Quote:
I'm sure, however, that we can agree that disabling services is not a replacement for a proper firewall setup (and vice-versa to a certain extent).
Very true. Disable the unneeded services AND put up a firewall.
A few ideas in no logical order:
GNU/Linux gives us the ability to understand the inner parts of the OS. Tweaking and closing ports is usually very easy.
Why would you leave a service that you don't need? You disable it, and when you need it again, you re-enable it.
The drawback of this is that when something does not work it can be hard to track down what you have to re-enable. I use the rc init levels for this.
My default run level has nothing I don't need. The others are untouched.
The same goes for the kernel: I have a custom kernel with the minimal stuff, and when I want to try new hardware etc., I'll take the packaged kernel to be sure to have the full features to see if it works. Then I'll create a new custom kernel.
It's always a trade-off between usability and security.
Depending on the context (home user, school, company, ...), the needs of the users are different and the sensitivity of the information is not the same.
As an example, in my company only http goes out. We don't need more. OK, I would need bittorrent, but my admin refuses for unknown reasons lol.
In a university I was at before, all ports were open to the outside; that was great for the users... and for the bad guys. We got compromised several times, but there was no sensitive information anyway.
If you look at any serious security checklist you will see two major things, which in fact are common sense!
-> Privilege. Why would you start your proxy server as user root when it doesn't need root's unlimited power?
-> Services. Why would you need stuff that you don't need? Are YOU able to say that these services are 100% bug-free? Not me.
Windows has failed on these two points.
We are talking here about inbound access, but do not forget about outbound access. Reverse shells exist; even vnc can be launched in reverse, which means that somebody can start a vnc server on your machine and the vnc server will connect to the vnc client. If your firewall also blocks outbound access, it will give more headache to the bad guys. After you've done the basic hardening, make the life of the cracker harder (otherwise it's not funny for him ahah).
Monitoring bandwidth (possibly on another bastion machine) can also be good, outbound and inbound. If during the night you see a peak of traffic, there's something wrong...
Also do not forget to make regular backups.
My rule:
- Do everything to not get cracked.
- I will be cracked, so what should I do in this case? After the compromise, it's too late. Yes, this costs money for something only potential... but sometimes less money than reinstalling or re-asking all your customers for their information.
As soon as a door has been found, it's your system security that'll be tested. If you have rogue accounts or poor passwords or an old kernel, etc., it won't take long.
Now I'll be fussy: for the people who say that leaving _unneeded_ services listening on localhost is not a risk: well, if somebody manages to get onto your machine as a user, or uses an open service to bounce to this localhost service, he can get higher privileges or send spam or whatever.
Sleep well
ps:
dickeyp, can you scan my machine also, it's
www .microsoft.com (I swear)
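The two checks the post above argues for, finding out what is actually listening and then allowing only the outbound traffic you need, as an added shell example that is not part of the original post. The `ss` output is a constructed sample so it runs offline; for real use feed it `ss -tulpnH` (iproute2) and load the generated ruleset with `nft -f -`. The table and chain names are arbitrary choices, and the allowed ports (80 and 443) stand in for the "only http goes out" policy.

```shell
#!/bin/sh
# Added example, not from the original post. Audits listening sockets and
# emits an nftables outbound allowlist. Assumes iproute2 `ss` for real use;
# the sample output below is constructed so the script runs offline.

# Constructed sample of `ss -tulpnH` output (header suppressed).
SAMPLE_SS='tcp   LISTEN 0      128    0.0.0.0:22       0.0.0.0:*    users:(("sshd",pid=812,fd=3))
tcp   LISTEN 0      128    127.0.0.1:631    0.0.0.0:*    users:(("cupsd",pid=640,fd=7))
tcp   LISTEN 0      511    *:80             *:*          users:(("nginx",pid=1023,fd=6))
udp   UNCONN 0      0      0.0.0.0:111      0.0.0.0:*    users:(("rpcbind",pid=512,fd=5))
tcp   LISTEN 0      128    [::1]:25         [::]:*       users:(("master",pid=900,fd=13))'

# Read `ss -tulpnH` lines on stdin; print "proto port process" for every
# socket bound to a non-loopback address. Loopback-only listeners are skipped
# here, but as the post says they are still reachable from a local foothold.
exposed_listeners() {
    awk '{
        addr = $5
        port = addr; sub(/.*:/, "", port)       # text after the last colon
        host = addr; sub(/:[^:]*$/, "", host)   # text before the last colon
        if (host == "127.0.0.1" || host == "[::1]") next
        proc = "?"
        if (match($7, /\("[^"]+"/)) proc = substr($7, RSTART + 2, RLENGTH - 3)
        print $1, port, proc
    }'
}

# Emit an nftables ruleset that lets only the given outbound TCP ports through
# (plus DNS and already-established flows). Anything else, such as a reverse
# shell calling home on an arbitrary port, is counted, logged and dropped.
# "outbound_filter" and "output" are names chosen for this example.
outbound_allowlist() {
    ports=$(printf '%s' "$*" | tr ' ' ',' | sed 's/,/, /g')
    cat <<EOF
table inet outbound_filter {
    chain output {
        type filter hook output priority 0; policy drop;
        oifname "lo" accept
        ct state established,related accept
        ct state invalid drop
        udp dport 53 accept
        tcp dport { $ports } accept
        log prefix "outbound-drop: " counter drop
    }
}
EOF
}

# Real use:  ss -tulpnH | exposed_listeners ;  outbound_allowlist 80 443 | sudo nft -f -
printf '%s\n' "$SAMPLE_SS" | exposed_listeners
outbound_allowlist 80 443
```

The audit prints sshd, nginx and rpcbind from the sample and leaves out cupsd and the postfix master, which are bound to loopback only. The `log ... counter drop` line is what makes the bandwidth-monitoring advice above actionable: a reverse shell that cannot get out shows up as a growing drop counter instead of a traffic peak.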