Re: Cfservd access through firewall - dangerous ?
From: Adrian Phillips
Subject: Re: Cfservd access through firewall - dangerous ?
Date: 29 Apr 2002 12:30:38 +0200
User-agent: Gnus/5.09 (Gnus v5.9.0) Emacs/21.2
>>>>> "Mark" == Mark Burgess <Mark.Burgess@iu.hio.no> writes:
Thanks for the quick response Mark.
Mark> On 29 Apr, Adrian Phillips wrote:
>> - a DoS against cfservd seems to be relatively difficult to
>> accomplish as it does so much checking
Mark> A lot of thought went into this!
I'd gathered that :-)
>> - is it theoretically possible to "modify" cfservd such that
>> it overwrites configuration files such that somebody could
>> damage all the servers under cfengines administration ?
>>
Mark> I assume you mean by a malicious party: of course, friendly
Mark> fire is always the biggest problem. An admin can always
Mark> program cfengine to do harm! But otherwise...
Yes, sorry, I meant somebody cracking the cfservd through the tunnel.
Mark> No, not unless there were a buffer overflow. I have also
Mark> worked very hard to make this impossible through design.
Mark> Time will show...but so far cfengine's track record is
Mark> rather better than any other popular software I can think
Mark> of...:)
Yes, I'd tried to search on the internet if cfengine ever had any
problems in older versions but couldn't find any.
>> - even worse, would it be possible to get a shell prompt on the
>> cfservd server ?
Mark> Again, only by buffer overflow or admin stupidity.
Mark> The main weakness is in getting access to the master
Mark> cfengine files. If you could, for instance, use ftp to
Mark> break into the master machine and change the cfengine
Mark> config, then you have the perfect way to do whatever you
Mark> like with the system.
One reason I intend not to have ftp on this machine.
>> I suppose one solution to this concern is to mirror the
>> cfengine setup to an external cfengine server.
>>
Mark> Protect the source!!
Of course. In addition to mirroring to another machine I'm going to
use iptables, chroot and user-mode-linux to make it very difficult to
break in and out.
Mark> I would very much like to see someone write an article for
Mark> ;login: or something on the topic of using cfengine
Mark> with/through a firewall.
Mark> Go for it!
I must admit I hadn't a clue what you meant by this until I googled
for ;login:. I don't know whether my writing skills are quite up to an
article but I'd write something that could be added to the Tutorial,
although it will be some weeks before I've set this up.
Sincerely,
Adrian Phillips
--
Your mouse has moved.
Windows NT must be restarted for the change to take effect.
Reboot now? [OK]
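The iptables part of the setup described in the message above, as an added example that is not from the thread or from cfengine itself: a script that confines a cfservd reachable through a firewall to a single trusted peer. It assumes cfservd listens on TCP 5308 (the cfengine 2 default; the port is not stated in the thread), that iptables with the state match is installed, and that the peer address is passed as the first argument. The function and variable names are the example's own.

```shell
#!/bin/sh
# Added example (not from the thread or from cfengine): limit inbound
# cfservd connections to one trusted peer with iptables.
# Assumptions: cfservd listens on TCP 5308 (cfengine 2 default, not stated in
# the thread); iptables with "-m state" is available. Run with DRY_RUN=1 to
# print the rules instead of applying them.
set -eu

CFSERVD_PORT="${CFSERVD_PORT:-5308}"

# Accept only a dotted-quad IPv4 address, optionally with a /prefix length,
# so that nothing unexpected is ever interpolated into an iptables command.
valid_peer() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$'
}

# Print the iptables commands that restrict cfservd to PEER: connections from
# PEER are accepted, anything else aimed at the port is logged and dropped.
cfservd_rules() {
    peer="$1"
    valid_peer "$peer" || { echo "cfservd_rules: bad peer address: $peer" >&2; return 1; }
    cat <<EOF
iptables -N CFSERVD
iptables -A INPUT -p tcp --dport $CFSERVD_PORT -j CFSERVD
iptables -A CFSERVD -s $peer -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A CFSERVD -j LOG --log-prefix "cfservd-denied: "
iptables -A CFSERVD -j DROP
EOF
}

# Apply the rules, or only print them when DRY_RUN=1.
apply_cfservd_rules() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        cfservd_rules "$1"
    else
        cfservd_rules "$1" | sh -e
    fi
}

# Usage: DRY_RUN=1 ./cfservd-fw.sh 192.0.2.10   (192.0.2.10 is a placeholder peer)
if [ "$#" -gt 0 ]; then
    apply_cfservd_rules "$1"
fi
```

The dedicated CFSERVD chain keeps the cfservd policy separate from the rest of the ruleset, and the LOG rule before the final DROP gives the firewall host a record of every foreign connection attempt against the port, which is what you would want to watch on a machine exposed in this way.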