
RE: rlinetd security



Hello Noah

> -----Original Message-----
> From: Noah L. Meyerhans [mailto:frodo@morgul.net]
> Sent: Tuesday, June 19, 2001 7:59 AM
> To: Debian Security List
> Subject: Re: rlinetd security
[snip]
>
> I do care.  I often disable inetd completely, if the server in question
> doesn't need any of what it offers.
[snip]

Interesting thought...  I wonder if I can get away with that easily?

> I do think it's worth discussing whether the policy should be "on by
> default" or "off by default".  Not just for the simple services, but for
> all services that get installed.  Which option leaves more work to be
> done by the admin?  In the current "on by default" state, you install a
> new system and go through /etc/rc?.d/ and /etc/inetd.conf and turn off
> things that you don't need, or uninstall them completely.  Is that
> less time consuming for the admin than requiring them to go over the
> same directories and files and explicitly enable the services they want?
> I am not sure, but I expect it might not be.  And I know it would be
> safer to leave services off by default.  There are a lot of incompetent
> admins out there, and while "off by default" might generate a bit more
> traffic on -user, it is likely to save some of them some major grief.

Doesn't it really depend on the use of the machine and the competency of the
admin?  Can (should) options be made for say Firewall, Personal System,
Default or by experience level?  This is starting to sound too much like
Microsoft:).

My real concern is for people like me.  I know a lot about computers (over
20 years of experience).  But, I don't have much experience with security.
I don't know a lot about many of the packages in Linux.

When I first loaded Linux on a machine, I wanted it to be at least
functional (whatever that means).  So there should be a base install that
does that.  For this the policy of "on by default" works best.

Then there is the last install I performed, a firewall.  This should be very
minimal and I should have to choose what to put on the box or add it in
later.  Yes, the assumption that I know what I am doing (mostly) is
reasonable.  Here the policy should be 'off by default'.

The next problem, and you mention it in the incompetent admins, is there is
a large group of people that are installing Linux as firewalls to their home
intranets to a DSL or Cable connection.  These people have no clue what they
are getting into.  (I still don't believe how often the firewall gets port
scanned and hit with attempted compromises.)  What do we want their machines
to do?  (They won't know enough at first to deal with security.)  I am sure
that some of you feel they shouldn't do this if they don't know what they are
doing, but the reality is they don't care what you think.  I don't want to
deal with these machines getting compromised and then attacking us.

As I write this it becomes a little clearer to me that we need to protect
the net and ourselves.  This may make it harder for the newbie to learn (and
more work for us when we install).  I would have to recommend that the "off
by default" would be the safer policy.  (But then again, who am I?)

Pat Moffitt
MIS Administrator
Western Recreational Vehicles, Inc.



