[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: ALL: PARANOID from /etc/hosts.deny Should be Commented by default

On Wed, Apr 18, 2001 at 01:55:51PM -0700, Adam McKenna wrote:
> On Wed, Apr 18, 2001 at 09:35:06PM +0200, Nils Jeppe wrote:
> > On Wed, 18 Apr 2001, Adam McKenna wrote:
> > 
> > > Oh, come on now.  Anyone who's serious about security is not using name-based
> > > access lists.  For that matter, anyone who's serious about security is not
> > > relying on TCP wrappers for it, because it's been shown over and over again
> > > that TCP wrappers "security" can be easily defeated.  See Dan Bernstein's
> > > posts to Bugtraq regarding this issue.
> > 
> > I KNOW. But not everybody who runs Debian is serious enough about
> > security. Why soften the defaults?
> That's the point.  This _DOES_NOT_ increase security.  Anyone who believes it

Yes, it _DOES_ increase security.  It's another hoop to jump through.  Just like
getting physical access to the machine is a hoop to jump through.  Security 
is not about putting up only impenatrable walls and leaving everything else wide
open.  It's about doing what you can to each potential hole.

> does is suffering from delusions.  All it does is make life harder on
> sysadmins, who, if they don't know this is enabled, may spend hours chasing
> down this problem.

Does Debian have a policy somewhere regarding the "out of the box" security 
targets?  Can "secure by default" or "hackers heaven" be put up on a vote?

Personally I would like to see items like ALL: PARANOID left on, and more 
services turned off by default.  I think the system should be as secure as 
possible so a desktop user could configure their desktop and not have to 
worry about learning about the cryptic underlying configuration options.

The user should only have to learn the security implications of a service or
option if they intend to turn it on.  The install itself should assume the
user doesn't know about the option and would prefer to be protected.


Reply to: