On Tue, Jun 19, 2001 at 08:56:51AM -0400, Stuart Krivis wrote:
> > Why not? You've not given any reason at all. Do you know of any
> > malicious behavior that is made possible by leaving the services turned
> > on? The potential exists to use the chargen feature as a part of a DoS
> >
> That's completely the wrong way to look at it. You should be saying, "Do I
> need this for anything?" If you don't need it, then turn it off.

Sure, but my original post was in response to us having the simple
services turned on *by default* on new installations. If we're going to
leave stuff like portmap and the NFS client daemons on by default then
we're already committing a worse crime than leaving the simple services on.

> > Really I'm just playing devil's advocate here. I don't care if they're
> > turned off or not. I've just never seen any evidence that there's any
> > reason for concern over them.
>
> You should care. If it isn't running, you have one less thing to worry
> about.

I do care. I often disable inetd completely, if the server in question
doesn't need any of what it offers. But again, what I was talking about
previously was the installation defaults. Tim Haynes was saying that he
certainly hoped that the simple services were not turned on by default in
unstable. I wasn't recommending to anybody to *leave* them on if they
don't need them. But by default we've always left everything turned on
unless there was some major configuration or whatever that needed to be
done in order for the service to be used at all.

Personally, I don't care if something is turned on by default or not. If
I need it, and it's on by default, I'll leave it on. If it's not on, I'll
turn it on. If I don't need it I'll turn it off.

I do think it's worth discussing whether the policy should be "on by
default" or "off by default". Not just for the simple services, but for
all services that get installed. Which option leaves more work to be done
by the admin?

In the current "on by default" state, you install a new system and go
through /etc/rc?.d/ and /etc/inetd.conf and turn off things that you
don't need, or uninstall them completely. Is that less time consuming for
the admin than requiring them to go over the same directories and files
and explicitly enable the services they want? I am not sure, but I expect
it might not be.

And I know it would be safer to leave services off by default. There are
a lot of incompetent admins out there, and while "off by default" might
generate a bit more traffic on -user, it is likely to save some of them
some major grief.

noah

--
 _______________________________________________________
| Web: http://web.morgul.net/~frodo/
| PGP Public Key: http://web.morgul.net/~frodo/mail.html
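
Added example, not part of the original message or of any Debian tooling: a sketch of the "go through /etc/inetd.conf and turn off what you don't need" pass described above, limited to the simple services that inetd serves itself (server program `internal`). The function names and the sample configuration are constructed for illustration; on a real system the functions would read /etc/inetd.conf on stdin.

```shell
#!/bin/sh
# Constructed sample in the classic inetd.conf layout:
# service  socket-type  protocol  wait-flag  user  server-program  [args]
sample_inetd_conf() {
cat <<'EOF'
# /etc/inetd.conf (constructed sample)
echo      stream  tcp  nowait  root  internal
echo      dgram   udp  wait    root  internal
chargen   stream  tcp  nowait  root  internal
#discard  stream  tcp  nowait  root  internal
daytime   stream  tcp  nowait  root  internal
ftp       stream  tcp  nowait  root  /usr/sbin/tcpd  /usr/sbin/in.ftpd
EOF
}

# List enabled entries that inetd handles itself (sixth field "internal"),
# printed as service/protocol. Commented-out and short lines are skipped.
list_enabled_internal() {
    awk 'NF >= 6 && $1 !~ /^#/ && $6 == "internal" { print $1 "/" $3 }'
}

# Emit the same configuration with those entries commented out and every
# other line unchanged, so the result can be diffed against the original.
disable_internal() {
    awk 'NF >= 6 && $1 !~ /^#/ && $6 == "internal" { print "#" $0; next }
         { print }'
}

# List everything still enabled, i.e. what the host would offer afterwards.
list_enabled_all() {
    awk 'NF >= 6 && $1 !~ /^#/ { print $1 "/" $3 }'
}

echo "Enabled internal services:"
sample_inetd_conf | list_enabled_internal
echo "Still enabled after disabling them:"
sample_inetd_conf | disable_internal | list_enabled_all
```

inetd only rereads its configuration when told to, so an edited file takes effect after the daemon is reloaded.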