
Re: ALL: PARANOID from /etc/hosts.deny Should be Commented by default



On Thu, Apr 19, 2001 at 10:32:26AM -0700, Adam McKenna wrote:
> On Thu, Apr 19, 2001 at 11:51:28PM +1000, Daniel Stone wrote:
> > If you want security, you run a stateful firewall (think: iptables) with -P
> > DROP, only a few explicit ports let through, only to the lucky few, no
> > telnet, etc. But does this *look* like Trustix? Nope. Not DeadRat, either,
> > but not Trustix. Debian has end-users, a lot of whom won't bother to set up
> > firewalls, because it's only a home box, and we can't force them to. But
> > setting up sane tcpwrappers defaults will go a LONG WAY. (Also see what I've
> > written below).
> 
> No, sorry.  Every box connected to the internet does not need a stateful
> firewall in front of it.  This is an idea that has been propagated by the
> clueless "security admin" world in order to sell more Checkpoint licenses.

Which part of "If you want security" were you selectively blind to?

If you want REAL security, stop bullshitting yourself and get a firewall,
preferably stateful (btw, netfilter is stateful, I have never bought a FW-1
license in my life, and probably never will). What I was saying was this:
* ALL: PARANOID is a sane default.
* It's not security unless it's a lower layer.
* A stateful firewall is a good upper layer.
* But Debian isn't so security-focussed that we need to set up a stateful
firewall on install.

> A web server box running Apache and SSH (only) can be adequately protected by 
> tcp wrappers if they're configured correctly.  (IE, using IP-based access 
> rules.)
> 
> As far as "sane" defaults, PARANOID is not one.  It provides no extra
> security.

It provides extra security as a layer. If you just do IP-based access to
your box (i.e. only certain IPs allowed), you don't NEED this. But think
about the other 99% of people. Like myself. It's a good extra layer. I like
this extra layer.

ALL: PARANOID clearly doesn't apply to these systems where ONLY certain
*explicitly specified* IPs can access it. So stop dragging them into the
argument and get back to making real points.

-- 
Daniel Stone
Linux Kernel Developer
daniel@kabuki.openfridge.net

-----BEGIN GEEK CODE BLOCK-----
Version: 3.1
G!>CS d s++:- a---- C++ ULS++++$>B P---- L+++>++++ E+(joe)>+++ W++ N->++ !o
K? w++(--) O---- M- V-- PS+++ PE- Y PGP>++ t--- 5-- X- R- tv-(!) b+++ DI+++ 
D+ G e->++ h!(+) r+(%) y? UF++
------END GEEK CODE BLOCK------
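As an added illustration of the mechanism both posters are arguing about (this is not code from either of them, nor from tcp_wrappers or Debian), the following Python models how tcpd evaluates /etc/hosts.allow and /etc/hosts.deny: first match in hosts.allow grants, first match in hosts.deny refuses, and a client matching neither is granted. PARANOID matches a client whose reverse DNS name does not resolve back to its address. The DNS records, addresses and rule tables are constructed for the example; a real tcpd asks the resolver instead.

```python
"""Added example (not from the thread): a small model of how tcpd evaluates
/etc/hosts.allow and /etc/hosts.deny, including the PARANOID wildcard, using a
constructed DNS table in place of real resolver calls so it runs offline."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed reverse (PTR) and forward (A) records standing in for DNS.
# 198.51.100.9 claims to be www.example.org, but that name resolves elsewhere:
# that is exactly the mismatch PARANOID is meant to catch.
REVERSE = {"198.51.100.7": "good.example.net",
           "198.51.100.9": "www.example.org"}
FORWARD = {"good.example.net": {"198.51.100.7"},
           "www.example.org": {"203.0.113.5"}}


@dataclass
class Client:
    ip: str
    hostname: Optional[str]   # None when unknown or when the lookup is inconsistent
    paranoid: bool            # reverse name does not map back to the address


def lookup(ip: str) -> Client:
    """Mimic tcpd's double lookup: reverse, then forward, then compare."""
    name = REVERSE.get(ip)
    if name is None:
        return Client(ip, None, False)        # UNKNOWN, but not PARANOID
    if ip not in FORWARD.get(name, set()):
        return Client(ip, None, True)         # name/address mismatch
    return Client(ip, name, False)


def match_client(pattern: str, c: Client) -> bool:
    """Subset of the hosts_access(5) client patterns."""
    if pattern == "ALL":
        return True
    if pattern == "PARANOID":
        return c.paranoid
    if pattern == "KNOWN":
        return c.hostname is not None
    if pattern == "UNKNOWN":
        return c.hostname is None
    if pattern.startswith("."):               # domain suffix, e.g. .example.net
        return c.hostname is not None and c.hostname.endswith(pattern)
    if pattern.endswith("."):                 # network prefix, e.g. 198.51.100.
        return c.ip.startswith(pattern)
    if "/" in pattern:                        # net/mask, dotted mask or CIDR length
        return ip_address(c.ip) in ip_network(pattern, strict=False)
    return pattern in (c.ip, c.hostname)      # exact address or host name


def parse(table: str):
    """Turn 'daemon_list : client_list' lines into (daemons, clients) pairs."""
    rules = []
    for line in table.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        daemons, clients = line.split(":", 1)
        rules.append(([d.strip() for d in daemons.split(",")],
                      [p.strip() for p in clients.split(",")]))
    return rules


def hosts_access(daemon: str, ip: str, allow: str, deny: str) -> str:
    """tcpd order: first match in hosts.allow grants, then first match in
    hosts.deny refuses, and a client matching neither file is granted."""
    c = lookup(ip)
    for table, verdict in ((allow, "allow"), (deny, "deny")):
        for daemons, clients in parse(table):
            if any(d in ("ALL", daemon) for d in daemons) and \
               any(match_client(p, c) for p in clients):
                return verdict
    return "allow"


# Constructed tables for the two positions in the thread.
HOSTS_ALLOW = """
sshd: 198.51.100.7, .example.net     # explicit IP-based / host-based grants
ALL:  127.0.0.1
"""
DENY_PARANOID = "ALL: PARANOID\n"               # the default under discussion
DENY_EVERYTHING = "ALL: PARANOID\nALL: ALL\n"   # default-deny, allow-list only

if __name__ == "__main__":
    for ip in ("198.51.100.7", "198.51.100.9", "203.0.113.50"):
        print(ip, hosts_access("sshd", ip, HOSTS_ALLOW, DENY_PARANOID),
              hosts_access("sshd", ip, HOSTS_ALLOW, DENY_EVERYTHING))
```

Running it shows the difference the two posters are talking past each other on: with only `ALL: PARANOID` in hosts.deny, the host with inconsistent DNS is refused while an unlisted host with no reverse record is still let in, whereas `ALL: ALL` refuses everything that hosts.allow does not name explicitly, which is the IP-based configuration for which PARANOID adds nothing.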