[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Task harden.

On Sun, Apr 01, 2001 at 10:26:08PM +0200, Ola Lundqvist wrote:
> I'm now packaging a task-harden package as I said in some other
> thread. To make this work fine I need some help:

> * What packages should be avoided.
sendmail, bind, r*, inetd, rpc*, most identd's (the spoofing ones are
okay - the idea is to give out as little info as possible), wu-ftpd, and
anything that is seen too often in BUGTRAQ. [1]

> * What packages should be installed.
tripwire? argus? snort?
(i am thinking intrusion detection here)

> And now some questions (that can be dicussed).
> * I intend to conflict with inetd. Do you think that is ok?

yes! there are good inetd's to replace it with (tcpserver, and xinetd[2]
both come to mind)

> * I will recommend ssh but then this package have go to
>   non-US, right? And will it work as a task package then?

no. crypto hooks do not force you into non-us. since a virtual package
does not even have hooks, it can stay out of non-us.

> Description: Helps you make the host less easy to crack.
less easy? i do not like that wording at all. 
more difficult, more resistant, less susceptible,  those are fine
(on a side note, i prefer the term ``spider'' over ``cracker'', jargon
file be damned)


[1] my theory is: if a large number of security violations have been
    found, chances are, more are still lurking. a complete re-write does
    get to wipe the slate clean, but i still don't trust BIND and no one
    is ever going to convince me otherwise. same with sendmail

[2] i have not too much familiarity with xinetd to actually recomend it,
    but i would rather use that that inetd

[3] yes, some of the things i listed are non-free. i can't help that :(

Reply to: