Bug#81118: base: Wishlist: High security base system (or separate add-on package)
On Wed, 3 Jan 2001 10:58:37 +0100, Michael Bramer <grisu@debian.org>
wrote:
> On Wed, Jan 03, 2001 at 10:15:43AM +0200, era eriksson wrote:
>> The stock base system comes with various "traditional security holes"
>> enabled. It would be nice (and probably very constructive) to have a
>> brief and simple procedure for how to reconfigure the system so as to
>> run a reasonably tight ship.
> apt-get remove telnetd
> apt-get remove NETWORK_PACKAGE
> I can deinstall all network packages without problems
> apt-get install postfix
> apt-get install MORE-ROBUST-FTP-SERVER
> apt-get is a nice package tool, use it. :-)
I'm not saying I can't figure out how to fix these problems; I'm
saying it would be nice if somebody would create a documented and
standard process for doing this, and preferably ship it as an option
with the base system.
Personally, I'm only vaguely security-conscious, so my first problem
is to figure out what more I need to do in order to have a system
which is not trivial to break into. I feel that this information
should be collected and maintained in a place and form where it's
extremely easy to find and use.
I think I like the idea of using one of the available runlevels for
this. Create another runlevel which doesn't start up anything except
the bare essential services for running and administering a "dumb"
server, and update the installation instructions to recommend that you
use this as the base system if you plan to connect your machine to the
Internet.
Hope this can help clarify what I meant,
/* era */
--
.signature missing -- creating one on the fly. <http://www.iki.fi/era/>
Reply to: