Re: ALL: PARANOID from /etc/hosts.deny Should be Commented by default
On Thu, Apr 19, 2001 at 11:51:28PM +1000, Daniel Stone wrote:
> If you want security, you run a stateful firewall (think: iptables) with -P
> DROP, only a few explicit ports let through, only to the lucky few, no
> telnet, etc. But does this *look* like Trustix? Nope. Not DeadRat, either,
> but not Trustix. Debian has end-users, a lot of whom won't bother to set up
> firewalls, because it's only a home box, and we can't force them to. But
> setting up sane tcpwrappers defaults will go a LONG WAY. (Also see what I've
> written below).
No, sorry. Every box connected to the internet does not need a stateful
firewall in front of it. This is an idea that has been propagated by the
clueless "security admin" world in order to sell more Checkpoint licenses.
A web server box running Apache and SSH (only) can be adequately protected by
tcp wrappers if they're configured correctly. (i.e., using IP-based access
rules.)
As far as "sane" defaults, PARANOID is not one. It provides no extra
security.
--Adam
--
Adam McKenna <adam@debian.org> <adam@flounder.net>
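As an added illustration (not part of the thread), a small Python model of how tcp wrappers evaluates /etc/hosts.allow and /etc/hosts.deny, showing the IP-based policy Adam describes beside a deny file that contains only PARANOID. It is a simplification of hosts_access(5): no EXCEPT, netmask or wildcard forms, and the PARANOID forward/reverse DNS check is modelled by a flag rather than real lookups; the rule sets and addresses are constructed.

```python
import ipaddress

# Constructed rule sets (not from the thread). The addresses are RFC 5737
# documentation ranges chosen for illustration.
HOSTS_ALLOW = "sshd: 192.0.2.0/24, 198.51.100.7\nALL: 127.0.0.1\n"
HOSTS_DENY = "ALL: ALL\n"                 # explicit default deny
HOSTS_DENY_PARANOID = "ALL: PARANOID\n"   # the contested default

def parse_rules(text):
    """Parse 'daemon_list : client_list' lines; comments and blanks ignored."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        daemons, clients = line.split(":", 1)
        rules.append(([d.strip() for d in daemons.split(",")],
                      [c.strip() for c in clients.split(",")]))
    return rules

def client_matches(pattern, ip, dns_consistent):
    """Simplified client matching: ALL, PARANOID, CIDR, dotted prefix, exact."""
    if pattern == "ALL":
        return True
    if pattern == "PARANOID":
        # Real PARANOID fires when the reverse lookup of the address and the
        # forward lookup of that name disagree; modelled here by a flag.
        return not dns_consistent
    if "/" in pattern:
        return ipaddress.ip_address(ip) in ipaddress.ip_network(pattern, strict=False)
    if pattern.endswith("."):
        return ip.startswith(pattern)
    return ip == pattern

def hosts_access(daemon, ip, dns_consistent=True,
                 allow=HOSTS_ALLOW, deny=HOSTS_DENY):
    """hosts_access(5) order: first match in allow grants, first match in
    deny refuses, no match at all grants."""
    for rules, verdict in ((parse_rules(allow), True), (parse_rules(deny), False)):
        for daemons, clients in rules:
            if ("ALL" in daemons or daemon in daemons) and \
               any(client_matches(c, ip, dns_consistent) for c in clients):
                return verdict
    return True

if __name__ == "__main__":
    # IP-based policy: listed networks reach sshd, everyone else is refused.
    print(hosts_access("sshd", "192.0.2.10"), hosts_access("sshd", "203.0.113.5"))  # True False
    # PARANOID alone: a client whose forward and reverse DNS agree is admitted.
    print(hosts_access("sshd", "203.0.113.5", allow="", deny=HOSTS_DENY_PARANOID))  # True
```

With only PARANOID in hosts.deny, every client with consistent DNS is admitted, so the access decision rests entirely on the address rules in hosts.allow and the catch-all in hosts.deny.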