[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: ALL: PARANOID from /etc/hosts.deny Should be Commented by default

On Thu, Apr 19, 2001 at 03:58:48PM +0200, Miros/law `Jubal' Baran wrote:
> 19.04.2001 pisze PiotR (piotr@omega.resa.es):
> 
> > > This is starting to become an endless discussion with no real outcome.
> > > What Debian does by default should be what most admins do. I'm not going to
> >                                         ^^^^^^^^^^^^^^^^^^^^
> > You are wrong. Read the policy. Debian is not exclusively for admins.
> 
> When one has uid=0 on his own computer it means that this one *is* an
> admin. And it means that this one should *know* anything about system
> one is installing. Clueless admins are *not* problem of Debian project.

and thus, ALL:ALL:DENY should be the last entry in the /etc/hosts.allow

you can place a ALL:PARANOID:DENY up near the top, or down near the
bottom. that's fine by me.  if it annoys me, i add entries for systems
that are stuck behind broken isp's (hi, @Home!)

a USER again does not need mondo services running. an empty inetd.conf
is the best way. but some services require things like identd to be
running. (*sigh* when will they learn? you can never trust the
information another system gives you[1]..).

so the best thing to do is have ALL:ALL:DENY, and only allow what you
explicitly allow. i fully agree that PARANOID is not enough. that only
catches innocent victims, and people that will try other tricks to get
in anyway. ALL:ALL:DENY is the right measure.

if you want to accept mail, http[2], ftp[2], and ident requests, don't wrap
those services. i would agree to that measure. things like r*, telnet
and ssh should be wrapped, since those allow direct control of the
system.

-john

[1] this is before other authentications. you may trust the user, but
    the system can be lying to you.

[2] but if you run this service, you are out of the realm of simple end
    user. we will disregard the fact of the UID=0 account.

i am reminded that the secure computer is the one that is locked in a
vault, no network, no powersupply, and the hard drive melted to slag.
likewise, the secure service is the one that is not running. if after a
default debian install, an nmap returned with no open ports, i would be
so stoked!
Reply to: