
Re: RFC: inetd httpd-facility for dwww/dhelp



Jim Pick writes:
 > Personally, I'd like to see a new web server policy.  For example, I'd
 > like to see all webservers we supply configured for localhost access
 > only - leave it to the end user to add on virtual hosts or change the
 > security settings.  Perhaps we could have an automated tool (debconf?)
 > for setting up external webservers.

I agree with the idea that packages, upon initial installation, are
configured for the maximum possible security settings.  If one is
going to run a web server, one is going to have to dig through the
config files anyways.  Why not make life a bit harder for the script
kiddies?

Or perhaps this could be a debconf global setting: "paranoia level".
If you set it to high, the default /etc/init.d/network would contain
a rule to drop all incoming TCP SYN except on a few special
ports, and all installed packages would only provide service to
localhost, etc...

Something to think about.  Debconf is cool.

-- 
Colin Walters <levanti@verbum.org>
http://web.verbum.org/levanti
(1024D/C207843A) A580 5AA1 0887 2032 7EFB  19F4 9776 6282 C207 843A

