Re: RFC: inetd httpd-facility for dwww/dhelp
Jim Pick writes:
> Personally, I'd like to see a new web server policy. For example, I'd
> like to see all webservers we supply configured for localhost access
> only - leave it to the end user to add on virtual hosts or change the
> security settings. Perhaps we could have an automated tool (debconf?)
> for setting up external webservers.
I agree with the idea that packages, upon initial installation, are
configured for the maximum possible security settings. If one is
going to run a web server, one is going to have to dig through the
config files anyways. Why not make life a bit harder for the script
kiddies?

Or perhaps this could be a debconf global setting: "paranoia level".
If you set it to high, the default /etc/init.d/network would contain
a rule to drop all incoming TCP SYN except on a few special
ports, and all installed packages would only provide service to
localhost, etc...

Something to think about. Debconf is cool.
--
Colin Walters <levanti@verbum.org>
http://web.verbum.org/levanti
(1024D/C207843A) A580 5AA1 0887 2032 7EFB 19F4 9776 6282 C207 843A