
Re: rlinetd security

sami@juvonen.org (Sami J. Juvonen) writes:

> Tim Haynes <debian@stirfried.vegetable.org.uk> writes:
> > "Noah L. Meyerhans" <frodo@morgul.net> writes:
> > 
> > And let's not forget that plenty enough people don't know all 3 obvious
> > commands for finding a process responsible for a given listener, or
> > don't have `head /etc/services` in short-term memory, or why 53/tcp is
> > a Bad Thing, etc...
> Just a minor nit: 53/tcp is *not* inherently bad. Blocking it breaks some
> DNS functionality.

What's more likely, that you're going to want the world and his dog to xfer
your zones and return result sets >512 bytes, or that some schmuck is going
to scan you for the port and attempt to exploit it? Bear in mind that bind
in Debian does not get chrooted by default (IIRC it doesn't even -u, does
it?), so the "just install it from distro defaults and leave it dangling"
line makes for horrible insecurity.

FWIW I heard recently[i] that djbdns never needs TCP. Maybe this is by
implementing a subset of `DNS functionality' - quite possibly so; but if
so, non-TCP DNS is something with which I'm happy to live for the most
part. Obviously, if I'm setting up a nameserver, it's a different kettle of
fish - I know a little stuff there, and am content that others should have
to RTBdocs to get to the same stage, if it means there are fewer insecure
boxes out there attempting to crack me.

> > Yes. I've seen the question `should one aim for secure by default?' 
> > before and never made up my mind; there is a `false complacency'
> > argument to be wary of, of course, but I'm now pretty much decided that
> > one should aim for as secure as possible if only to stop things
> > spreading through people's incompetence.
> I agree with this. Sysadmins should also be wary of legacy services that
> "have always been there" in Unix. A lot of that cruft follows us around
> just by tradition.


> What I would really like Debian to do when installing services is to
> *not* start them by default. Just install all the files, but make init
> scripts not run unless edited.

I dunno about `unless edited'; having a variety of ways to disable things
is obviously a blessing, but it's a bit perverse when you have update-rc.d
to do the job, to go around putting `exit 0' at the top of scripts for
folks to find, IMHO.


[i]  For obvious reasons, I never expect to have to find out the hard way.

A big sky above me,                         |piglet@stirfried.vegetable.org.uk
West winds blow.                            |http://spodzone.org.uk/
