
VanLUG Email Archive

VanLUG Mailing List
Re: rdate


Brian Edmonds (brian@gweep.bc.ca)
20 Oct 1998 16:22:25 -0700


Harondel J Sibble <help@pdscc.com> writes:
>> Seems like more work to me than just poking a hole in your firewall,
>> starting xntpd on boot, and forgetting about the whole thing.
> Everything I've read on the net and in the above and other books says
> that one should ALWAYS avoid enabling extra ports through a firewall,
> especially things like time stuff!

Sure, you can obviously put up a firewall with no holes in it, but then
one has to wonder why it's there at all since it would be just like
having no network connection.

There's nothing special about the various time ports except that it's a
service that most sites don't actually use, thus don't need and by basic
security precautions should turn off. For those of us that actually
consider maintaining good time synchronization to be important, it's an
acceptable tradeoff.

Useful security lies not in saying "turn it off", but in asking "do I
need this?" followed by "do I understand this?" If the answer to either
is no, then you should probably turn it off. Quite bluntly, the average
Linux D00D is probably much more at risk from the IRC, ICQ, CGI, and so
on gunk s/he installs than from running a time server.

Or from known holes. How many of you are still running BIND 4.9.6 or
qpopper 2.4? I would be unsurprised if quite a number of sites are
still running that old bind, and don't even know it, and are wide open
to attack just as soon as some script kiddie happens to scan them.

Brian.



This archive was generated by hypermail 2.0b3 on Mon 02 Nov 1998 - 03:23:17 PST