Re: HW and SW threats: how to block?

On 04/10/2018 01:22 PM, Joe Zeff wrote:
> On 04/10/2018 01:03 PM, Rick Stevens wrote:
>> 4. Use a highly restrictive firewall. Mine's set up so that NOTHING
>> unsolicited gets in except ssh from specific IPs and DNS responses.
>>
> 
> That's a good idea, but remember, DNS responses aren't unsolicited;
> they're replies to queries you sent out.

True, but old DNS uses UDP and thus the responses aren't "related" to a
given query (a stateful firewall couldn't necessarily determine that an
incoming DNS UDP reply was solicited or not).

>> 5. Don't disable SELinux. This may be a pain, but it can catch some
>> nasty stuff.
> 
> And not just malicious code, either.  SELinux used to prevent Google
> Earth from running because of something called "text redirection."
> Looking it up, it's a way to hook into an interrupt so that your code
> gets executed first, then the regular code.  This was a common way to
> hook in TSR programs back in the MS-DOS days, and several could be
> daisy-chained to the keyboard interrupt.  Not only is it a way to add
> malware to a program, it can cause strange problems if the program
> crashes and/or doesn't clean up properly on exit.  I'm not accusing
> Google of offering malware, just of using outmoded methods to connect
> their programs to the system.  Later, of course, they cleaned up their
> act and SELinux stopped blocking them.  It also caused problems with one
> BOINC project about a decade or so ago because it was trying to walk
> *all* of /proc for no good reason.  Enough of us reported it that the
> maintainers pulled it until they could fix the bug.  Again, not malware,
> but still something that needed correcting.

Another one SELinux keeps from running is ZoneMinder (ZM) or other
webapps that use Perl. I put in a lot of rules to let ZM run at my
house. They're carefully crafted, I know what the rules do (and they're
all ZM-specific), but those who don't grok SELinux will disable SELinux
or put it in permissive mode to run ZM (and other programs like it).
Not good.
----------------------------------------------------------------------
- Rick Stevens, Systems Engineer, AllDigital    ricks@xxxxxxxxxxxxxx -
- AIM/Skype: therps2        ICQ: 22643734            Yahoo: origrps2 -
-                                                                    -
-        Brain:  The organ with which we think that we think.        -
----------------------------------------------------------------------
_______________________________________________
users mailing list -- users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to users-leave@xxxxxxxxxxxxxxxxxxxxxxx
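The exchange above turns on whether a stateful firewall can tell a solicited UDP DNS reply from an unsolicited packet arriving on UDP/53. The following is an added example, not code from either poster or from any firewall project: it models the approach a connection tracker takes for UDP, remembering the 5-tuple of each outbound query and only accepting an inbound packet that reverses it within a timeout, and adds a stricter check that the reply's DNS transaction ID matches one still outstanding. Addresses, ports, timestamps and the minimal DNS headers are all constructed for the demo.

```python
"""Toy stateful filter for UDP DNS replies (added illustration, not from the thread).

Models how a connection tracker accepts UDP "replies": an inbound packet is
allowed only if it reverses the 5-tuple of a query we sent recently. On top
of that, the DNS transaction ID must match an outstanding query, which a
plain 5-tuple tracker does not check.
"""
import struct
from dataclasses import dataclass, field

HOST = "192.0.2.10"        # constructed local address (TEST-NET-1)
RESOLVER = "192.0.2.53"    # constructed recursive resolver
TIMEOUT = 30.0             # seconds an open query slot stays valid (assumed value)


@dataclass
class Packet:
    """Just the fields the filter needs from a UDP datagram."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: bytes
    ts: float


def dns_header(txid: int, is_response: bool) -> bytes:
    """Constructed 12-byte DNS header; bit 15 of the flags (QR) marks a response."""
    flags = 0x8180 if is_response else 0x0100
    ancount = 1 if is_response else 0
    return struct.pack("!HHHHHH", txid, flags, 1, ancount, 0, 0)


def parse_dns_header(payload: bytes):
    """Return (txid, is_response) or None if the payload is too short to be DNS."""
    if len(payload) < 12:
        return None
    txid, flags = struct.unpack("!HH", payload[:4])
    return txid, bool(flags & 0x8000)


@dataclass
class UdpDnsState:
    timeout: float = TIMEOUT
    # (src_ip, src_port, dst_ip, dst_port) of the outbound query -> slot
    flows: dict = field(default_factory=dict)

    def outbound_query(self, pkt: Packet) -> None:
        """Record an outbound query so its reply can later be matched."""
        hdr = parse_dns_header(pkt.payload)
        if hdr is None or hdr[1]:          # ignore garbage and outbound responses
            return
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        slot = self.flows.setdefault(key, {"expires": 0.0, "txids": set()})
        slot["expires"] = pkt.ts + self.timeout
        slot["txids"].add(hdr[0])

    def inbound_verdict(self, pkt: Packet) -> str:
        """Decide whether an inbound UDP packet is a solicited DNS reply."""
        # A reply reverses the query's 5-tuple: its src is our dst and vice versa.
        key = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        slot = self.flows.get(key)
        if slot is None:
            return "DROP:no-flow"
        if pkt.ts > slot["expires"]:
            del self.flows[key]
            return "DROP:expired"
        hdr = parse_dns_header(pkt.payload)
        if hdr is None or not hdr[1]:
            return "DROP:not-a-response"
        txid, _ = hdr
        if txid not in slot["txids"]:
            return "DROP:txid-mismatch"
        slot["txids"].discard(txid)        # each query is answered at most once
        return "ACCEPT"


def run_scenario() -> list:
    """Replay a constructed sequence of packets and collect the verdicts."""
    state = UdpDnsState()
    state.outbound_query(Packet(HOST, 40001, RESOLVER, 53, dns_header(0x1234, False), 100.0))
    verdicts = [
        # genuine reply to the query above
        state.inbound_verdict(Packet(RESOLVER, 53, HOST, 40001, dns_header(0x1234, True), 100.2)),
        # replay of the same reply: the txid slot has already been consumed
        state.inbound_verdict(Packet(RESOLVER, 53, HOST, 40001, dns_header(0x1234, True), 100.3)),
        # packet from a host we never queried, even though it comes from port 53
        state.inbound_verdict(Packet("198.51.100.7", 53, HOST, 40001, dns_header(0x1234, True), 100.4)),
    ]
    # a second query whose answer arrives after the timeout window
    state.outbound_query(Packet(HOST, 40002, RESOLVER, 53, dns_header(0xAAAA, False), 200.0))
    verdicts.append(
        state.inbound_verdict(Packet(RESOLVER, 53, HOST, 40002, dns_header(0xAAAA, True), 231.0)))
    return verdicts


if __name__ == "__main__":
    for v in run_scenario():
        print(v)
```

The 5-tuple plus timeout is what a kernel connection tracker can offer for UDP on its own; the transaction ID check is an extra layer the filter in this example adds, and it still does not protect against a forged reply that guesses both the source port and the 16-bit ID, which is why resolvers randomise source ports in the first place.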