Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

Just have sane firewall rules and you are good. E.g. if I install openssh-server and it auto starts, it doesn't make it out of my machine because my nftables does not allow inbound on port 22. It's just knowing the default behaviour and adjusting your practices for it.


That is a workaround for a ridiculous issue.


A sane firewall won't protect you from privilege escalation from a local attacker. While unlikely, this is one more breach that could be exploited.


Debian bundles AppArmor profiles for most services. This will prevent an attacker from accessing outside the perimeter drawn by the AppArmor profile.


This is the "you're holding it wrong" response to a clear design issue.


Aren't firewall rules part of the "configuration" the OP talked about?


No, because you can install and configure the firewall before you install package X. (without knowing anything about X, your firewall defaults can just prevent X from doing anything)

But you can't (easily) configure package X itself before you install it; and after you install it, it runs immediately so you only get to configure it after the first run.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: