in reply to
Security matters: keep thy doors closed!
merlyn started an excellent thread on writing secure
Perl code here.
Two things that really ought to be considered when
securing a box:
- Follow your software. You don't necessarily have to
follow BUGTRAQ (although it's a damn good idea), but if
you don't at least check for security patches every week
for your OS and daemons, you're in trouble. The Code
Red worm proliferated as widely and as quickly as it did
mostly because systems weren't being patched to close
the hole it exploited.
Of course, very few of us have the time to constantly
monitor software for available patches and upgrades,
evaluate any patches that come along, and install the
useful ones in a timely manner. That's where our
favourite system-administration language (no, not
ksh!) comes along. Some clever work with
Mail::Audit can pull interesting-looking BUGTRAQ
messages out of the noise for your attention, and a
weekly cron job to check the status of your favourite
packages from the FreeBSD Ports tree (or Freshmeat, or
whatever) can at least spare you the burden of
remembering to do it by hand. (When I get a few dozen
round tuits, I'll finish and post my stuff.)
- If you're running an MTA, ferglubsakes make sure that
your box isn't an open relay. Open relay abuse isn't as
sexy a computer crime as your bog-standard remote root
exploit (or VBscript worm), but it is an attack:
someone's using your box without your authorization to do
(very impolite) things you didn't intend it to do. Make
sure your MTA's locked down, and nobody's going to have
to blacklist you.
Update: Oh, and flame, flame for using the
deprecated sense of hacker.
Update 2: So merlyn didn't provide any concrete,
spelled-out "this is a common problem, this is how you
solve it" examples in that node, but IMAO
the "design for security" mindset is at least an order of
magnitude more important than a cookbook approach based on
checking off a list of common vulnerabilities. That said,
the thread as a whole is more useful than merlyn's node
taken by itself -- not the least thanks to cjf's
response -- so I've changed the wording a bit.
--
The hell with paco, vote for Erudil!
:wq
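
The Mail::Audit idea from the first point above, as an added example; it is not the poster's code. The watch list, the folder paths and the `/bugtraq/` header match are assumptions to adapt, and the message after `__DATA__` is constructed.

```perl
#!/usr/bin/perl
# Added example (not the poster's code): triage BUGTRAQ mail with Mail::Audit.
use strict;
use warnings;
use Mail::Audit;

# Assumptions: the watch list and folder paths are placeholders to edit.
my @WATCH = qw(openssh apache bind sendmail);
my $HOT   = "$ENV{HOME}/Mail/bugtraq-watch";
my $REST  = "$ENV{HOME}/Mail/bugtraq-other";

# Names from @watch that appear as whole words in the subject or body.
sub watched_hits {
    my ($subject, $body, @watch) = @_;
    my $text = join '', $subject, "\n", @$body;
    return grep { $text =~ /\b\Q$_\E\b/i } @watch;
}

# Decide where a message belongs: undef = not list mail, else a folder path.
sub triage {
    my ($mail) = @_;
    my @hdrs = map { my $h = $mail->get($_); defined $h ? $h : '' }
               qw(List-Id Sender To Cc);
    return unless join(' ', @hdrs) =~ /bugtraq/i;   # assumed list marker
    my $subject = $mail->subject;
    my @hits = watched_hits(defined $subject ? $subject : '', $mail->body, @WATCH);
    return @hits ? $HOT : $REST;
}

if (@ARGV && $ARGV[0] eq '--demo') {
    # Dry run on the constructed message below; nothing is delivered.
    my $mail = Mail::Audit->new(data => [<DATA>]);
    print "would file under: ", triage($mail) // 'default inbox', "\n";
} else {
    # Normal use: message on STDIN, e.g. from ~/.forward or procmail.
    my $mail   = Mail::Audit->new(emergency => "$ENV{HOME}/Mail/emergency");
    my $folder = triage($mail);
    defined $folder ? $mail->accept($folder) : $mail->accept;
}

__DATA__
From: someone@example.org
To: bugtraq@example.org
List-Id: <bugtraq.list-id.example.org>
Subject: Constructed sample: remote issue in OpenSSH

This is a constructed message body mentioning OpenSSH for the dry run.
```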