stripping secure servers (was Re: releases and stuff)

Bennett Todd bet at
Mon Nov 15 08:04:39 PST 2004

2004-11-15T14:23:09 Archaic:
> On Mon, Nov 15, 2004 at 12:46:48PM +0000, Bennett Todd wrote:
> > For some services, even /bin/sh is not necessary.
> Wow. Even I don't go that far, and most people consider me paranoid. ;)
> I might just have to look into this more. :)

As I said, Marcus Ranum has recommended this for years. A quick
google trawl didn't collect any matches for me, but I may not have
picked the best keywords. But his basic concept is building servers
the same way you build good firewalls.

A good firewall starts by blocking everything, then has specific
traffic flows enabled --- preferably through code paths that analyze
them in complete detail, i.e. application proxies --- when and only
as needed and justified by security policy. Bad firewalls come when
you start wide open then try to block things believed to be both
naughty and unnecessary.

Similarly, argues Marcus, a purpose-built security server can
achieve the highest levels of security if you start with nothing and
add only that which is actually required to [barely] deliver the
required service.

This is the opposite of the approach I've always taken and
recommended, simply hardening hosts by turning off network services
and carefully choosing implementations for those you must leave on.

I think mjr's approach is a _lot_ more palatable these days when
it's easy to have a laptop, or a normally-disconnected server, offer
PXE services to boot an initrd when you must perform surgery.
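As an added illustration (not from the original thread), here is the "start from nothing" build in POSIX shell: an empty root receives one daemon binary plus only the shared libraries ldd reports for it, and a final check refuses a jail that still contains a shell. The root /srv/jail and the binary /usr/sbin/mydaemon are placeholders, and a glibc-style ldd output format is assumed.

```shell
#!/bin/sh
# Added example of building a service root "from nothing": copy in one
# daemon and its libraries, nothing else, then verify no shell crept in.
# Assumes glibc-style ldd output; paths in the usage line are placeholders.
set -eu

# Extract absolute library paths from ldd-format output on stdin.
# Handles "libc.so.6 => /lib/libc.so.6 (0x...)" and bare loader lines like
# "/lib64/ld-linux-x86-64.so.2 (0x...)"; "statically linked" and
# "=> not found" entries yield nothing.
ldd_paths() {
    awk '/=>/ { if ($3 ~ /^\//) print $3; next }
         $1 ~ /^\// { print $1 }'
}

# Copy one file into ROOT, recreating its directory path underneath.
install_into() {
    root=$1; f=$2
    mkdir -p "$root$(dirname "$f")"
    cp -p "$f" "$root$f"
}

# Populate ROOT with BIN and only the libraries ldd says BIN needs.
populate_root() {
    root=$1; bin=$2
    install_into "$root" "$bin"
    ldd "$bin" | ldd_paths | while read -r lib; do
        install_into "$root" "$lib"
    done
}

# Audit step: fail (return 1) if any shell interpreter exists under ROOT,
# so a build script cannot ship a jail that still offers /bin/sh.
audit_no_shell() {
    root=$1
    found=$(find "$root" -type f \( -name sh -o -name bash -o -name dash \
                                    -o -name ash -o -name busybox \) 2>/dev/null)
    [ -z "$found" ] || { printf 'shell present in jail: %s\n' "$found"; return 1; }
}

# Usage (placeholder paths):
#   populate_root /srv/jail /usr/sbin/mydaemon && audit_no_shell /srv/jail
```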
