SCIENTIFIC-LINUX-USERS Archives

January 2017

SCIENTIFIC-LINUX-USERS@LISTSERV.FNAL.GOV

From: David Sommerseth <[log in to unmask]>
Date: Mon, 9 Jan 2017 15:04:55 +0100

On 08/01/17 05:18, jdow wrote:
> On 2017-01-07 19:30, David Sommerseth wrote:
>> On 06/01/17 23:56, Konstantin Olchanski wrote:
>>> On Sat, Dec 31, 2016 at 04:28:04PM -0800, jdow wrote:
>>>> ... new 7.2 machine.
>>>> ... SELinux issues.
>>>>
>>> You *must* disable SELinux in CentOS-7.
>>
>> *That* deserves the prize for the worst advice in 2017.  With '*must*',
>> that is just way too strong a piece of advice, which I hope nobody really
>> considers strongly.  It's equally as bad as saying "disable and flush
>> iptables because it blocks connections to your host".
>>
>> I honestly hoped we had moved much further forward than this ...
> 
> I have turned SELinux permissive to try to track down problems. It
> removes one giant unknown variable from the picture. I seldom leave it
> that way very long.

Which is the proper way to do it!

> And in a fairly clean (no servers) install iptables opened wide for
> brief periods can be considered "safe enough". 

Absolutely right!  Of course you should do a security assessment before
doing it, just to have an idea of the worst possible outcome and
consider if the risk is worth it or not.  But in many cases, this might
be very sensible to do.

> Now, if you have a
> telnetd running (but --- why would you do something so stupid?) opening
> the firewall is suicidal.

Yes.  But there might also be misconfigured inetd/xinetd services, http
servers providing information which should be restricted, databases,
various management interfaces, etc, etc.  Hence the security assessment
is a practical exercise before doing such a stunt.

Running 'ss -lntup' gives you a pretty good idea what the consequences
might be.  Of course if the box is routing traffic to other subnets,
that may also increase the risk.

> Blanket disabling both of them at once, permanently is stupid beyond
> belief, IMAO.

Yes!

> OTOH the people who got in so easily might figure it's a
> honeypot or something and walk away. But that's a stretch.

You're probably right, especially if the purpose of an attack was to get
insight.  If it was a drive-by-bot just wanting to install a spam-bot,
crawler or similar slave node, such details can just as well be ignored
on a target system.


-- 
kind regards,

David Sommerseth
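As an added example (not part of this thread, and not code from any of its authors), the kind of pre-flight check the 'ss -lntup' suggestion above amounts to, written as a small POSIX shell script: it lists the listening sockets another host could reach once the firewall is relaxed (everything not bound to loopback) and reports whether the box forwards IPv4 traffic, the "routing to other subnets" case. The socket table, with its program names, PIDs and ports, is constructed sample data shaped like ss output so the script runs offline; the function names are my own.

```shell
#!/bin/sh
# Added example, not from the original thread. Pre-flight check before
# temporarily opening the firewall: which services would actually be exposed?
# SAMPLE_SS is constructed to look like 'ss -lntup' output (header included).
# On a real host run:  ss -lntup | exposed_listeners

SAMPLE_SS='Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
tcp   LISTEN 0      128        127.0.0.1:3306      0.0.0.0:*    users:(("mysqld",pid=1234,fd=20))
tcp   LISTEN 0      128          0.0.0.0:22        0.0.0.0:*    users:(("sshd",pid=900,fd=3))
tcp   LISTEN 0      128                *:80              *:*    users:(("httpd",pid=1500,fd=4))
udp   UNCONN 0      0            0.0.0.0:68        0.0.0.0:*    users:(("dhclient",pid=700,fd=6))
tcp   LISTEN 0      128            [::1]:631          [::]:*    users:(("cupsd",pid=800,fd=10))
tcp   LISTEN 0      128             [::]:23           [::]:*    users:(("xinetd",pid=1000,fd=5))'

# Read an ss socket table on stdin and print one line per socket that is bound
# to something other than loopback, i.e. reachable from other hosts once packet
# filtering is relaxed. Output columns: proto port local-address scope program
exposed_listeners() {
    awk '$2 == "LISTEN" || $2 == "UNCONN" {
        la = $5
        i = match(la, /:[0-9]+$/)                # split "addr:port" at the last colon
        addr = substr(la, 1, i - 1)
        port = substr(la, i + 1)
        if (addr ~ /^127\./ || addr == "[::1]") next   # loopback only: not exposed
        scope = (addr == "0.0.0.0" || addr == "*" || addr == "[::]") ? "all-interfaces" : "specific"
        proc = $7
        gsub(/^users:\(\("|".*$/, "", proc)      # keep just the program name
        if (proc == "") proc = "-"               # ss shows no process without privileges
        print $1, port, addr, scope, proc
    }'
}

# True (exit 0) when IPv4 forwarding is on. Takes an optional path so it can be
# exercised against a constructed file instead of the live /proc entry.
ip_forwarding_enabled() {
    f="${1:-/proc/sys/net/ipv4/ip_forward}"
    [ -r "$f" ] && [ "$(cat "$f")" = "1" ]
}

# Demo on the constructed sample table.
echo "Sockets reachable from other hosts once the firewall is opened:"
printf '%s\n' "$SAMPLE_SS" | exposed_listeners
if ip_forwarding_enabled; then
    echo "NOTE: this host forwards IPv4 traffic; opening the firewall also exposes the subnets behind it."
fi
```

Telnet on 23 and the wildcard-bound xinetd listener show up as exposed while the loopback-only mysqld and cupsd sockets do not, which is exactly the distinction the "security assessment" in the thread is about. The forwarding check is the reason to look beyond the box itself before doing it.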
