
Re: rlinetd security

From Pat Moffitt on Tuesday, 19 June, 2001:
>> -----Original Message-----
>> From: Noah L. Meyerhans [mailto:frodo@morgul.net]
>Doesn't it really depend on the use of the machine and the competency of the
>admin?  Can (should) options be made for say Firewall, Personal System,
>Default or by experience level?  This is starting to sound too much like

Heh..  It's not Mc$oft in that a) the functionality isn't disabled in such
  a way as to prevent usage (you just have to go in and activate it and
  it's *not* illegal to do so.  Also, you can just download the packages and
  install them) and b) you aren't charged any more for
  one than the other (in fact, you aren't charged anything :).

I'd argue that, out of the box, *nothing* should be listening in on *any* port.
  For one, that'd give admins time to patch before they set the box out (helping
  limit the window of vulnerability).  For another thing, disabling services
  makes the admin actually set up the machine themselves, something they ought
  to do anyway.  For example, if they want FTP, they'd better configure it before
  they set it out.  I guess you could just throw in an "I know this is dumb, but I'd
  like to have stuff up and running out-of-box" for those who would go elsewhere if
  they had to set it up themselves.

>My real concern is for people like me.  I know a lot about computers (over
>20 years of experience).  But, I don't have much experience with security.
>I don't know a lot about many of the packages in Linux.

This is a very good argument for not having your box be running every service
  known to man out of the box.  If you don't know, it *can* hurt you (and
  *others* as well).  You should learn about things before you go running
  them.  You should have to read the manual in order to get FTP up and running.

>The next problem, and you mention it in the incompetent admins, is there is
>a large group of people that are installing Linux as firewalls to their home
>intranets to a DSL or Cable connection.  These people have no clue what they
>are getting into.  (I still don't believe how often the firewall gets port

This is a good argument for a "firewall" installation.  An absolutely minimum 
  install that has firewall software up and running, with a reasonable ruleset, 
  so that they are at least *partly* covered when the box comes up the first time.

>As I write this it becomes a little clearer to me that we need to protect
>the net and ourselves.  This may make it harder for the newbie to learn (and
>more work for us when we install).  I would have to recommend that the "off
>by default" would be the safer policy.  (But then again, who am I?)

Sounds good.  I've not followed the thread very religiously, but I'd suggest
  a setup system for the next release that has the following options:
     a) personal system (no server components are even installed on the box)
     b) firewall system (only a very minimal install, with firewall software
          and a reasonable default ruleset up and running when the box comes
          on line)
     c) server (Have the user choose exactly *which* services they want running.
          Nothing should be started until the administrator explicitly enables
          them.  The user should be told of this when they finish the install)
     d) custom (use dselect)

While we're at it, it'd be nice if the packages (on an update) didn't re-enable
  themselves if I've disabled them.  Inetd should check each of the runlevels to
  see if it's currently enabled (/etc/rc?.d).  If it's not, it shouldn't make it
  so.  The same goes for all the other services in /etc/rc?.d.  Also, if it
  isn't listed in /etc/inetd.conf, the admin has probably removed it, and it
  shouldn't add itself back in.
Just something that's annoyed me when updating daily.  :)

"IBM were providing source code in the 1960's under similar terms. 
VMS source code was available under limited licenses to customers 
from the beginning. Microsoft are catching up with 1960."
   --Alan Cox,  http://www2.usermagnet.com/cox/index.html
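The "don't re-enable what the admin disabled" check proposed above, written out as an added example (not code from the original post or from any Debian package): a maintainer-script style helper that looks for a start symlink in /etc/rc?.d and for an active, uncommented line in /etc/inetd.conf before deciding what an upgrade may do. The directory layout, the service names ftpd/sshd/telnet/ftp, and the three action words (enable, restart, leave-disabled, keep, leave-out) are assumptions constructed for the illustration; $ROOT lets the same functions be pointed at a scratch tree instead of the real filesystem.

```shell
#!/bin/sh
# Added example, not Debian's own maintainer-script code.  The tree under
# $ROOT is constructed here for illustration; on a real system ROOT would be /.

ROOT="${ROOT:-/}"

# Return 0 if any runlevel directory $ROOT/etc/rc?.d holds a start
# symlink (S??name) for the service, i.e. the admin left it enabled.
service_enabled_in_runlevels() {
    name="$1"
    for d in "$ROOT"/etc/rc[0-6S].d; do
        [ -d "$d" ] || continue
        for link in "$d"/S[0-9][0-9]"$name"; do
            if [ -L "$link" ] || [ -e "$link" ]; then
                return 0
            fi
        done
    done
    return 1
}

# Return 0 if inetd.conf has an active (uncommented) line whose first
# field is the service name.  Assumes plain service names, no regex chars.
inetd_has_service() {
    conf="$ROOT/etc/inetd.conf"
    [ -f "$conf" ] || return 1
    grep -q "^[[:space:]]*$1[[:space:]]" "$conf"
}

# What an init-script package's postinst should do.  Only a first install
# gets to enable anything; on upgrade, a service the admin removed from
# every runlevel stays off.
decide_init_action() {
    name="$1"
    first_install="$2"    # yes|no
    if [ "$first_install" = yes ]; then
        echo enable
    elif service_enabled_in_runlevels "$name"; then
        echo restart
    else
        echo leave-disabled
    fi
}

# Same idea for inetd services: a line that is absent or commented out
# is treated as "the admin removed it" and is not added back.
decide_inetd_action() {
    if inetd_has_service "$1"; then
        echo keep
    else
        echo leave-out
    fi
}

# Build a constructed sample tree: ftpd enabled in runlevel 2, sshd only
# stopped (K link), telnet active in inetd.conf, ftp commented out.
make_sample_tree() {
    root="$1"
    mkdir -p "$root/etc/init.d" "$root/etc/rc2.d" "$root/etc/rc3.d"
    : > "$root/etc/init.d/ftpd"
    : > "$root/etc/init.d/sshd"
    ln -s ../init.d/ftpd "$root/etc/rc2.d/S20ftpd"
    ln -s ../init.d/sshd "$root/etc/rc3.d/K20sshd"
    printf '%s\n' \
        'telnet stream tcp nowait root /usr/sbin/tcpd /usr/sbin/in.telnetd' \
        '#ftp   stream tcp nowait root /usr/sbin/tcpd /usr/sbin/in.ftpd' \
        > "$root/etc/inetd.conf"
}

demo() {
    tmp=$(mktemp -d)
    make_sample_tree "$tmp"
    ROOT="$tmp"
    echo "ftpd on upgrade:   $(decide_init_action ftpd no)"
    echo "sshd on upgrade:   $(decide_init_action sshd no)"
    echo "sshd first install: $(decide_init_action sshd yes)"
    echo "telnet in inetd:   $(decide_inetd_action telnet)"
    echo "ftp in inetd:      $(decide_inetd_action ftp)"
    rm -rf "$tmp"
}

demo
```

Run it as-is to see the decisions against the constructed tree; in a real postinst you would drop the demo, leave ROOT at /, and call decide_init_action with the package's own service name and the "first install" flag that dpkg passes as the maintainer-script arguments.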
