Re: ALL: PARANOID from /etc/hosts.deny Should be Commented by default
- To: debian-devel@lists.debian.org
- Subject: Re: ALL: PARANOID from /etc/hosts.deny Should be Commented by default
- From: Eloi Granado (kaneda) <kaneda@omega.resa.es>
- Date: Sat, 21 Apr 2001 05:51:17 +0200
- Message-id: <[🔎] 01042105511700.00497@lain>
- In-reply-to: <20010419083352.E15227@osdlab.org>
- References: <20010418091902.O12115@flounder.net> <20010418230610.H12115@flounder.net> <20010419083352.E15227@osdlab.org>
On Thursday 19 April 2001 17:33, Nathan Dabney wrote:
> How about we first ask the user upon install if they want to be able to
> accept outside connections at all.
>
> I think this thread could be solved by designing a few types of installs
> and giving defaults for host.deny and host.allow and other security points
> for each install scenario.
>
> Example:
> Basic Install - Workstation (no access)
> host.deny: ALL: ALL
>
> Basic Install - Workstation (some access)
> host.deny: ALL: PARANOID (or IPs)
>
> Basic Install - Server (some access)
> host.allow: ALL: ip list for accessible points
> host.deny: ALL: PARANOID (prompt user for preference)
>
> Expert Install - Asks user what they want, IP based or paranoid or none.
>
> We *need* a "secure by default" install option for people that may want to
> use it.
That seems really perfect to me. But I've read in this thread of possible
problems that removing ALL:PARANOID can lead (thanks Anthony Towns - among
others :)). What about warning the user of them so he will know the
"secondary effects" of such a trivial decission?
> What does everyone think of a /etc/security.policy file with a few security
> flags set upon install that packages can read during later installs or
> upgrades to see if they should be open or closed by default?
Great idea.
Reply to: