
Re: ALL: PARANOID from /etc/hosts.deny Should be Commented by default



On Wed, Apr 18, 2001 at 04:48:41PM -0700, Adam McKenna wrote:
> On Wed, Apr 18, 2001 at 04:43:15PM -0700, Nathan Dabney wrote:
> > It doesn't have to be a big security win.  It's still a win.  It provides the 
> > additional security as opposed to shipping with the distro's pants down.
> 
> It's not a win.  It provides _nothing_ except confusion for newbie sysadmins.
> If we're going to have a default, it might as well be something useful.

I disagree, it's a small win.  The reasons for which have already been covered
in this thread.  Just because the things it helps provide are not important to 
you doesn't mean nobody would like them.

> > It's not too aggressive.  Would you prefer we ship with ssh allowing root
> > logins and a default of no password for root so users can use without having to
> > understand what they are doing?
> 
> There are many other, better ways to increase security than enabling paranoid
> host checks by default.  And most of them are just as easy.

Other yes, should we ignore this one, now.

I would prefer ALL: ALL in hosts.deny as a default.

> BTW, Implying that getting rid of these useless paranoid checks is tantamount 
> to leaving a box open with no root password is just ridiculous.

I am sorry, I didn't mean to compare them in seriousness, I was thinking more 
along the lines of "having it secure by default is better than installing
a hackable system on purpose."

I am a firm believer in the idea that we should aim for secure by default when
making decisions like this.  Do you agree?  

For those of you who do not like PARANOID, what would you suggest without
reducing the protection?  Does ALL: ALL with some commentary explaining where
the user can go for more information sound good?

-Nathan


