
Re: assimilating OpenBSD



On Wed, Feb 07, 2001 at 01:23:57PM +1100, Craig Sanders wrote:
> portmap is not a security problem in debian by default because it
> does not accept connections from anywhere except localhost until you
> configure it to do so. you have to specifically allow connections from
> particular IP addresses (not hostnames) in /etc/hosts.allow.

Hmm. I've never seen the default hosts.deny block the whole world from
connecting to portmap. Are you sure you didn't add such a line yourself?

> mountd and rpc.statd, being rpc services, are also protected by the
> default portmap hosts.allow rules.

Bzzt. An attacker can't use portmap to identify what port they're
listening on, but can still do a full port scan and take a wild guess
(which isn't usually all that wild.) rpc.mountd has its own line in
hosts.allow, but I don't think that's true for statd.

> lpr is a potential problem. don't install it if you don't want it. or
> install lprng or something else instead.

History has shown lprng to have its own problems. If you're doing
network printing I recommend rlpr--just remove that damned suid bit. :)

> the whole notion of secure "out of the box" is flawed, anyway. sure, it
> helps to have a good base system...but accepting the claim at face-value
> can lead to a false sense of security and laziness on the part of the

And claiming that the concept of security out of the box is flawed is a
sign of laziness on the part of those (us) who could do better but do
not.

-- 
Mike Stone
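The disagreement above is about how tcp_wrappers resolves a (daemon, client) pair against /etc/hosts.allow and /etc/hosts.deny: a match in hosts.allow grants access, otherwise a match in hosts.deny refuses it, otherwise access is granted. The following simulator is an added example, not code from the thread or from Debian, and the two configuration files it evaluates are constructed samples rather than Debian's shipped defaults. It models only daemon names, ALL, exact IP addresses and dotted network prefixes; it does not implement EXCEPT, hostnames or options, and a daemon that is not linked against libwrap never consults these files at all, which is the open question about rpc.statd in the message. The outside address 203.0.113.9 is a documentation-range placeholder.

```python
"""Minimal simulator of tcp_wrappers access decisions (hosts.allow / hosts.deny).

Added example; the rule files below are constructed for illustration.
"""

HOSTS_ALLOW = """\
# constructed sample /etc/hosts.allow: portmap only from loopback and one LAN
portmap: 127.0.0.1 192.168.1.
rpc.mountd: 192.168.1.
"""

HOSTS_DENY = """\
# constructed sample /etc/hosts.deny: refuse everyone else for the named daemons
portmap: ALL
rpc.mountd: ALL
"""

# A stricter hosts.deny that closes the "no rule means allow" default.
HOSTS_DENY_ALL = "ALL: ALL\n"


def parse_rules(text):
    """Parse 'daemon_list : client_list' lines into (daemons, clients) tuples."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            raise ValueError("malformed rule: %r" % raw)
        rules.append((fields[0].split(), fields[1].split()))
    return rules


def client_matches(pattern, addr):
    """ALL matches anything; a trailing dot means a network prefix; else exact IP."""
    if pattern == "ALL":
        return True
    if pattern.endswith("."):
        return addr.startswith(pattern)
    return pattern == addr


def rule_matches(rule, daemon, addr):
    daemons, clients = rule
    daemon_ok = "ALL" in daemons or daemon in daemons
    return daemon_ok and any(client_matches(p, addr) for p in clients)


def access_allowed(daemon, addr, allow_text=HOSTS_ALLOW, deny_text=HOSTS_DENY):
    """tcp_wrappers order: hosts.allow first, then hosts.deny, then default allow."""
    for rule in parse_rules(allow_text):
        if rule_matches(rule, daemon, addr):
            return True
    for rule in parse_rules(deny_text):
        if rule_matches(rule, daemon, addr):
            return False
    return True  # no matching rule in either file: access is granted


def decisions(allow_text=HOSTS_ALLOW, deny_text=HOSTS_DENY):
    """Evaluate a few representative (daemon, client) probes; outside host is a placeholder."""
    probes = [
        ("portmap", "127.0.0.1"),
        ("portmap", "192.168.1.20"),
        ("portmap", "203.0.113.9"),
        ("rpc.mountd", "203.0.113.9"),
        ("rpc.statd", "203.0.113.9"),  # no rule for statd in the sample files
    ]
    return {(d, a): access_allowed(d, a, allow_text, deny_text) for d, a in probes}


if __name__ == "__main__":
    for (daemon, addr), ok in decisions().items():
        print("%-11s from %-13s -> %s" % (daemon, addr, "allow" if ok else "deny"))
    print("with 'ALL: ALL' in hosts.deny, rpc.statd from outside ->",
          "allow" if access_allowed("rpc.statd", "203.0.113.9",
                                    HOSTS_ALLOW, HOSTS_DENY_ALL) else "deny")
```

Running it shows why a per-daemon hosts.deny entry protects portmap and rpc.mountd but leaves a daemon with no entry (rpc.statd here) reachable from anywhere; the `ALL: ALL` variant is the usual way to make the default a refusal, after which each daemon needs an explicit hosts.allow line.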
