Re: Task harden.
On Sun, Apr 01, 2001 at 10:26:08PM +0200, Ola Lundqvist wrote:
> I'm now packaging a task-harden package as I said in some other
> thread. To make this work fine I need some help:
> * What packages should be avoided.
sendmail, bind, r*, inetd, rpc*, most identd's (the spoofing ones are
okay - the idea is to give out as little info as possible), wu-ftpd, and
anything that is seen too often in BUGTRAQ. 
> * What packages should be installed.
tripwire? argus? snort?
(i am thinking intrusion detection here)
> And now some questions (that can be dicussed).
> * I intend to conflict with inetd. Do you think that is ok?
yes! there are good inetd's to replace it with (tcpserver, and xinetd
both come to mind)
> * I will recommend ssh but then this package have go to
> non-US, right? And will it work as a task package then?
no. crypto hooks do not force you into non-us. since a virtual package
does not even have hooks, it can stay out of non-us.
> Description: Helps you make the host less easy to crack.
less easy? i do not like that wording at all.
more difficult, more resistant, less susceptible, those are fine
(on a side note, i prefer the term ``spider'' over ``cracker'', jargon
file be damned)
 my theory is: if a large number of security violations have been
found, chances are, more are still lurking. a complete re-write does
get to wipe the slate clean, but i still don't trust BIND and no one
is ever going to convince me otherwise. same with sendmail
 i have not too much familiarity with xinetd to actually recomend it,
but i would rather use that that inetd
 yes, some of the things i listed are non-free. i can't help that :(