[Gllug] Secure Internet Access Linux Box

Kim Hawtin kim at aldigital.co.uk
Fri Jun 21 07:09:25 UTC 2002


On Fri, Jun 21, 2002 at 07:13:10AM +0100, Mark Preston wrote:
> I seem to recall speaking to a Cambridge graduate and Perl guru after the 
> last GLLUG meeting I attended in February, and whose name escapes me, and he 
> was explaining that running X is basically insecure. 

the issues with X windows that you are referring to are about
Authentication and Authorisation. not "security" over the wire as
such. and no, "tunneling" it over ssh is not the answer.

> I was with Frank Sutton 
> and Anthony Shaper in the Green Man pub at the time. The topic was making my 
> head hurt, 

talking to MBM at the best of times makes my head hurt too...

> but after the third pint of beer I felt a bit better. To be really 
> secure would it not be better to run everything through a "hardware" firewall 
> such as IPCop or Smoothwall?

this is not the answer to fixing X windows.

> Notwithstanding what I have just written above, I would think that running 
> say Mandrake 8.2 secure which doesn't allow root to run X would be pretty 
> secure for most purposes, and it also allows normal users to run X. Even 
> running any type of Linux is likely to be less susceptible to viruses than an 
> IE/Windows set-up I would think.

if you have ports open to the world that you use for authentication
and authorisation then you are open to more attacks than just DoS.

the X windows "problem" is about how the overall model works, it
treats other machines on the network as trusted.

remember this was designed at about the same time as rsh and rlogin
were ... and now we have replaced these two with ssh.

the chunks of X windows that are vulnerable are using the same kind
of thinking that rsh does, and would take some serious effort to
bring it up to the same level as ssh...

kim
-- 
:Kim_Hawtin:--------------------------------------:-----------------:
| A.L. Digital Ltd.   Tel: +44 (20) 8742 0755     | "To hell        |
| The Stores          Fax: +44 (20) 8742 5995     |  with pants"    |
| 2 Bath Road         http://www.thebunker.net    |   - Bragi   -o) | 
| London W4 1LT       http://www.aldigital.co.uk  |             /\\ |
| UNITED KINGDOM      mailto:kim at aldigital.co.uk  |            _\_V |

          cat /dev/sda > /dev/dsp -- music is art


-- 
Gllug mailing list  -  Gllug at linux.co.uk
http://list.ftech.net/mailman/listinfo/gllug



