Re: [cobalt-users] Security Hardening Update RaQ4
- Subject: Re: [cobalt-users] Security Hardening Update RaQ4
- From: "Jonathan Michaelson" <michaelsonjd@xxxxxxxxxxx>
- Date: Thu Aug 8 15:35:29 2002
- List-id: Mailing list for users to share thoughts on Sun Cobalt products. <cobalt-users.list.cobalt.com>
Andy,
> > "Security Hardening patch for the Sun Cobalt RaQ 4 server appliance.
> > Includes port scan detection and buffer overflow detection."
> >
> > http://sunsolve.sun.com/patches/cobalt/raq4.eng.html
> >
> > I haven't cracked it open yet to look at it and don't think Cobalt has
> > announced it either. Any insight?
> </snip>
>
> I've just applied it to our RaQ4 here, it already had ipchains and
> portsentry manually installed with rulesets installed.
> Nothing was modified or damaged in the install, and as already mentioned
> the new entries have been added to the Control Panel.
> I've yet to test out the security options, but will be doing so later
> today to check portscanning, etc. alerts, although I'll probably stick to
> using portsentry.
> I didn't do a reboot, as I don't believe in them, and the pkg still
> appears to have restarted/loaded correctly and set itself up.
You should do a reboot in this instance. There's a new kernel in this
update.
I've installed it on a test server and tested out the port scanning
functionality and it works wonderfully. It's much more effective than
portsentry on its own since it operates directly with the ethernet port,
though you probably don't gain anything over a portsentry+ipchains
configuration.
It appears to use the same firewall as the Qube3 package (Sun's Phoenix
FireWall) and you can monitor activity of that in /var/log/phoenix.log
As for the buffer overflow protection, they've implemented Immunix'
StackGuard http://www.immunix.org/ . This protects against "stack smashing"
and uses a replacement GCC compiler. What they have done is rebuilt the
existing binaries for the port-exposed daemons plus the kernel to prevent
this type of attack. This is why if you've upgraded any of the typical
services such as proftpd, sendmail, apache, qpopper, imap, bind, telnet and
your kernel it will be downgraded to the Sun Cobalt standard version.
It seems like a very handy update.
One point of interest, there is a warning in the configuration of the port
scan protection that if you go beyond just logging and switch on blocking it
does warn that you may open yourself to DoS attacks. It's obvious why, but
will be interesting to see if and when people are affected by this.
Funny that it's not actually been announced - who feels like a beta tester?
--
Regards,
Jonathan Michaelson
Commercial CGI Scripting, Web Hosting
Web-based Email, Homepage Creation and Live Help products
http://www.webumake.com
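The StackGuard mechanism mentioned in the message above, as an added illustration that is not code from the thread, from Sun, or from Immunix: a canary word is planted between a local buffer and the saved return address in the function prologue, and checked in the epilogue before the function returns. The simulation below models the frame as one byte array (the canary value, buffer sizes and helper names are all constructed for the example) so that the "smash" stays memory-safe while still showing why even a one-byte overrun is caught.

```c
/* Simulated StackGuard-style canary check. Added example; not the RaQ4
 * patch's own code. A real StackGuard compiler emits the plant/verify
 * steps itself and aborts the process when the check fails. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BUF_LEN 24                       /* local buffer below the canary */
#define CANARY_LEN 4
#define FRAME_LEN (BUF_LEN + CANARY_LEN) /* buffer + canary, then (conceptually) the return address */

/* Constructed canary value for the demo; real StackGuard uses a random
 * canary or a "terminator" canary (NUL, LF, 0xff, CR) chosen so that
 * string-copying functions cannot write over it intact. */
static const uint8_t CANARY[CANARY_LEN] = {0x00, 0x0a, 0xff, 0x0d};

/* Copies len bytes of input into the simulated frame's local buffer with no
 * bounds check (the bug StackGuard guards against) and returns 1 if the
 * canary is still intact afterwards, 0 if the copy smashed it. The copy is
 * clamped to the frame so the simulation itself stays within bounds. */
int canary_survives(const uint8_t *input, size_t len) {
    uint8_t frame[FRAME_LEN];
    memset(frame, 0, sizeof frame);
    memcpy(frame + BUF_LEN, CANARY, CANARY_LEN); /* prologue: plant canary */
    if (len > FRAME_LEN) len = FRAME_LEN;
    memcpy(frame, input, len);                   /* unchecked copy into buffer */
    return memcmp(frame + BUF_LEN, CANARY, CANARY_LEN) == 0; /* epilogue check */
}

/* Input that fits exactly: canary intact, function may return normally. */
int demo_fits(void) {
    uint8_t input[BUF_LEN];
    memset(input, 'A', sizeof input);
    return canary_survives(input, sizeof input);
}

/* One byte too many: the first canary byte is overwritten, check fails. */
int demo_overruns_by_one(void) {
    uint8_t input[BUF_LEN + 1];
    memset(input, 'A', sizeof input);
    return canary_survives(input, sizeof input);
}

int main(void) {
    printf("24-byte input, canary intact: %d\n", demo_fits());          /* 1 */
    printf("25-byte input, canary intact: %d\n", demo_overruns_by_one()); /* 0 */
    return 0;
}
```

The check only ever fires at function return, so a daemon rebuilt this way dies (and logs the abort) instead of running attacker-controlled code; it does not stop the overflow itself, which is why the patch downgrades any self-built daemons to the Sun-compiled, canary-protected versions.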