On 01-01-03 Michael Bramer wrote:
> On Wed, Jan 03, 2001 at 10:15:43AM +0200, era eriksson wrote:
> > The stock base system comes with various "traditional security holes"
> > enabled. It would be nice (and probably very constructive) to have a
> > brief and simple procedure for how to reconfigure the system so as to
> > run a reasonably tight ship.
> >
> > Off the top of my head, I can think of the following:
> >
> > * Disable telnet; go with ssh instead (but then which ssh?)
> apt-get remove telnetd
Well, why do we have telnet enabled after installation? This is a big
security hole, and I think this service should be disabled and only be
enabled by the admin.
> > * Recommend disabling any non-critical network services entirely
> apt-get remove NETWORK_PACKAGE
> (rwhod, rsh-server, ...)
> If you don't know the package name, use:
> dpkg -S /usr/sbin/server
Hm, there are services in /etc/inetd.conf that do not belong to any
package, like daytime and echo, and these should be disabled by default.
> > * chroot and otherwise patch up everything that can't be turned off
> I can deinstall all network packages without problems
Well, there is a big difference between deinstalling software and chrooting it.
> > * Recommend replacing Sendmail with Postfix (or whatever)?
> IMHO sendmail is not the default mail server. It is exim. But only
> write:
> apt-get install postfix
> and you have postfix on your system...
But exim is already a better MTA choice than sendmail.
> > * Recommend replacing regular ftp server with something more robust
> type
> apt-get install MORE-ROBUST-FTP-SERVER
> and you get it.
Agreed.
> apt-get is a nice package tool, use it. :-)
Well, but there are things that you can't solve with apt-get, and not
everything should be solved by using apt-get.
Ciao
Christian
--
Debian Developer and Quality Assurance Team Member
1024/26CC7853 31E6 A8CA 68FC 284F 7D16 63EC A9E6 67FF 26CC 7853
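The thread's recurring point is that inetd's internal services (echo, daytime and friends), telnet and the r-services should not be active on a fresh install. As an added example that is not part of this thread or of Debian's own tooling, the POSIX shell script below audits an inetd.conf for such entries and writes a copy with them commented out. The sample file content is constructed for the example; the list of service names to treat as risky, and the suggestion to restart inetd afterwards, are the author's assumptions, not anything the thread specifies. ftp is deliberately left alone, since the thread proposes replacing it rather than switching it off.

```shell
#!/bin/sh
# Added example (not from the thread): audit a constructed inetd.conf for
# legacy internal services, telnet and the r-services, and produce a copy
# with them disabled. The RISKY_SERVICES list is an assumption for this
# example; tune it to the host's actual needs.

# inetd "internal" services plus telnet and the rsh-server entries
# (shell, login, exec). All are assumed to be unneeded on a modern host.
RISKY_SERVICES="echo chargen discard daytime time telnet shell login exec"

# Constructed sample standing in for /etc/inetd.conf (not a real system file).
SAMPLE_INETD_CONF='# /etc/inetd.conf: sample, constructed for this example
#:INTERNAL: Internal services
echo    stream  tcp     nowait  root    internal
#chargen stream  tcp     nowait  root    internal
daytime stream  tcp     nowait  root    internal
#:STANDARD: These are standard services.
telnet  stream  tcp     nowait  root    /usr/sbin/tcpd  /usr/sbin/in.telnetd
ftp     stream  tcp     nowait  root    /usr/sbin/tcpd  /usr/sbin/in.ftpd
#:MAIL:
smtp    stream  tcp     nowait  mail    /usr/sbin/exim  exim -bs'

# list_enabled_risky FILE: print the names of enabled (non-commented)
# services that are on the risky list, one per line.
list_enabled_risky() {
    awk -v risky="$RISKY_SERVICES" '
        BEGIN { n = split(risky, r, " "); for (i = 1; i <= n; i++) want[r[i]] = 1 }
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # skip comments and blanks
        ($1 in want) { print $1 }
    ' "$1"
}

# disable_risky FILE: write a hardened copy to stdout in which risky entries
# are commented out; every other line is passed through unchanged.
disable_risky() {
    awk -v risky="$RISKY_SERVICES" '
        BEGIN { n = split(risky, r, " "); for (i = 1; i <= n; i++) want[r[i]] = 1 }
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { print; next }
        ($1 in want) { print "#" $0 " # disabled by audit"; next }
        { print }
    ' "$1"
}

# count_enabled_risky FILE: number of risky services still active in FILE.
count_enabled_risky() {
    list_enabled_risky "$1" | wc -l | tr -d ' '
}

# Demo on the constructed sample. On a real host you would point the
# functions at /etc/inetd.conf, install the hardened copy, and restart
# inetd (e.g. /etc/init.d/inetd restart); both steps are assumptions here.
demo() {
    tmp=$(mktemp)
    printf '%s\n' "$SAMPLE_INETD_CONF" > "$tmp"
    echo "Enabled risky services before hardening:"
    list_enabled_risky "$tmp"
    disable_risky "$tmp" > "$tmp.hardened"
    echo "After hardening: $(count_enabled_risky "$tmp.hardened") risky services enabled"
    rm -f "$tmp" "$tmp.hardened"
}

demo
```

Running the script on the constructed sample reports echo, daytime and telnet as enabled, and the hardened copy leaves the ftp and smtp lines untouched while commenting out the three risky entries; a follow-up `list_enabled_risky` on the hardened copy returns nothing.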