
Re: ALL: PARANOID from /etc/hosts.deny Should be Commented by default



On Wed, Apr 18, 2001 at 08:47:42PM -0700, John H. Robinson, IV wrote:
> On Thu, Apr 19, 2001 at 03:33:23AM +0200, Eloi Granado wrote:
> > On Thursday 19 April 2001 01:57, Nathan Dabney wrote:
> > > For those of you who do not like PARANOID, what would you suggest without
> > > reducing the protection?  Does ALL: ALL with some commentary explaining
> > > where the user can go for more information sound good?
> > 
> > Well, and some blinking message lines at boot time warning the new user that 
> > his machine is blocking all possible networking, absolutely ISOLATED? What 
> > about to remove all networking support by default? So the user will have to 
> > learn ALL networking risks before connecting/accepting connections from 
> > anywhere (oh yes, he will learn a lot in the way).
> 
> not all services are tcpwrapped.  as a matter of fact, exactly TWO types
> of services are tcpwrapped:
>       * those spawned from inetd, that explicitly have tcpd in their
>         invocation
>       * those compiled with libwrap
> 
> not all services suffer as such. so to say a system with ALL:ALL in
> hosts.deny (i hate that file. it should go away. replaced with
> echo ALL:ALL:DENY >> /etc/hosts.allow) disallows ALL networking is
> false. the suggestion to have localhost and localnet in hosts.allow, and
> all:all:deny in hosts.allow is a very good one.

I disagree.

We cannot expect the user to want to accept connections from the local net.  I
do agree however that localhost needs to be there ;)

> 
> SECURE by default. open up by a positive action.

Exactly.  I completely agree with this statement.

> have we not learned the mistakes of red hat? are we doomed to repeat
> them? keep it CLOSED. force the user to make a conscious decision to
> open up their box.
> 
> > Be serious, what type of system do we want? One both for users and for 
> > servers, or an OpenBSD-like firewalling (user unfriendly) system?
> 
> i cannot speak for OpenBSD, as i have never used it (i can speak for
> BSDi and their broken tar, however).
> 
> what type of system do you want: susceptible for the next worm, or prepared to
> defend against the future onslaughts?
> 
> i want a system for users. this means keeping things off. users do not
> need lots of services running[1]. if they want to run services, then they
> are sysadmins, and must be ready for that step. to do otherwise is to
> invite disaster, and be a disservice to the people we are trying to
> serve.
> 
> -john
> 
> [1] do they need any? does an MTA have to listen to an IP other than
>     loopback? really?
> 
> 

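The thread compares three tcp_wrappers defaults: `ALL: PARANOID` in hosts.deny, `ALL: ALL` in hosts.deny, and a single hosts.allow carrying `ALL: 127.0.0.1` followed by `ALL: ALL: DENY`. The following is an added example written for this page, not code from the thread, from Debian, or from the tcp_wrappers project: a small Python model of the hosts_access(5) evaluation order (hosts.allow first, first match wins; then hosts.deny; otherwise permit) with the hosts_options(5) `allow`/`deny` trailing field. The DNS table (`REVERSE`, `FORWARD`), the addresses, the `sshd` daemon name and all function names are constructed for the demonstration; `EXCEPT` lists, shell commands and `@netgroup` forms are not modelled. As the thread notes, none of this applies to a service that is neither started through tcpd nor linked against libwrap.

```python
"""Toy model of tcp_wrappers host access control (added example, not project code)."""
import ipaddress

# Constructed stand-in for DNS: address -> reverse (PTR) name, name -> forward (A) addresses.
# 10.0.0.6 has a PTR record whose name resolves somewhere else: that is what PARANOID catches.
REVERSE = {
    "127.0.0.1": "localhost",
    "10.0.0.5": "good.example.net",
    "10.0.0.6": "spoof.example.net",
}
FORWARD = {
    "localhost": ["127.0.0.1"],
    "good.example.net": ["10.0.0.5"],
    "spoof.example.net": ["10.0.0.99"],
}

NO_MATCH = object()


def lookup(addr):
    """Return (reverse_name_or_None, paranoid); paranoid means the name does not map back."""
    name = REVERSE.get(addr)
    if name is None:
        return None, False          # no PTR at all: UNKNOWN, not PARANOID
    return name, addr not in FORWARD.get(name, [])


def match_client(pattern, addr):
    """Match one client pattern from hosts_access(5) against a connecting address."""
    name, paranoid = lookup(addr)
    trusted_name = name if (name is not None and not paranoid) else None
    if pattern == "ALL":
        return True
    if pattern == "PARANOID":
        return paranoid
    if pattern == "UNKNOWN":
        return name is None
    if pattern == "KNOWN":
        return trusted_name is not None
    if pattern == "LOCAL":              # hostnames without a dot
        return trusted_name is not None and "." not in trusted_name
    if "/" in pattern:                  # net/mask, e.g. 10.0.0.0/255.255.255.0
        net, mask = pattern.split("/", 1)
        return ipaddress.ip_address(addr) in ipaddress.ip_network(f"{net}/{mask}", strict=False)
    if pattern.endswith("."):           # address prefix, e.g. 10.0.
        return addr.startswith(pattern)
    if pattern.startswith("."):         # domain suffix, e.g. .example.net
        return trusted_name is not None and trusted_name.endswith(pattern)
    return pattern == addr or pattern == trusted_name


def parse_rules(text):
    """Parse 'daemon_list : client_list [: option]' lines; comments and blanks are skipped."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            raise ValueError(f"malformed rule: {raw!r}")
        daemons = fields[0].replace(",", " ").split()
        clients = fields[1].replace(",", " ").split()
        option = fields[2].lower() if len(fields) > 2 else None
        rules.append((daemons, clients, option))
    return rules


def first_match(rules, daemon, addr):
    """Option field of the first matching rule, None if it had none, NO_MATCH if nothing matched."""
    for daemons, clients, option in rules:
        if any(d in ("ALL", daemon) for d in daemons) and any(match_client(c, addr) for c in clients):
            return option
    return NO_MATCH


def allowed(daemon, addr, hosts_allow, hosts_deny=""):
    """hosts.allow first, then hosts.deny, default permit; an explicit option overrides the file."""
    hit = first_match(parse_rules(hosts_allow), daemon, addr)
    if hit is not NO_MATCH:
        return hit != "deny"
    hit = first_match(parse_rules(hosts_deny), daemon, addr)
    if hit is not NO_MATCH:
        return hit == "allow"
    return True


# The defaults discussed in the thread, as (hosts.allow, hosts.deny) pairs, plus the
# localnet variant John proposed and the reply's author rejects.
POLICIES = {
    "paranoid": ("", "ALL: PARANOID"),
    "all_all": ("", "ALL: ALL"),
    "single_file": ("ALL: 127.0.0.1\nALL: ALL: DENY", ""),
    "single_file_localnet": ("ALL: 127.0.0.1 10.0.0.0/255.255.255.0\nALL: ALL: DENY", ""),
}


def decide(policy, daemon, addr):
    allow_text, deny_text = POLICIES[policy]
    return allowed(daemon, addr, allow_text, deny_text)


if __name__ == "__main__":
    clients = ["127.0.0.1", "10.0.0.5", "10.0.0.6", "192.0.2.1"]
    for policy in POLICIES:
        verdicts = ", ".join(f"{a}={'allow' if decide(policy, 'sshd', a) else 'deny'}" for a in clients)
        print(f"{policy:22s} {verdicts}")
```

Running it shows the trade-off the thread argues about: `paranoid` only rejects 10.0.0.6 (the host whose PTR does not resolve back) and lets an address with no PTR at all straight through; `all_all` rejects everything, loopback included; `single_file` admits only 127.0.0.1; and the localnet variant admits 10.0.0.6 as well, because a net/mask pattern is decided on the address and never consults DNS.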