Another security problem..

Matthew Nuzum matt.followers at gmail.com
Thu Oct 20 21:01:50 UTC 2005


> -----Original Message-----
> From: fedora-legacy-list-bounces at redhat.com [mailto:fedora-legacy-list-
> bounces at redhat.com] On Behalf Of Jim Popovitch
> Sent: Thursday, October 20, 2005 3:30 PM
> To: Discussion of the Fedora Legacy Project
> Subject: Re: Another security problem..
> 
> Matthew Nuzum wrote:
> >
> > But that's not my point... if you run a web-facing server there are some
> > plugins for nessus that cause it to search for known-vulnerable web
> > applications and such. It's a good idea to run it periodically so that
> > you can find if you're exposed before someone else does.
> 
> You are assuming too much of nessus.  Your logic requires nessus to know
> to check for *all* vulnerabilities.  I don't have that much faith in any
> product, even open source ones.  The best way to run a secure server is
> to not trust other tools and software.  Do your own checking,
> investigating, and *don't* run suspicious, or even mildly problematic
> (i.e. php), software.

If you're saying, "it's not enough to just run Nessus..." I agree with you. 

If you're saying that running Nessus is useless, I disagree. It is an
excellent tool for finding out if you're running software that has known
vulnerabilities. I might go so far as to say that if you only run one tool for
doing vulnerability analysis then it should be Nessus. I'll admit I've not
used a single commercial vulnerability assessment product, so my experience
is far from comprehensive.

Thanks for the suggestion for monitoring log files. You're right about
hosts.deny. I'd go so far as to say that hosts.deny is practically useless
these days since so few of our networked applications rely on it. But
individual applications such as Apache have a similar concept.

-- 
Matthew Nuzum <matt at followers.net>
www.followers.net - Makers of "Elite Content Management System"
View samples of Elite CMS in action by visiting
http://www.followers.net/portfolio/