Fitzcarraldo Advocate
Joined: 30 Aug 2008 Posts: 2034 Location: United Kingdom
Posted: Thu Aug 03, 2017 5:53 am
Amity88 wrote: | Fitzcarraldo wrote: | Amity88 wrote: | It's there in both SLES 12 as well as RHEL 7. |
And Ubuntu, since Ubuntu 15.04. Ubuntu Server is popular in commercial installations too.
I know someone with an Internet-facing server running Ubuntu Server 16.04 and he gets much the same attacks as my non-systemd Internet-facing server (i.e. a hell of a lot of attacks, whatever the init system). Providing an Internet-facing server is properly protected with a good firewall and a good NIPS with frequently updated rule sets, as we both are, I don't see why there would be any significant difference in the number and success of attacks on Internet-facing servers using systemd and those not using systemd. |
I dunno much about NIPS. I take it that they're kinda like an antivirus package on the hardware level which works with packets?
Out of curiosity, what do you think of this (typical?) scenario?:
1. You have a program listening on a port on the server (e.g. HTTPD on a web server)
2. Say the firewall closes all other ports except for this one.
3. An attacker exploits a vulnerability in this program and gets local restricted access (the firewall would be bypassed)
4. Say he eventually manages to break out of any containers that this program runs in. (I recently heard of a vulnerability in Xen that allowed guests VMs to modify stuff on the host)
5. NOW at this stage, wouldn't it make things worse for us if the server happens to run SystemD? I mean with all the silly holes, it might be trivial to get root and own the system, wouldn't it? |
A firewall alone is not going to provide complete protection if you're running e.g. a Web server or Cloud server. What is an Intrusion Prevention System gives a brief explanation of a NIPS. Enterprise NIPS run on their own dedicated hardware (e.g. Cisco Firepower series). IT equipment manufacturers (Cisco, Juniper, Palo Alto Networks, etc.) sell NIPS hardware and, even more sophisticated, next-generation firewall hardware (firewall+NIPS+DPI++). For home and small business use, FOSS SNORT software (from Cisco, since they bought Sourcefire and use SNORT in some of their hardware) is a decent NIPS if configured properly (albeit very complicated to configure and full of pitfalls). SNORT is a NIDS unless you configure it to be a NIPS, and, despite the hundreds of Web blog posts and YouTube videos telling you to configure SNORT to use the afpacket DAQ module to create a NIPS, that is not a secure way to create a NIPS; the way to go is to use SNORT with the nfqueue DAQ so SNORT gets iptables to really drop the packets of exploits rather than SNORT just sending RSTs which HTTP/HTTPS traffic can eventually get through.
Regarding the scenario you postulated, this is one of the reasons for using a NIPS. The firewall lets the packets through but the NIPS will detect the attempted exploit if one of the automatically-downloaded rules (this morning my server downloaded 32,487 SNORT rules, for example) covers the exploit. A NIPS will not protect you from a zero-day exploit though. At that point, I personally would feel more comfortable if my server were a non-systemd system. But then there are plenty of exploits for non-systemd systems too, hence the increasing rule sets that NIPSs download. My non-systemd server is constantly bombarded with attempted exploits that SNORT detects and drops. Actually, the continuous SSH login attempts by script kiddies (mostly from China) annoy me more. But I have created an automated script that adds them to my own SNORT rules set, so they get dropped too. _________________ Clevo W230SS: amd64, VIDEO_CARDS="intel modesetting nvidia".
Compal NBLB2: ~amd64, xf86-video-ati. Dual boot Win 7 Pro 64-bit.
OpenRC udev elogind & KDE on both.
Fitzcarraldo's blog |
depontius Advocate
Joined: 05 May 2004 Posts: 3509
Posted: Thu Aug 03, 2017 6:34 am
Fitzcarraldo wrote: | Regarding the scenario you postulated, this is one of the reasons for using a NIPS. |
At this point, NIPS is just another layer of defense-in-depth, as the firewall is a layer, as containers are a layer. With respect to systemd, I don't think defense-in-depth was ever meant to allow one layer in particular to be weak, I think it was meant because weaknesses happen, even with the best of intentions. _________________ .sigs waste space and bandwidth |
Fitzcarraldo Advocate
Joined: 30 Aug 2008 Posts: 2034 Location: United Kingdom
Posted: Thu Aug 03, 2017 7:19 am
depontius wrote: | Fitzcarraldo wrote: | Regarding the scenario you postulated, this is one of the reasons for using a NIPS. |
At this point, NIPS is just another layer of defense-in-depth, as the firewall is a layer, as containers are a layer. With respect to systemd, I don't think defense-in-depth was ever meant to allow one layer in particular to be weak, I think it was meant because weaknesses happen, even with the best of intentions. |
I don't think that either. My intention was not to imply a NIPS is there to allow one layer in particular to be 'weak', as you put it. Certain attacks will not be detected by a firewall because they are perfectly valid traffic from a firewall's point of view, however their content could be malicious from a Web server's point of view, SSH server's point of view, etc. Therefore a NIPS is not what I would call 'defence-in-depth'* in such a situation; it is the only defence. I'm not running systemd on my server, but nevertheless if I did not have a NIPS there are exploits that the firewall would correctly allow to pass through and could attempt to exploit the installation. As I wrote in reply to Amity88, "At that point, I personally would feel more comfortable if my server were a non-systemd system."
* I regard 'defence-in-depth' more as redundancy via different methods of protection against the same threat. For example, I did not mention previously that I also use TCP Wrapper to blacklist SSH attackers in addition to using SNORT to blacklist those same attackers. That is what I classify as 'defence-in-depth'; if the SNORT process crashes for whatever reason and therefore can no longer apply my local SNORT rules against specific SSH attackers, TCP Wrapper will give me that protection until I get SNORT back up and running. In fact I have implemented a third level of redundancy, but I won't go into that here.
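Fitzcarraldo's earlier post mentions an automated script that turns SSH login attempts into local SNORT rules, and this post adds TCP Wrapper as a redundant second block on the same addresses. The Python below is an added example, not Fitzcarraldo's script (which is not posted in the thread): it counts failed sshd logins per source address from a constructed log sample (RFC 5737 documentation addresses) and emits both a Snort `drop` rule for a local rules file and a matching `hosts.deny` line for each offender; the threshold, SID range and rule message text are assumptions.

```python
import re
from collections import Counter

# Constructed sample of sshd log lines (addresses are from the RFC 5737
# documentation ranges, not real attackers).
SAMPLE_AUTH_LOG = """\
Aug  3 05:01:12 server sshd[2211]: Failed password for root from 203.0.113.5 port 51922 ssh2
Aug  3 05:01:15 server sshd[2211]: Failed password for root from 203.0.113.5 port 51930 ssh2
Aug  3 05:01:19 server sshd[2215]: Failed password for invalid user admin from 203.0.113.5 port 51944 ssh2
Aug  3 05:02:40 server sshd[2230]: Failed password for invalid user test from 203.0.113.77 port 40210 ssh2
Aug  3 05:03:02 server sshd[2240]: Accepted publickey for fitz from 198.51.100.9 port 50000 ssh2
Aug  3 05:04:11 server sshd[2250]: Failed password for root from 203.0.113.77 port 40222 ssh2
Aug  3 05:04:13 server sshd[2250]: Failed password for root from 203.0.113.77 port 40223 ssh2
Aug  3 05:05:00 server sshd[2260]: Failed password for invalid user oracle from 198.51.100.200 port 61000 ssh2
"""

# Matches OpenSSH's "Failed password" line for both known and invalid users.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+ "
    r"from (\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def failed_logins_by_ip(log_text):
    """Count failed SSH password attempts per source address."""
    counts = Counter()
    for line in log_text.splitlines():
        match = FAILED_RE.search(line)
        if match:
            counts[match.group(1)] += 1
    return counts


def offending_ips(log_text, threshold=3):
    """Addresses with at least `threshold` failures (threshold is an assumption)."""
    return sorted(ip for ip, n in failed_logins_by_ip(log_text).items() if n >= threshold)


def snort_drop_rules(ips, first_sid=1000001):
    """Layer 1: Snort 'drop' rules for an inline (nfq DAQ) deployment.

    Local rules use SIDs >= 1000000 so they cannot collide with the
    downloaded rule sets; they would go in the local rules file.
    """
    rules = []
    for offset, ip in enumerate(ips):
        rules.append(
            f'drop tcp {ip} any -> $HOME_NET 22 '
            f'(msg:"Local blacklist: SSH attacker {ip}"; sid:{first_sid + offset}; rev:1;)'
        )
    return rules


def hosts_deny_lines(ips):
    """Layer 2: TCP Wrapper entries for /etc/hosts.deny, still active if Snort is down."""
    return [f"sshd: {ip}" for ip in ips]


if __name__ == "__main__":
    ips = offending_ips(SAMPLE_AUTH_LOG)
    print("\n".join(snort_drop_rules(ips)))
    print("\n".join(hosts_deny_lines(ips)))
```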
tld Veteran
Joined: 09 Dec 2003 Posts: 1816
Posted: Sat Aug 05, 2017 5:11 pm
A friend of mine, whose computer use is pretty much limited to web browsing and email, and who's totally had it with Windows 10, is considering a Chromebook. Just curious...does Chrome OS still use upstart? It appears that's the case, but I wasn't sure. |
Fitzcarraldo Advocate
Joined: 30 Aug 2008 Posts: 2034 Location: United Kingdom
Posted: Sat Aug 05, 2017 5:43 pm
tld wrote: | A friend of mine, whose computer use is pretty much limited to web browsing and email, and who's totally had it with Windows 10, is considering a Chromebook. Just curious...does Chrome OS still use upstart? It appears that's the case, but I wasn't sure. |
Still uses upstart: see the latest posts in the thread The future of initsystem in Chromium OS. (Mike Frysinger is a Gentoo developer as well, isn't he?)
Tony0945 Watchman
Joined: 25 Jul 2006 Posts: 5127 Location: Illinois, USA
Posted: Sat Aug 05, 2017 6:39 pm
In the end the Borg will absorb us all. The time will come when applications won't run without systemd. |
steveL Watchman
Joined: 13 Sep 2006 Posts: 5153 Location: The Peanut Gallery
Posted: Mon Aug 07, 2017 2:21 pm
Tony0945 wrote: | In the end the Borg will absorb us all. | Hehe, but "Resistance is fertile" ;-)
Reaching for NIPS as a "solution" to insecure (aka badly-designed) system software, really is reaching, though.
Yes, I realise they're useful, and needed on open hosts. It's a complete deflection, though, since it's got nothing to do with systemdbust being borked by design. |
Naib Watchman
Joined: 21 May 2004 Posts: 6051 Location: Removed by Neddy
Posted: Wed Aug 23, 2017 12:36 pm
When you consider what sysd devs have been doing and how they are tied into redhat... What about stratis
Earlier this month RH deprecated BTRFS, which seemed odd as they had previously marked it as production ready.
The other day Microsoft removed ReFS from home versions of Windows 10; this was MS's attempt to provide a more resilient filesystem (NTFS already allowed 2^64 files... It just lacked all the other shinies)
Over on [H] a few threads on ReFS removal exist and I was posting in them and I was comparing windows filesystems (fat, NTFS) to ext versions and how removing ReFS was backwards, even if the featureset of ReFS is very low ...
Looking up what the 3 main Linux contenders were raised a worrying path...
Btrfs.. gnu/Foss/GPL compatible "nextgen" system
Zfs ... Licencing concerns otherwise prime candidate
Stratis .... ???
Turns out stratis is XFS with a daemon to provide VMF capability "on par" with ZFS. By pushing this into userland, and by RH, leads to sysd dependency seems inevitable. Once you start talking about low-level being an established filesystem and a userland daemon with a "rich API" all via dbus to make admin life easier just ticks too many boxes...
Ubuntu have gone the zfs route while everyone is waiting for btrfs to become really ready but this is a bit worrying...
https://github.com/stratis-storage/stratisd/blob/master/README.md _________________
Quote: | Removed by Chiitoo |
Tony0945 Watchman
Joined: 25 Jul 2006 Posts: 5127 Location: Illinois, USA
Posted: Wed Aug 23, 2017 8:38 pm
depontius wrote: | And in other news... D-Bus Broker (I'm sure someone is sure to call it "DBus Borker" shortly, so I'll save you the trouble.) |
Actually it sounds reasonable as long as it is implemented by a professional process with structured documented code not by "code cowboys". |
depontius Advocate
Joined: 05 May 2004 Posts: 3509
Posted: Wed Aug 23, 2017 10:21 pm
Tony0945 wrote: | "code cowboys". |
Hmmmm... "code cowboys" or "software philosophy cowboys"? You decide.
CasperVector Apprentice
Joined: 03 Apr 2012 Posts: 156
Posted: Thu Aug 24, 2017 7:20 am
This perhaps? _________________ My current OpenPGP key:
RSA4096/0x227E8CAAB7AA186C (expires: 2020.10.19)
7077 7781 B859 5166 AE07 0286 227E 8CAA B7AA 186C |
Yamakuzure Advocate
Joined: 21 Jun 2006 Posts: 2284 Location: Adendorf, Germany
Posted: Thu Aug 24, 2017 7:47 am
CasperVector wrote: |
This perhaps? |
Quote: | skabus was born after the author fruitlessly tried for months to make D-Bus work on a commercial embedded project and finally gave up in disgust. | Hear, hear! Sounds good, but it seems the author breaks the first rule of free open source software: "release early, release often" _________________ Important German:- "Aha" - German reaction to pretend that you are really interested while giving no f*ck.
- "Tja" - German reaction to the apocalypse, nuclear war, an alien invasion or no bread in the house.
Naib Watchman
Joined: 21 May 2004 Posts: 6051 Location: Removed by Neddy
Posted: Thu Aug 24, 2017 8:13 am
Dbus broker looks like a good idea but throws the sysd argument "it must be in the kernel" right into the dumpster.. poor code will always be slow and if the type of complaints have really existed for that long for an upcoming that has become the lynchpin "of a modern Linux desktop" wtf are these monkeys doing.
These should be fixed and it should not have taken 10 years and not some BS political spin to force it into the kernel
CasperVector Apprentice
Joined: 03 Apr 2012 Posts: 156
Posted: Thu Aug 24, 2017 9:05 am
Yamakuzure wrote: | Sounds good, but it seems the author breaks the first rule of free open source software: "release early, release often" |
I for one do not quite agree with this: releasing early just for releasing early can lead to poorly conceived software, especially when the development team consists of only one part-time worker with multiple projects to manage.
I mean this can work, but often works suboptimally for projects that require careful design; nevertheless this can be useful for projects with tight time schedules (e.g. commercial products in a competitive market).
depontius Advocate
Joined: 05 May 2004 Posts: 3509
Posted: Thu Aug 24, 2017 12:21 pm
CasperVector wrote: | Yamakuzure wrote: | Sounds good, but it seems the author breaks the first rule of free open source software: "release early, release often" |
I for one do not quite agree with this: releasing early just for releasing early can lead to poorly conceived software, especially when the development team consists of only one part-time worker with multiple projects to manage.
I mean this can work, but often works suboptimally for projects that require careful design; nevertheless this can be useful for projects with tight time schedules (eg. commercial products in a competitive market). |
To paraphrase, "Software should be released as early as possible, but no earlier." Does that do it for you?
CasperVector Apprentice
Joined: 03 Apr 2012 Posts: 156
Posted: Thu Aug 24, 2017 2:24 pm
depontius wrote: | To paraphrase, "Software should be released as early as possible, but no earlier." Does that do it for you? |
Or even shorter: "it's ready when it's ready"
ct85711 Veteran
Joined: 27 Sep 2005 Posts: 1791
Posted: Thu Aug 24, 2017 2:43 pm
Quite frankly, the part that stands out to me, is this part
Quote: | No Spec-Deviation
We do not intend to add features not standardized in the D-Bus Specification, nor do we intend to deviate. However, we do sometimes deviate from the behavior of the reference implementation. All those deviations are carefully considered and documented. |
To me, this means they just want to reinvent the wheel, while not bothering to fix the issues. They even said earlier that there are some major issues with the core specifications that can't be fixed with the current specifications. So instead of working to fix the specification so that the issue(s) can be solved and it still does the same job, they want to recreate it. |
Naib Watchman
Joined: 21 May 2004 Posts: 6051 Location: Removed by Neddy
Posted: Thu Aug 24, 2017 3:22 pm
ct85711 wrote: | Quite frankly, the part that stands out to me, is this part
Quote: | No Spec-Deviation
We do not intend to add features not standardized in the D-Bus Specification, nor do we intend to deviate. However, we do sometimes deviate from the behavior of the reference implementation. All those deviations are carefully considered and documented. |
To me, this means they just want to reinvent the wheel, while not bothering to fix the issues. They even said earlier that there are some major issues with the core specifications that can't be fixed with the current specifications. So instead of working to fix the specification so that the issue(s) can be solved and it still does the same job, they want to recreate it. |
Also, as they state they will deviate from the reference implementation, it may be that applications rely on a quirk of dbus due to poor spec and/or buggy dbus. If a rewrite doesn't work with what's out there it will fail
Zucca Moderator
Joined: 14 Jun 2007 Posts: 3345 Location: Rasi, Finland
Posted: Wed Sep 06, 2017 7:58 am
Maybe off-topic, but I kinda have to paste this: https://www.amazon.com/dp/B075DYXZW1 _________________ ..: Zucca :..
Gentoo IRC channels reside on Libera.Chat.
--
Quote: | I am NaN! I am a man! |
Fitzcarraldo Advocate
Joined: 30 Aug 2008 Posts: 2034 Location: United Kingdom
Posted: Wed Sep 06, 2017 12:46 pm
That gave me a good laugh this morning. I'm looking forward to the reviews, they're bound to be hilarious too.
NeddySeagoon Administrator
Joined: 05 Jul 2003 Posts: 54237 Location: 56N 3W
Posted: Wed Sep 06, 2017 4:27 pm
Reminds me of Fly Fishing by J. R. Hartley :) _________________ Regards,
NeddySeagoon
Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail. |
steveL Watchman
Joined: 13 Sep 2006 Posts: 5153 Location: The Peanut Gallery
Posted: Sat Sep 09, 2017 7:25 pm
Fitzcarraldo wrote: | steveL, just for information (I have no axe to grind and am not an advocate either way), the Brazilian nationwide project ('ProInfo') did and does exist, funded by the Federal Government, although much of the information on the Web is obviously in Portuguese. You are right that Userful and its Brazilian representative ThinNetworks have since moved to promoting thin clients instead of multiseat in the X.Org fashion. | I've never doubted its existence; only the "technical arguments" presented as to why Poeterring's deluded vision of "multiseat" is in any way a useful thing.
Note the "multiseat" discussed is not X, which has had the concept of "display" since the beginning. That's all "seat" is: a neologism for an existing, well-defined term.
At most it's from fdo, which is at best a clique in any case (imo of nubs, judging by the ones who are most vocal, and keep pushing idiocy on us.)
With respect, the rest of your post is a sidetrack imo; you imply it's only "technical difficulties with drivers" (and source availability) that have stopped people using "seats" effectively, but as you've just agreed, even the company providing the hardware (who clearly have no such issue) moved away from Poeterring's deluded "vision" of "multiseat technology" and back to the standard X thin-client model.
QED.
The post was interesting, but ultimately only agreed with the analysis I gave above, before I followed the links given to do some basic checking.
In a nutshell, splitting the GUI side is a dumb idea. This could easily have been thought-through upfront, instead of wasting so many admins' time with ill-conceived and badly-designed "technology".
If nothing else, just by listening to some of the people who initially respond as to why and how it's a bad idea, instead of persecuting them as "haters" for informed opinion. [1]
--
[1] like: "seats are nothing more than a rebadging of the X display, so let's talk in terms of the display instead." [2]
or: "end-user devices are only getting cheaper, and more capable; why do we need to share them?" (in essence: "what are you really trying to do?")
If you think there's some frustration here, then you are spot on: the frustration is that we never get to move on to the more interesting discussion, because of the political muddying of the waters (and the associated "messages" that keep repeating themselves.)
As such, these types of campaigns are a drain of headspace, which is precisely the point of them: just like Microsoft before them, RedHat is well-aware that "developer mindshare" is a critical factor. And just like with Microsoft, ultimately it's users who lose out from the restricted playing-field.
RedHat is giving the voluntary contributors enough bathwater to argue about, while their baby is spirited out the door.
[2] I'm not saying that I am particularly well-informed; there are many better examples, which I keep giving (like LAD, kernel-networking, etc.)
I am just fed up of having to repeat myself to address the same "message" and its associated illogic, while no-one seems to take any interest in the real discussion (on how we put together capable desktops without sacrificing every software-engineering principle and basic good practice along the way.)
Gentoo users are better than that. |
depontius Advocate
Joined: 05 May 2004 Posts: 3509
Posted: Sat Sep 09, 2017 8:33 pm
steveL wrote: | just like Microsoft before them, RedHat is well-aware that "developer mindshare" is a critical factor. |
Cue the image of LP jumping around on stage, shouting, "Developers! Developers! Developers! Developers!"