Re: ALL: PARANOID from /etc/hosts.deny Should be Commented by default
On Thu, Apr 19, 2001 at 03:58:48PM +0200, Miros/law `Jubal' Baran wrote:
> On 19.04.2001 PiotR (firstname.lastname@example.org) writes:
> > > This is starting to become an endless discussion with no real outcome.
> > > What Debian does by default should be what most admins do. I'm not going to
> > ^^^^^^^^^^^^^^^^^^^^
> > You are wrong. Read the policy. Debian is not exclusively for admins.
> When one has uid=0 on his own computer it means that this one *is* an
> admin. And it means that this one should *know* everything about the
> system one is installing. Clueless admins are *not* the problem of the
> Debian project.
And thus, ALL:ALL:DENY should be the last entry in /etc/hosts.allow.
You can place an ALL:PARANOID:DENY up near the top, or down near the
bottom; that's fine by me. If it annoys me, I add entries for systems
that are stuck behind broken ISPs (hi, @Home!).
A USER, again, does not need mondo services running. An empty inetd.conf
is the best way. But some services require things like identd to be
running. (*sigh* When will they learn? You can never trust the
information another system gives you.)
So the best thing to do is have ALL:ALL:DENY, and only allow what you
explicitly allow. I fully agree that PARANOID is not enough. That only
catches innocent victims, and people that will try other tricks to get
in anyway. ALL:ALL:DENY is the right measure.
If you want to accept mail, http, ftp, and ident requests, don't wrap
those services. I would agree to that measure. Things like r*, telnet
and ssh should be wrapped, since those allow direct control of the
This is before other authentications. You may trust the user, but
the system can be lying to you.
But if you run this service, you are out of the realm of the simple end
user. We will disregard the fact of the UID=0 account.
I am reminded that the secure computer is the one that is locked in a
vault, no network, no power supply, and the hard drive melted to slag.
Likewise, the secure service is the one that is not running. If after a
default Debian install, an nmap returned with no open ports, I would be