Re: rlinetd security

To: sami@juvonen.org (Sami J. Juvonen)
Cc: debian@stirfried.vegetable.org.uk, "Noah L. Meyerhans" <frodo@morgul.net>, Debian Security List <debian-security@lists.debian.org>
Subject: Re: rlinetd security
From: Tim Haynes <debian@stirfried.vegetable.org.uk>
Date: 19 Jun 2001 21:36:21 +0100
Message-id: <[🔎] 86zob4tdfe.fsf@potato.vegetable.org.uk>
Reply-to: debian@stirfried.vegetable.org.uk
In-reply-to: <[🔎] 87y9qo6xmz.fsf@kampela.juvonen.org> (sami@juvonen.org's message of "19 Jun 2001 13:08:20 -0700")
References: <[🔎] 20010618134850.G1282@morgul.net> <[🔎] 166780000.992955411@kleenex> <[🔎] 20010619105847.B22841@morgul.net> <[🔎] 86d780wlhc.fsf@potato.vegetable.org.uk> <[🔎] 87y9qo6xmz.fsf@kampela.juvonen.org>

sami@juvonen.org (Sami J. Juvonen) writes:

> Tim Haynes <debian@stirfried.vegetable.org.uk> writes:
> 
> > "Noah L. Meyerhans" <frodo@morgul.net> writes:
> > 
> > And let's not forget that plenty enough people don't know all 3 obvious
> > commands for finding a process responsible for a given listener, or
> > don't have `head /etc/services` in short-term memory, or why 53/tcp is
> > a Bad Thing, etc...
> 
> Just a minor nit: 53/tcp is *not* inherently bad. Blocking it breaks some
> DNS functionality.

What's more likely, that you're going to want the world and his dog to xfer
your zones and return result sets >512 bytes, or that some schmuck is going
to scan you for the port and attempt to exploit it? Bear in mind that bind
in Debian does not get chrooted by default (IIRC it doesn't even -u, does
it?), so the "just install it from distro defaults and leave it dangling"
line makes for horrible insecurity.

FWIW I heard recently[i] that djbdns never needs TCP. Maybe this is by
implementing a subset of `DNS functionality' - quite possibly so; but if
so, non-TCP DNS is something with which I'm happy to live for the most
part. Obviously, if I'm setting up a nameserver, it's a different kettle of
fish - I know a little stuff there, and am content that others should have
to RTBdocs to get to the same stage, if it means there are fewer insecure
boxes out there attempting to crack me.

> > Yes. I've seen the question `should one aim for secure by default?' 
> > before and never made up my mind; there is a `false complacency'
> > argument to be wary of, of course, but I'm now pretty much decided that
> > one should aim for as secure as possible if only to stop things
> > spreading through people's incompetance.
> 
> I agree with this. Sysadmins should also be vary of legacy services that
> "have always been there" in Unix. A lot of that cruft follows us around
> just by tradition.

<nod>.

> What I would really like Debian to do when installing services is to
> *not* start them by default. Just install all the files, but make init
> scripts not run unless edited.

I dunno about `unless edited'; having a variety of ways to disable things
is obviously a blessing, but it's a bit perverse when you have update-rc.d
to do the job, to go around putting `exit 0' at the top of scripts for
folks to find, IMHO.

~Tim

Footnotes: 
[i]  For obvious reasons, I never expect to have to find out the hard way.

-- 
A big sky above me,                         |piglet@stirfried.vegetable.org.uk
West winds blow.                            |http://spodzone.org.uk/

Reply to:

Follow-Ups:
- Re: rlinetd security
  - From: Jamie Heilman <jamie@audible.transient.net>

References:
- Re: rlinetd security
  - From: Noah Meyerhans <noahm@debian.org>
- Re: rlinetd security
  - From: Stuart Krivis <ipswitch@apk.net>
- Re: rlinetd security
  - From: "Noah L. Meyerhans" <frodo@morgul.net>
- Re: rlinetd security
  - From: Tim Haynes <debian@stirfried.vegetable.org.uk>
- Re: rlinetd security
  - From: sami@juvonen.org (Sami J. Juvonen)

Prev by Date: Basic question about ipchains being useful
Next by Date: Re: rlinetd security
Previous by thread: Re: rlinetd security
Next by thread: Re: rlinetd security
Index(es):
- Date
- Thread