zentara has asked for the wisdom of the Perl Monks concerning the following question:

I was looking at this port-knocking for security and it got me thinking about leaving a Perl script listening on an open port.

The article states

"The "standard" method of running the SSH server on port 22 is notoriously inadequate. OpenSSH, which is the SSH server on the majority of Linux installations, suffers from regular exploits of buffer overflow and other vulnerabilities, and you neither have the time to keep up with the patches nor want to make the effort -- you'd rather put up with not being able to access your files."

So I like using Net::EasyTCP, which has a port password and encrypted transfers, and I'm wondering how safe these types of Perl scripts are? I know one of Perl's claims is "immunity from buffer-overflow-exploits", but are Perl scripts really that safe from this type of attack?

I realize you can't stop a "denial of service" attack against the port, and the Perl script could be written in a poor manner, which allows hackers to grab a shell. But other than that, is Perl more secure than SSH, while it's just sitting on a port listening?


I'm not really a human, but I play one on earth. flash japh

Replies are listed 'Best First'.
Re: Perl and TCP port security
by hardburn (Abbot) on Aug 11, 2004 at 13:03 UTC

    The "you neither have the time to keep up with the patches nor want to make the effort" bit smells like FUD to me. While SSH has had its share of problems, it really isn't that hard to keep most GNU/Linux distros up to date. For me, it's either "apt-get update; apt-get dist-upgrade" or "emerge sync; emerge world". It really isn't a big deal.

    Perl programs are almost entirely immune to buffer overflows. If you access an array element outside the normal bounds, Perl automatically grabs more memory and builds the array. The Java approach (throw an exception and die) is just as effective for preventing buffer overflows (the other benefits of one approach or the other can be debated endlessly).

    If there is a buffer overflow in either Perl or Java, it will be in the underlying implementation. Further, that overflow may or may not be exploitable from any given program.

    This highlights a good point about C: it's a great language for what it was originally designed for (writing operating systems). It isn't such a great language for general applications.

    "There is no shame in being self-taught, only in not trying to learn in the first place." -- Atrus, Myst: The Book of D'ni.

Re: Perl and TCP port security
by Fletch (Bishop) on Aug 11, 2004 at 12:54 UTC

    I wouldn't say OpenSSH suffers from "regular" exploits (granted there was a spate of several back near the end of last year / beginning of this year). Nonetheless, if you're running with privilege separation enabled (which makes the network side handled by an unprivileged user in a chroot'd jail; it's been in there since around version 3.4 I think) there's probably very little risk of them being able to compromise the box (not to say a DOS isn't possible). If you're really paranoid you'd probably be better served by filtering from whom you'll accept TCP traffic to port 22.

Re: Perl and TCP port security
by dave_the_m (Monsignor) on Aug 11, 2004 at 12:56 UTC
    Generally Perl is a lot more secure than a C program. Although it can't be guaranteed free from buffer overruns, they are very rare and would be very hard to exploit. Make sure that the program runs with taint checks enabled.

    Of course, there's nothing stopping an idiot writing a bit of insecure Perl code.

    Dave.

      Generally Perl is a lot more secure than a C program.

      But wait! Perl is a C program!

        LOL!! :D

        But seriously folks... I think the intended meaning of that passage is: "Generally (any) Perl (script) that you write yourself is a lot more secure than a C program that you write yourself."

        The point being, of course, that the implementation of the Perl interpreter in C is molded/guided/governed/guarded by an elite team of uber-coders who answer (promptly and directly) to a large community of very meticulous programmers.

Re: Perl and TCP port security
by sgifford (Prior) on Aug 11, 2004 at 19:37 UTC
    In general it's much easier to write secure Perl code than secure C code. If your code is carefully written and uses taint mode, and the modules you're using are carefully written pure Perl, I would guess your system is less likely to contain an exploitable buffer overflow than OpenSSH. Still, it would be very easy to get the encryption wrong or make other mistakes that would open up your system to security problems; an advantage of OpenSSH is that many many many people have inspected and analyzed the code.
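
Two replies above recommend taint mode for a Perl script listening on a port. The following is an added example, not code from any poster in this thread, showing what taint mode does with data read from a socket: the raw line cannot reach a file-modifying call, and only a regex capture produces a usable value. The `GET <name>` protocol, the `parse_request` helper, the `/nonexistent-dir` path and the sample requests are constructed for illustration.

```perl
#!/usr/bin/perl -T
# Run as: perl -T taint_demo.pl   (taint mode must be on from startup)
use strict;
use warnings;
use Socket;
use Scalar::Util qw(tainted);

die "taint mode is off; run with perl -T\n" unless ${^TAINT};

# Hypothetical one-line protocol for this example: "GET <name>".
# Only a regex capture untaints, so the pattern acts as the allow-list:
# no slashes, no leading dot, no shell metacharacters, at most 64 chars.
sub parse_request {
    my ($line) = @_;
    return $line =~ /\AGET ([A-Za-z0-9_][A-Za-z0-9_.-]{0,63})\r?\n\z/ ? $1 : undef;
}

# A connected socket pair stands in for the listening port, so this runs offline.
socketpair(my $server, my $client, AF_UNIX, SOCK_STREAM, PF_UNSPEC)
    or die "socketpair: $!";
# Constructed sample requests: one valid, two hostile.
print {$client} "GET notes.txt\n", "GET ../../etc/passwd\n", "GET x;id\n";
close $client;

while (my $line = <$server>) {
    chomp(my $shown = $line);
    printf "%-24s tainted=%d\n", "'$shown'", tainted($line) ? 1 : 0;

    # Using the raw line in a file-modifying call dies before any syscall is made.
    eval { open(my $fh, '>>', "/nonexistent-dir/$line") };
    print "  raw line in open(): ", ($@ ? "blocked by taint check" : "NOT blocked"), "\n";

    my $name = parse_request($line);
    if (defined $name) {
        printf "  accepted '%s' tainted=%d\n", $name, tainted($name) ? 1 : 0;
    } else {
        print "  rejected by allow-list\n";
    }
}
```

Taint mode only forces the validation step to exist; how strict the capture pattern is remains the script author's responsibility.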