On Mon, May 06, 2013 at 04:08:07PM +0200, Christoph Anton Mitterer wrote: > 1) IMHO, services/daemons (e.g. apache, ejabberd, etc.) that listen per > default on the network (unless loopback only) shouldn't be started per > default, after being installed. > The usually come only with a default config which may not be hardened > enough for the local system, and that short time may already be enough > for an attacker to attack. > > Or default config may be simply pointless for the environment, and > starting the service per default is just annoying. > It shouldn't be to hard for an admin to configure the appropriate > runlevels when he thinks he's finished with configuration. > > One could handle this different for local only services/daemons. E.g. > when I install haveged, I usually want it... and there shouldn't be a > security impact when it immediately runs after being installed. There is also a related thing that was discussed in the past: stop disabling services via /etc/default. -- WBR, wRAR
Attachment:
signature.asc
Description: Digital signature