tip: If you want / have to read the mail of root let the mailsystem forward the mail to your user account by adding the file ~/.forward to root's home directory. The content of this file should be your email address. (Ferdinand Gassauer, 2001-03-20) http://kmail.kde.org/security.html There we are.
Sendmail is on by default, but it's configured to only send outgoing mail and transfer messages from localhost. The user has to edit the sendmail config in order to have it bound to an external IP and accept remote connections.
Slowly but surely I guess. Hopefully they'll turn off some of the other crap like Portmapper and NFS in the default config as well. To be fair though, most of the other linux distros are just as bad as Redhat. The few exceptions would probably be hardened, security-oriented distros.
Originally posted by Capt_Caveman Sendmail is on by default, but it's configured to only send outgoing mail and transfer messages from localhost. The user has to edit the sendmail config in order to have it bound to an external IP and accept remote connections.
If I remember correctly, the lockdown to localhost was introduced in RH8.
Originally posted by benjithegreat98 I agree with what you said, frogman, except for the above statement. The first thing I do when I install an OS is turn off the unnecessary net services. Windows or Linux. Install RedHat or FC and see what is running. It is definitely not a "bare bones" setup. I would say at the very least, ssh is running on almost any distro. Not everyone needs ssh. I see sendmail running already on most of them.
Ok statement qualified: almost none
I know Slack and Debian have unwanted services running at first boot, but it's ages since I looked at Red Hat. The distro I install the most is Mandrake 9.1 (because it has a high initial success rate on $random_laptop_hardware IME).
Specifically, towards the end of the installer, you're prompted (if you've selected server x, y and z), that they're on by default and is this OK. Then (about two screens later) gives you a list of services that will run on boot which you can toggle on or off.
The only running services you can't change / stop listening before the first boot is the X-server which (IIRC) only listens on the loopback and is blocked by netfilter. SSH isn't installed by default, nor is sendmail.
So, very distro-specific, but for where I install it, it's easier to stop X listening on the loopback than to harden Win2K / XP on umpteen laptops.
I was speaking in general terms. I am fully aware that *nix is easier to harden than a Windows machine. Believe me, no argument there. But just about every Linux install (I'm sure there are other exceptions than the one you mentioned, too) will have unnecessary services running. I did install mandrake 9.1 one time, and I admit, I did forget that it does give you the option at install to toggle off unnecessary services. Maybe, when I said sendmail was running on most of them it should have said "some" of them. But anyways, the point I was trying to make is that, in general, Linux is not necessarily in a secure state after the installation.
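To check the distinction drawn in the posts above (a service such as sendmail bound only to localhost versus one reachable from the network after a default install), here is an added example that is not part of the original thread. It assumes input in the column layout of `ss -H -ltn`; the sample lines are constructed, not captured from a real host.

```python
import ipaddress

# Constructed sample in the layout of `ss -H -ltn`:
# State  Recv-Q  Send-Q  Local-Address:Port  Peer-Address:Port
SAMPLE_SS_OUTPUT = """\
LISTEN 0 10  127.0.0.1:25      0.0.0.0:*
LISTEN 0 128 0.0.0.0:22        0.0.0.0:*
LISTEN 0 128 0.0.0.0:111       0.0.0.0:*
LISTEN 0 128 [::1]:6000        [::]:*
LISTEN 0 64  *:2049            *:*
LISTEN 0 128 127.0.0.53%lo:53  0.0.0.0:*
"""

def split_endpoint(local):
    """Split 'addr:port' into (addr, port); handles [v6] brackets and %iface."""
    addr, _, port = local.rpartition(":")
    addr = addr.strip("[]").split("%", 1)[0]
    return addr, int(port)

def is_loopback_only(addr):
    """True only for addresses in 127.0.0.0/8 or ::1; wildcards are exposed."""
    if addr in ("*", ""):
        return False
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False  # unparseable: report as exposed so it gets reviewed

def audit_listeners(ss_output):
    """Group listening TCP sockets into loopback-only and network-exposed."""
    report = {"loopback": [], "exposed": []}
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        addr, port = split_endpoint(fields[3])
        key = "loopback" if is_loopback_only(addr) else "exposed"
        report[key].append((addr, port))
    return report

if __name__ == "__main__":
    result = audit_listeners(SAMPLE_SS_OUTPUT)
    for addr, port in result["exposed"]:
        print(f"exposed : {addr} port {port}  (disable or firewall if not needed)")
    for addr, port in result["loopback"]:
        print(f"loopback: {addr} port {port}")
```

On a live system the same function can be fed the output of `ss -H -ltn` run right after installation, before the machine is put on a network.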
Originally posted by frogman
I'd take a clueful windows admin over a newbie linux guy any day.
Are there still clueful windoze admins about? I work for a HUGE services company and it took them 10 days to respond to a "can I get read access to \\server\foo to download my new project?" When they did respond, they said "are you running XP or 2K?" WTF? Hey, after 1 day I just found someone else to get it for me. BTW, this is the shortest story, not the worst story.
Prior to this most of the big companies I did business with had admin staffs that were so lacking in knowledge that their managers were frightened to death of touching the servers. They might as well have run on black magic voodoo for all they knew. Tell them they needed a vital security patch and they would hem and haw for weeks trying to avoid having any problems blamed on them.
And yes, it is very easy to programmatically raise the access level for exploits in windoze (you have to, to write a shutdown program), but so many people run as local admins anyway...the true open door is MS Office VBA exploits. Oh man, that's a fertile environment.
Originally posted by sick-o-windoze Are there still clueful windoze admins about?
I have 5. No clue = no job.
Quote:
I work for a HUGE services company and it took them 10 days to respond to a "can I get read access to \\server\foo to download my new project?"
maybe they don't like you? (joke)
Quote:
but so many people run as local admins anyway..
Not on my network - no-one runs as root / admin. Messing with your machine is just asking to be given a typewriter for a week. (Yes, it has been done, they deserved it and their line manager laughed when they complained to him).
Originally posted by sick-o-windoze Are there still clueful windoze admins about? Oh man, that's a fertile environment.
Yes it is! I have plunged deep into my doz boxes - - but I am outa doz now but I still know a bit about it. The most useful tool I ever enjoyed was Zone Labs Zonealarm firewall. After that was how to work in the registry editor, sadly an -after the fact- deal.
Quote:
Originally posted by sick-o-windoze Are there still clueful windoze admins about?
More than you might think. My job description is installing hardware/software for enterprises, so I see more networks than most people. I'd say maybe 1 in 4 or 5 companies actually have pretty decent IT teams. OK, so the ratio is horrible, but that does mean there are a lot of people out there who know their stuff.
Possibly the most bizarre install I ever did was trying to show a guy how to use our software while he was RDP'ing into about 40 servers and installing the patch on them for the RPC/DCOM exploit, desperately trying to beat Lovesan/Blaster. Talk about overworked and underpaid.