On Thursday 19 April 2001 17:33, Nathan Dabney wrote:
> How about we first ask the user upon install if they want to be able to
> accept outside connections at all.
> I think this thread could be solved by designing a few types of installs
> and giving defaults for host.deny and host.allow and other security points
> for each install scenario.
> Example:
> 	Basic Install - Workstation (no access)
> 		host.deny: ALL: ALL
> 	Basic Install - Workstation (some access)
> 		host.deny: ALL: PARANOID (or IPs)
> 	Basic Install - Server (some access)
> 		host.allow: ALL: ip list for accessible points
> 		host.deny: ALL: PARANOID (prompt user for preference)
> 	Expert Install - Asks user what they want, IP based or paranoid or none.
> We *need* a "secure by default" install option for people that may want to
> use it.

That seems really perfect to me. But I've read in this thread of possible
problems that removing ALL:PARANOID can lead to (thanks Anthony Towns - among
others :)). What about warning the user of them so he will know the
"secondary effects" of such a trivial decision?

> What does everyone think of a /etc/security.policy file with a few security
> flags set upon install that packages can read during later installs or
> upgrades to see if they should be open or closed by default?

Great idea.

