[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: rlinetd security

On Tue, Jun 19, 2001 at 09:30:56AM -0700, Pat Moffitt wrote:
> My real concern is for people like me.  I know a lot about computers (over
> 20 years of experience).  But, I don't have much experience with security.
> I don't know a lot about many of the packages in Linux.

That's partly why I don't like the argument that, for example, if you
don't want rpc.statd running, just uninstall nfs-common.  I work in an
environment where there are hundreds of Linux installations directly
connected to the Internet.  There is no firewall, and, in general, no
ports are filtered by the routers.  Andybody is free to install their
own system and do with it pretty much as they please.  The problem is
that most of the time they don't really know what's running on their
system.  They don't know about editing inetd.conf, they don't know about
portmap and NFS, and some of them are only just now leaning (the
hard way) why 'xhost +' is bad.

These people will install Apache on their machine, see that it works,
and start using it as a production web server.  There is nothing to
force them to turn off unnecessary services.  It might make my life more
difficult if they came to me every time they installed a new system and
asked why Apache wasn't working, but I'd prefer that to having them come
complain when I shut their access off due to their machine being cracked
via rpc.statd, which they've never even heard of.

I am certainly not claiming that these people are competant sysadmins,
or that a sysadmin would experience the difficulties that they do, but I
am claiming that the majority of Linux installations are run by people
with this level of expertise.  As it gets easier and easier to install
Linux, we're going to be seeing less and less competant people doing it.
They're going to get in trouble.

> As I write this it becomes a little clearer to me that we need to protect
> the net and ourselves.  This may make it harder for the newbie to learn (and
> more work for us when we install).  I would have to recommend that the "off
> by default" would be the safer policy.  (But then again, who am I?)

Well, maybe off by default is not the way to go, but "not installed by
default" is.  If somebody needs NFS, they know it, and with that
knowledge can easily search dselect for appropriate packages.  If they
don't need NFS, they don't necessarily know it, and don't necessarily
know that they need to disable or uninstall packages to get rid of it.
I think this is really a better way to go.


| Web: http://web.morgul.net/~frodo/
| PGP Public Key: http://web.morgul.net/~frodo/mail.html 

Attachment: pgpw7aB7Dn6bG.pgp
Description: PGP signature

Reply to: