Blacklist uncommon network protocols

Merged, thanks! :slight_smile:


By @onion_knight.

Merged.

I think it would be a good idea to blacklist network file systems such as NFS and SMB as well. These can be blacklisted with

install nfs /bin/true
install cifs /bin/true

SMB has had plenty of security vulnerabilities in the past and was one of the main ways the WannaCry ransomware was spread.


I don’t mind because I don’t use either myself, but in the case of nfs it is the only protocol for sharing files from the guest with a Linux host in the event of running MS Windows for compatibility reasons.


Would it only have been exploitable for users who choose to use these protocols? Or was there a security risk for users who have nothing to do with these protocols?

Concern: I don’t think we should blacklist protocols which cannot be abused to autoload, as that only makes it more difficult for users who choose to use these.


If you have the software installed to use them, you’ll likely be at risk.

I’m not sure if it would be possible to exploit these without the needed packages installed (e.g. the samba package in the Debian repos).


In such cases we need to tap into external knowledge by asking elsewhere. Just making things more difficult without knowing if there’s a point seems wrong.


Wouldn’t that spam whatever is getting the notification with pointless errors?


Better to fail and see an error message. Even if spamming. In theory. We don’t know if it’s spamming or any error message at all. /bin/false only increases the chances that there will be a visible error message. Not so good to fail and not see any error message.

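The difference discussed in the thread between `install <module> /bin/true` and `install <module> /bin/false` is that both stop the module from loading, but only `/bin/false` makes modprobe report a failure that a user or log reader can see. The script below is an added example (not code from the thread or from the project's own config): it writes a modprobe.d drop-in for the nfs and cifs modules with `/bin/false`, and provides a helper that reads such a file back to show which command modprobe would run in place of loading a given module. The output path, the module list and the helper names are assumptions for illustration; the `install` keyword and the `/proc/modules` format are standard Linux.

```shell
#!/bin/sh
# Added example, not part of the original thread. Generates a modprobe.d
# drop-in that blacklists network filesystem modules with "install <mod>
# /bin/false" and offers helpers to inspect the result.

# write_blacklist OUTFILE MODULE...
# Writes one "install <module> /bin/false" line per module to OUTFILE.
# /bin/false makes `modprobe <module>` exit non-zero and print an error;
# /bin/true would "succeed" silently without loading anything.
write_blacklist() {
    out=$1
    shift
    : > "$out"
    for m in "$@"; do
        printf 'install %s /bin/false\n' "$m" >> "$out"
    done
}

# blocked_by CONF MODULE
# Prints the command modprobe would run instead of loading MODULE according
# to CONF (e.g. /bin/false). Returns 1 if CONF has no install line for it.
blocked_by() {
    conf=$1
    mod=$2
    awk -v m="$mod" '
        $1 == "install" && $2 == m { print $3; found = 1 }
        END { exit !found }
    ' "$conf"
}

# check_loaded MODULE
# Returns 0 if MODULE is currently listed in /proc/modules, 1 otherwise
# (also 1 when /proc/modules is not readable, e.g. outside Linux).
check_loaded() {
    [ -r /proc/modules ] || return 1
    awk -v m="$1" '$1 == m { found = 1 } END { exit !found }' /proc/modules
}

# Demo: build the drop-in in a temporary file and show its contents.
# On a real system the file would go to /etc/modprobe.d/ (an assumption
# about the target path; adjust to the distribution's conventions).
demo_conf=$(mktemp)
write_blacklist "$demo_conf" nfs cifs
cat "$demo_conf"
blocked_by "$demo_conf" nfs   # prints /bin/false
rm -f "$demo_conf"
```

Once the drop-in is installed under /etc/modprobe.d/, `modprobe nfs` runs `/bin/false` and reports an error, which is the visible failure the last post argues for; `check_loaded nfs` can then confirm the module did not get loaded.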