Re: a couple of friendly Owl security questions / comments

From: Solar Designer (solar@private)
Date: Mon Oct 21 2002 - 14:30:34 PDT

On Mon, Oct 21, 2002 at 12:34:53AM -0000, soso@private wrote:
> I am blown away by the high level of security in the standard Openwall 1.0
> install - Amazing job to all concerned!


> I have a couple of comments and
> questions, though.  First, I had to `echo 1 >
> /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts`.  Is there a reason this
> isn't done by default in order to discourage the use of Openwall boxes for
> icmp DDoS attacks?

No, no special reason.  I've added it to my TODO and will hopefully do
so soon (it's trivial, but needs to be documented in sysctl.conf comments
properly).  This is not the only default sysctl setting that we could
want to change.  I am still unsure about SYN cookies, but we'll probably
turn them on despite the very small added risk of bypassing certain
packet filter setups with it (there's no longer a need to send a SYN
if one manages to guess the sequence number for the SYN/ACK packet).

> Secondly, I had to disable ctrl-alt-del reboots. 
> Though this is more of a "personal choice" issue, it seems that allowing
> anyone who can get their hands on the keyboard to reboot the machine
> (possibly with a nasty floppy or cdrom in the drive) is insecure.

It doesn't make much sense to change the default for just the console
reboots.  It would only make sense if we also provide a restrictive
default boot loader configuration (otherwise there's always
"init=/bin/sh" and other tricks) and tell the user to possibly secure
their BIOS/firmware setup.  But even then, letting people with
physical access request a reboot is generally just a convenience,
such that they don't have to do it by hardware means.

> And finally, it would be nice if `wipe` or some other secure deletion
> program were included in the distro :).

There's shred(1).  We even used to patch its man page to document
possible cases when it fails to work, before that piece got into the
official man page of a newer version (which we've since updated to).

> Thanks for putting together such a squeaky-clean distro.  Now I can sleep
> well at night...

You're welcome.
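
Added example, not part of the original message and not Owl's own code: a shell check of sysctl.conf-format text for the two settings discussed above, next to the running kernel's value where /proc/sys is readable. The sample configuration is constructed, the function names are hypothetical, and `net.ipv4.tcp_syncookies` is the kernel's key for SYN cookies, which the message does not spell out.

```shell
#!/bin/sh
# Constructed sample input (not Owl's shipped sysctl.conf).
sample_conf() {
    cat <<'EOF'
# constructed sample
net.ipv4.icmp_echo_ignore_broadcasts = 0
; a later assignment overrides an earlier one
net/ipv4/icmp_echo_ignore_broadcasts=1
#net.ipv4.tcp_syncookies = 1
EOF
}

# Print the value configured for key $1 in the text on stdin, or "unset".
# Handles '#' and ';' comments, optional spaces around '=', '/' or '.' as
# the key separator, and last-assignment-wins ordering.
conf_value() {
    awk -v want="$(printf '%s' "$1" | tr '/' '.')" '
        /^[ \t]*([#;]|$)/ { next }
        {
            eq = index($0, "=")
            if (eq == 0) next
            key = substr($0, 1, eq - 1); val = substr($0, eq + 1)
            gsub(/[ \t]/, "", key); gsub("/", ".", key)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (key == want) { found = val; seen = 1 }
        }
        END { print (seen ? found : "unset") }'
}

# Print the running kernel value for key $1, or "unavailable".
runtime_value() {
    path=/proc/sys/$(printf '%s' "$1" | tr '.' '/')
    if [ -r "$path" ]; then cat "$path"; else echo unavailable; fi
}

# Read config text on stdin, report both keys, and return the number of
# keys that the config does not set to 1.
audit_conf() {
    conf=$(cat); weak=0
    for key in net.ipv4.icmp_echo_ignore_broadcasts net.ipv4.tcp_syncookies; do
        val=$(printf '%s\n' "$conf" | conf_value "$key")
        if [ "$val" = 1 ]; then state=ok; else state=WEAK; weak=$((weak + 1)); fi
        printf '%-44s conf=%-6s running=%-12s %s\n' \
            "$key" "$val" "$(runtime_value "$key")" "$state"
    done
    return "$weak"
}

sample_conf | audit_conf || echo "keys not enabled in config: $?"
```

A commented-out line counts as unset, so a setting that only exists as documentation in sysctl.conf is reported as WEAK even when the running kernel happens to have it enabled.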

