Re: ALL: PARANOID from /etc/hosts.deny Should be Commented by default
On Wed, Apr 18, 2001 at 01:55:51PM -0700, Adam McKenna wrote:
> On Wed, Apr 18, 2001 at 09:35:06PM +0200, Nils Jeppe wrote:
> > On Wed, 18 Apr 2001, Adam McKenna wrote:
> > > Oh, come on now. Anyone who's serious about security is not using name-based
> > > access lists. For that matter, anyone who's serious about security is not
> > > relying on TCP wrappers for it, because it's been shown over and over again
> > > that TCP wrappers "security" can be easily defeated. See Dan Bernstein's
> > > posts to Bugtraq regarding this issue.
> > I KNOW. But not everybody who runs Debian is serious enough about
> > security. Why soften the defaults?
> That's the point. This _DOES_NOT_ increase security. Anyone who believes it
Yes, it _DOES_ increase security. It's another hoop to jump through. Just like
getting physical access to the machine is a hoop to jump through. Security
is not about putting up only impenatrable walls and leaving everything else wide
open. It's about doing what you can to each potential hole.
> does is suffering from delusions. All it does is make life harder on
> sysadmins, who, if they don't know this is enabled, may spend hours chasing
> down this problem.
Does Debian have a policy somewhere regarding the "out of the box" security
targets? Can "secure by default" or "hackers heaven" be put up on a vote?
Personally I would like to see items like ALL: PARANOID left on, and more
services turned off by default. I think the system should be as secure as
possible so a desktop user could configure their desktop and not have to
worry about learning about the cryptic underlying configuration options.
The user should only have to learn the security implications of a service or
option if they intend to turn it on. The install itself should assume the
user doesn't know about the option and would prefer to be protected.