Re: rlinetd security
Tim Haynes <debian@stirfried.vegetable.org.uk> writes:
> "Noah L. Meyerhans" <frodo@morgul.net> writes:
>
> And let's not forget that plenty enough people don't know all 3 obvious
> commands for finding a process responsible for a given listener, or don't
> have `head /etc/services` in short-term memory, or why 53/tcp is a Bad
> Thing, etc...
Just a minor nit: 53/tcp is *not* inherently bad. Blocking it breaks some
DNS functionality.
> Yes. I've seen the question `should one aim for secure by default?' before
> and never made up my mind; there is a `false complacency' argument to be
> wary of, of course, but I'm now pretty much decided that one should aim for
> as secure as possible if only to stop things spreading through people's
> incompetence.
I agree with this. Sysadmins should also be wary of legacy services that
"have always been there" in Unix. A lot of that cruft follows us around
just by tradition.
What I would really like Debian to do when installing services is to *not*
start them by default. Just install all the files, but make init scripts
not run unless edited.
-sami.