On 01-01-03 Michael Bramer wrote:
> On Wed, Jan 03, 2001 at 10:15:43AM +0200, era eriksson wrote:
> > The stock base system comes with various "traditional security holes"
> > enabled. It would be nice (and probably very constructive) to have a
> > brief and simple procedure for how to reconfigure the system so as to
> > run a reasonably tight ship.
> >
> > Off the top of my head, I can think of the following:
> >
> > * Disable telnet; go with ssh instead (but then which ssh?)
> apt-get remove telnetd

Well, why do we have telnet enabled after installation? This is a big
security hole and I think this service should be disabled and only be
enabled by the admin.

> > * Recommend disabling any non-critical network services entirely
> apt-get remove NETWORK_PACKAGE
> (rwhod, rsh-server, ...)
> If you don't know the package name, use:
> dpkg -S /usr/sbin/server

Hm, there are services in /etc/inetd.conf that do not belong to any
package, like daytime and echo, and these should be disabled by default.

> > * chroot and otherwise patch up everything that can't be turned off
> I can deinstall all network packages without problems

Well, there is a big difference between deinstalling software and chrooting.

> > * Recommend replacing Sendmail with Postfix (or whatever)?
> IMHO sendmail is not the default mail server. It is exim. But only
> write:
> apt-get install postfix
> and you have postfix on your system...

But exim is already a better MTA choice than sendmail.

> > * Recommend replacing regular ftp server with something more robust
> type
> apt-get install MORE-ROBUST-FTP-SERVER
> and you get it...

Agreed.

> apt-get is a nice package tool, use it. :-)

Well, but there are things that you can't solve with apt-get, and not
everything should be solved by the usage of apt-get.

Ciao
Christian

--
Debian Developer and Quality Assurance Team Member
1024/26CC7853 31E6 A8CA 68FC 284F 7D16 63EC A9E6 67FF 26CC 7853
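As an added example (not from any of the posters above), a POSIX shell script that audits an inetd.conf for exactly the services the thread says should be off by default (inetd-internal ones such as echo and daytime, and telnet) and writes a copy with those lines commented out; the inetd.conf contents and file paths are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the thread: audit an inetd.conf for active
# services that inetd serves itself ("internal": echo, daytime, chargen...)
# or that hand out telnet, then emit a hardened copy. The sample file below
# is constructed for this demonstration; on a real host read /etc/inetd.conf.

SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
# constructed sample inetd.conf (service type proto wait user server args)
echo     stream  tcp  nowait  root  internal
#discard stream  tcp  nowait  root  internal
daytime  stream  tcp  nowait  root  internal
telnet   stream  tcp  nowait  root  /usr/sbin/tcpd  /usr/sbin/in.telnetd
ftp      stream  tcp  nowait  root  /usr/sbin/tcpd  /usr/sbin/in.ftpd
EOF

# list_enabled FILE: service name of every active (non-blank, uncommented) line
list_enabled() {
    awk 'NF > 0 && $1 !~ /^#/ { print $1 }' "$1"
}

# list_risky FILE: active services that are inetd-internal (field 6 is the
# literal word "internal", so dpkg -S cannot point at a package) or telnet
list_risky() {
    awk 'NF > 0 && $1 !~ /^#/ && ($6 == "internal" || $1 == "telnet") { print $1 }' "$1"
}

# harden_copy IN OUT: copy IN to OUT with every risky line commented out,
# leaving everything else byte-for-byte intact for review/diff
harden_copy() {
    awk 'NF > 0 && $1 !~ /^#/ && ($6 == "internal" || $1 == "telnet") { print "#" $0; next }
         { print }' "$1" > "$2"
}

HARDENED=$(mktemp)
harden_copy "$SAMPLE" "$HARDENED"
echo "enabled before: $(list_enabled "$SAMPLE"   | tr '\n' ' ')"
echo "risky:          $(list_risky   "$SAMPLE"   | tr '\n' ' ')"
echo "enabled after:  $(list_enabled "$HARDENED" | tr '\n' ' ')"
```

The hardened copy is written to a temporary file rather than over the live configuration, so it can be diffed and reviewed before inetd is told to reload it.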