On Tuesday, August 27, 2019 4:37:24 AM MST David Kaufmann wrote: > Both option have their disadvantages - in the case of "maintainer opens > ports" the ports are open as soon as the package gets installed, and > software not run/installed via package manager will give the impression > of "just not working". Why in the world would somebody from the security team recommend opening a port on the firewall as the software is installed, before it's even configured? > Also a firewall is not that much protection as it looks like - imagine > any port (above 1024) which was opened on the firewall (either by > maintainer or user), but where no program is listening on. The > additional barrier to run e.g. a c&c server on that machine would just > be an additional portscan in before deploying the malware. Just running a firewall reduces the attack vector needed to deploy potential malware to begin with. > As the issue of "users piping stuff through wget/curl to sh/bash" also > was mentioned: > In such a case any firewall won't help, as outbound connection usually > are not filtered - also those tend to run on port 80/443 anyways, which > usually is open even in heavily filtered networks. Feel free to read that as "users shooting themselves in the foot", it was one example of running a potentially malicious program by accident that I figured everyone here would understand. -- John M. Harris, Jr. <johnmh@xxxxxxxxxxxxx> Splentity https://splentity.com/ _______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
