[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: assimilating OpenBSD

On Tue, Feb 06, 2001 at 03:59:28PM -0800, Erik Hollensbe wrote:
> 	I've made this point before, but debian comes installed with 3 very 
> unneeded services installed by default:
> 	1) portmap
> 	2) mountd
> 	3) lpd
> 	These are well known security holes on any unix machine. If you want

s/These are/Some versions of these programs are/

> debian secure 'out of hte box' then this stuff has to go. I think     
> rpc.statd is running as well. The whole RPC/NFS suite needs to go for 
> default installs.                                                     

portmap is not a security problem in debian by default because it
does not accept connections from anywhere except localhost until you
configure it to do so. you have to specifically allow connections from
particular IP addresses (not hostnames) in /etc/hosts.allow.

see /usr/share/doc/portmap/portmapper.txt.gz from the portmap package for

mountd and rpc.statd, being rpc services, are also protected by the
default portmap hosts.allow rules.

lpr is a potential problem. don't install it if you don't want it. or
install lprng or something else instead.

> > I will agree with you if you say "the debian (and in fact GNU/Linux)
> > core has not been audited to the same degree that OpenBSD has".  I
> > would suggest, though, that the "right" solution is to form an audit
> > team to perform this audit ... that makes all of debian better and
> > improves GNU/Linux as well.
> I'd like to see a group fo people stand up, but I would honestly have
> a hard time believing that a security audit team that's as skilled as
> the OpenBSD guys would be able to form and stay on task.

if you want to run OpenBSD then run it.

if you want Debian to become as secure as OpenBSD then help with the
auditing. since OpenBSD don't bother to announce their fixes to anyone
and are highly resistant to any suggestion that it would be a good idea
to do so (instead, they seem to prefer smugly saying "we knew about that
months/years ago"), auditing the gnu/linux tools is the only way that's
going to happen.

> Plus, there are TONS of GNU software tools, even more if you include
> GPL'd tools in debian. OpenBSD wins it's claims by keeping the
> distribution light from default install... which is why it's best
> geared towards a firewall.

you don't have to install every package that debian makes available, you
know. you don't even have to install all of the "Standard" packages.

i build most of my servers (and gateway/firewall boxes) by installing
just the base system and the apt-get installing only the handful of
packages that that particular machine needs.

apart from the auditing that OpenBSD has had and continues to have,
where's the difference? so we're back to the point that auditing the gnu
tools is important and worthwhile.

the whole notion of secure "out of the box" is flawed, anyway. sure, it
helps to have a good base system...but accepting the claim at face-value
can lead to a false sense of security and laziness on the part of the
system administrator. security's a process, not a tool. there's no magic
black box which will make a system or network secure if the sysadmin
doesn't take an active and *informed* role in security procedures.

this means taking the time to figure out and implement a security
policy, including being ruthless with my hosts.allow and hosts.deny
rules, and ipchains packet filtering, etc.

even the most secure base system in the world can be compromised by
an incompetent system admin, or by one who blithely assumes that it's
secure because the blurb said it was...but i repeat myself here.


craig sanders <cas@taz.net.au>

      GnuPG Key: 1024D/CD5626F0 
Key fingerprint: 9674 7EE2 4AC6 F5EF 3C57  52C3 EC32 6810 CD56 26F0

Reply to: