Re: ALL: PARANOID from /etc/hosts.deny Should be Commented by default
On Wed, Apr 18, 2001 at 11:06:10PM -0700, Adam McKenna wrote:
> On Wed, Apr 18, 2001 at 04:57:50PM -0700, Nathan Dabney wrote:
> > I am sorry, I didn't mean to compare them in seriousness, I was thinking more
> > along the lines of "having it secure by default is better than installing
> > a hackable system on purpose."
> Yes, but that's assuming that PARANOID makes things more secure. PARANOID
> can only be as secure as the DNS records it relies on, which is why it should
> be eliminated.
I don't have a problem with it being taken out, as long as something better
replaces it. Just removing it would bother me.
> > I am a firm believer in the idea that we should aim for secure by default when
> > making decisions like this. Do you agree?
> > For those of you who do not like PARANOID, what would you suggest without
> > reducing the protection? Does ALL: ALL with some commentary explaining where
> > the user can go for more information sound good?
> No. We should ask the user during installation what networks he wants to
> allow access from, and force him to enter IP addresses/CIDR blocks.
How about we first ask the user upon install if they want to be able to accept
outside connections at all.
I think this thread could be solved by designing a few types of installs and
giving defaults for host.deny and host.allow and other security points for each
Basic Install - Workstation (no access)
host.deny: ALL: ALL
Basic Install - Workstation (some access)
host.deny: ALL: PARANOID (or IPs)
Basic Install - Server (some access)
host.allow: ALL: ip list for accessible points
host.deny: ALL: PARANOID (prompt user for preference)
Expert Install - Asks user what they want, IP based or paranoid or none.
We *need* a "secure by default" install option for people that may want to use
What does everyone think of a /etc/security.policy file with a few security
flags set upon install that packages can read during later installs or
upgrades to see if they should be open or closed by default?
Senior System Administrator
Open Source Development Lab
-=- Debian: 2.2.19 - Total of 8 processors activated (11190.27 BogoMIPS) -=-