[vox-tech] security

Rick Moen rick at linuxmafia.com
Sat Aug 16 08:26:02 PDT 2008


[I'm assuming and hoping Bill won't mind my posting this on-list.]

Quoting Bill Broadley (broadley at gmail.com):

> Heh, I pissed off your mailserver, a recent change to our aliases had left
> out postmaster, and your server seems to cache its probe of the postmaster
> address.  Presumably the cache expires at some point.

Sorry about that.  Upon seeing your note (above), I exempted
cse.ucdavis.edu from the checks for RFC-mandated mailboxes (abuse and
postmaster).

> I'll try to resend my previous mail later, but I did want to mention
> that I do agree with Ranum in that patching to justify running crappy
> software is inexcusable.  But I pick my network facing applications
> rather carefully, things like postfix, apache2, ssh, ISC bind, etc.

Well, FWIW, I think all of those things are overfeatured for most/many
deployments.  BIND9 is, even after Nominum's from-scratch rewrite that
replaced the BIND8 spaghetti code, still a mess at the design level and
OpenSSH is sadly dependent on the horribly buggy OpenSSL spaghetti code.

Apache2 is reasonably implemented but has way, way too much that it's
willing to do.  It's capable of being locked down, which is the good
news in that picture, but I personally prefer Lighttpd or even
Boa/thttpd for many deployments.  I respect Postfix, but wish there were
a general-purpose MTA that was a _bit_ more bare-bones.

If you implement less overfeatured alternatives _or_ limit the
functionality of the overfeatured thing you did choose, you can probably
ignore most security advisories after skim-reading them to make sure you
have buggy module [foo] disabled, and thus elude the patch treadmill.
Note Ranum's example:

  Back in 1996 a buddy of mine and I set up a web server for a
  high-traffic significant target. It was not the White House; it was a
  porn site. We invested 8 hours (of our customer's money) writing a small
  Web server daemon that knew how to serve up files, cache them, and
  virtualize filenames behind hashes. It ran chrooted on a version of UNIX
  that was very minimized and had code hacked right into the IP stack to
  toss traffic that was not TCP aimed at port 80. 10 years later, it's
  still working, has never been hacked, and has never been patched.

When I was chief sysadmin at a one-time famous Linux company in San
Francisco, I insisted (against management qualms) on using a
stripped-down Boa installation for an important site deployment.  Years
later, when the firm shut down, I believe they were still running my
unpatched installation, and with no problems.

> But even when you make decisions where you carefully consider the
> security implications and try to pick the most practical solution not
> patching for 5 years seems impossible at least for a non-trivial set
> of servers and services.

Ranum begs to differ.

I'm still working on getting OpenSSL out of my life.  Maybe GNU TLS will
turn out to be less of a basket case -- but that's been a problem area,
and difficult to replace.
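The approach described in the mail above (disable what you do not use, then confirm module [foo] really is off before skim-reading and dismissing its advisory) as an added shell example; this is not code from the original message or from any of the projects named in it. It assumes the `Loaded Modules:` / ` name_module (static|shared)` output format of `apache2ctl -M`; the sample output and the allowlist are constructed for a static-file site and would be replaced with the live command and the deployment's own list.

```shell
#!/bin/sh
# Added example (not from the original mail): audit the modules an Apache 2
# instance has loaded against an explicit allowlist, so that an advisory for
# module [foo] can be set aside because [foo] is provably not loaded.

# Constructed sample of `apache2ctl -M` output; on a live host this would be
# "$(apache2ctl -M 2>/dev/null)".
SAMPLE_LOADED_MODULES='Loaded Modules:
 core_module (static)
 so_module (static)
 http_module (static)
 mpm_event_module (shared)
 authz_core_module (shared)
 dir_module (shared)
 mime_module (shared)
 log_config_module (shared)
 cgi_module (shared)
 status_module (shared)
 userdir_module (shared)'

# Assumed allowlist: what a stripped-down static-file deployment is meant to run.
ALLOWED_MODULES='core_module so_module http_module mpm_event_module
authz_core_module dir_module mime_module log_config_module'

# extract_modules: reduce apache2ctl -M output to one module name per line.
extract_modules() {
    printf '%s\n' "$1" | awk '/_module \((static|shared)\)/ { print $1 }'
}

# unexpected_modules: print each loaded module that is not in the allowlist.
unexpected_modules() {
    loaded=$1
    allowed=" $(printf '%s' "$2" | tr '\n' ' ') "
    for m in $(extract_modules "$loaded"); do
        case "$allowed" in
            *" $m "*) ;;              # allowlisted, nothing to report
            *) printf '%s\n' "$m" ;;  # loaded but not expected: flag it
        esac
    done
}

# audit_modules: status 0 only if every loaded module is allowlisted.
audit_modules() {
    extra=$(unexpected_modules "$1" "$2")
    if [ -n "$extra" ]; then
        printf 'unexpected modules loaded:\n%s\n' "$extra" >&2
        return 1
    fi
    return 0
}

# Run against the constructed sample; three modules are flagged here.
audit_modules "$SAMPLE_LOADED_MODULES" "$ALLOWED_MODULES" || true
```

Run periodically (or from a configuration-management check), a non-zero status from `audit_modules` means something re-enabled a module that the deployment's threat model assumed was off, which is exactly the case where the "skip the advisory" shortcut stops being safe.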

