
Re: ALL: PARANOID from /etc/hosts.deny Should be Commented by default



On Thu, Apr 19, 2001 at 11:51:28PM +1000, Daniel Stone wrote:
> If you want security, you run a stateful firewall (think: iptables) with -P
> DROP, only a few explicit ports let through, only to the lucky few, no
> telnet, etc. But does this *look* like Trustix? Nope. Not DeadRat, either,
> but not Trustix. Debian has end-users, a lot of whom won't bother to set up
> firewalls, because it's only a home box, and we can't force them to. But
> setting up sane tcpwrappers defaults will go a LONG WAY. (Also see what I've
> written below).

No, sorry.  Every box connected to the internet does not need a stateful
firewall in front of it.  This is an idea that has been propagated by the
clueless "security admin" world in order to sell more Checkpoint licenses.

A web server box running Apache and SSH (only) can be adequately protected by
tcp wrappers if they're configured correctly.  (i.e., using IP-based access
rules.)

As far as "sane" defaults, PARANOID is not one.  It provides no extra
security.

--Adam

-- 
Adam McKenna  <adam@debian.org>  <adam@flounder.net>
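As an added illustration of the IP-based tcp wrappers rules the reply recommends (this is example code written for this page, not tcpd's own code), the following models how tcpd evaluates hosts.allow and hosts.deny for address-based client patterns; the two sample files, the client addresses and the daemon names are constructed for the example.

```python
"""Simplified tcp_wrappers (hosts.allow / hosts.deny) evaluation for
IP-based client rules. Supported client patterns: ALL, a single IPv4
address, a dotted prefix ("10.1."), and net/mask
("192.168.1.0/255.255.255.0"). Lookup order follows tcpd(8): a match in
hosts.allow grants, then a match in hosts.deny refuses, otherwise the
connection is allowed."""
import ipaddress

# Constructed sample files (not from the post): a few networks may reach
# sshd, loopback may reach everything, and everything else is denied.
HOSTS_ALLOW = """\
# service : client list
sshd: 192.168.1.0/255.255.255.0, 203.0.113.7
ALL: 127.0.0.1
"""
HOSTS_DENY = "ALL: ALL\n"


def _match_client(pattern, ip):
    """Return True if an IPv4 client address matches one tcpd client pattern."""
    pattern = pattern.strip()
    if pattern == "ALL":
        return True
    if "/" in pattern:                      # net/mask form
        net, mask = pattern.split("/", 1)
        network = ipaddress.ip_network(f"{net}/{mask}", strict=False)
        return ipaddress.ip_address(ip) in network
    if pattern.endswith("."):               # dotted prefix, e.g. "10.1."
        return ip.startswith(pattern)
    return ip == pattern                    # single address


def _file_matches(text, daemon, ip):
    """True if any non-comment 'daemons : clients' line in text matches."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        daemons, clients = line.split(":", 1)
        daemons = [d.strip() for d in daemons.split(",")]
        if daemon not in daemons and "ALL" not in daemons:
            continue
        if any(_match_client(c, ip) for c in clients.split(",")):
            return True
    return False


def access_allowed(daemon, ip, allow=HOSTS_ALLOW, deny=HOSTS_DENY):
    """tcpd order: hosts.allow match grants, hosts.deny match refuses,
    otherwise allow. No DNS lookup is involved, which is why PARANOID
    (a forward/reverse DNS consistency check) adds nothing to such rules."""
    if _file_matches(allow, daemon, ip):
        return True
    if _file_matches(deny, daemon, ip):
        return False
    return True
```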