
Bug#81118: base: Wishlist: High security base system (or separate add-on package)



On 01-01-03 Michael Bramer wrote:
> On Wed, Jan 03, 2001 at 10:15:43AM +0200, era eriksson wrote:
> > The stock base system comes with various "traditional security holes"
> > enabled. It would be nice (and probably very constructive) to have a
> > brief and simple procedure for how to reconfigure the system so as to
> > run a reasonably tight ship.
> > 
> > Off the top of my head, I can think of the following:
> > 
> >   * Disable telnet; go with ssh instead (but then which ssh?)

> apt-get remove telnetd

Well, why do we have telnet enabled after installation? This is a bit
security hole and I think this service should be disabled and only be
enabled by the admin.

> >   * Recommend disabling any non-critical network services entirely

> apt-get remove NETWORK_PACKAGE 
> (rwhod, rsh-server, ...)
> If you don't know the package name, use: 
> 	dpkg -S /usr/sbin/server

Hm, there are services in /etc/inetd.conf that do not belong to any
package, like daytime and echo, and these should be disabled by default.
  
> >   * chroot and otherwise patch up everything that can't be turned off

> I can deinstall all network packages without problems

Well, deinstalling software and chrooting are two very different things.

> >   * Recommend replacing Sendmail with Postfix (or whatever)?

> IMHO sendmail is not the default mail server. It is exim. But only
> write:
> 	apt-get install postfix
> and you have postfix on your system...

But exim is already a better MTA choice than sendmail.

> >   * Recommend replacing regular ftp server with something more robust

> type
> 	apt-get install MORE-ROBUST-FTP-SERVER
> and you get it..

Agreed.

> apt-get is a nice package tool, use it. :-)

Well, but there are things that you can't solve with apt-get and not
everything should be solved by the usage of apt-get.

Ciao
     Christian
-- 
          Debian Developer and Quality Assurance Team Member
    1024/26CC7853 31E6 A8CA 68FC 284F 7D16  63EC A9E6 67FF 26CC 7853
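
The point above about daytime and echo, as an added example that is not part of the original message: these services are implemented inside inetd itself (server field `internal`), so no package owns a server binary and `dpkg -S` cannot find them. The function names and the sample file are constructed for illustration; the field layout assumed is the standard inetd.conf one.

```shell
#!/bin/sh
# Added example: audit an inetd.conf-style file for enabled services.
# Assumed field layout (inetd.conf):
#   service  socket-type  protocol  wait-flag  user  server-program  [args]

# Print "service/protocol server-program" for every enabled entry.
# Reads the file named as argument, or stdin when none is given.
# A server-program of "internal" means inetd implements the service
# itself, so removing a package will not turn it off.
inetd_enabled() {
    awk '
        /^[ \t]*(#|$)/ { next }            # skip comments and blank lines
        NF >= 6        { print $1 "/" $3, $6 }
    ' "$@"
}

# Emit a copy of the input with every enabled internal service commented
# out; all other lines pass through unchanged.
inetd_disable_internal() {
    awk '
        !/^[ \t]*#/ && NF >= 6 && $6 == "internal" { print "#" $0; next }
        { print }
    ' "$@"
}

# Constructed sample input, not taken from a real system.
sample_inetd_conf() {
    cat <<'EOF'
# constructed sample
echo     stream tcp nowait root internal
daytime  dgram  udp wait   root internal
#chargen stream tcp nowait root internal
telnet   stream tcp nowait telnetd.telnetd /usr/sbin/tcpd /usr/sbin/in.telnetd
EOF
}

# Demo on the sample; on a real system: inetd_enabled /etc/inetd.conf
echo "enabled before:"
sample_inetd_conf | inetd_enabled
echo "enabled after disabling internal services:"
sample_inetd_conf | inetd_disable_internal | inetd_enabled
```

After replacing the real file with the filtered copy, inetd has to re-read its configuration (SIGHUP) before the change takes effect.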
