
Re: services installed and running "out of the box"



On Wed, Sep 24, 2003 at 03:59:28PM -0400, Noah L. Meyerhans wrote:
> > 
> > What about a package like the harden-* package, but one that conflicts
> > with packages that are pointless for a client/desktop system?
> 
> Unless such a package is part of the standard installation, it's really
> of no use.  The original poster specifically mentioned the "default
> debian install".

Including harden-servers ('Avoid servers that are known to be insecure') in
'standard' or higher priority would be a contradiction, since it would
conflict with packages in the same priority.

> 
> Personally, I think we really do need to reduce the number of open ports
> by default.  Even Redhat has learned to do this, and Microsoft is
> quickly learning (the hard way, of course).  It's quickly becoming best
> practice for operating system vendors.

Well, Debian is doing this in every release: default installations end up
with fewer services by default, and the configuration of services is usually
secure and bare minimum (for example, X will not listen on the network,
Postgres will not accept anything other than local connections, etc.).

> 
> For starters, I think portmap, rpc.statd, and inetd should not run by
> default.  Not running a mail server (or perhaps only running one on the
> loopback interface) would be nice, too.

A mail server is needed, since many programs (cron or checksecurity, for
example) make use of it to forward information to the administrator.
However, a loopback-only configuration would be nice, and has already been
requested. See bug #170451; if someone provided a patch for it, it might be
implemented faster. Also notice that, IIRC, exim4's configuration will
probably be loopback-only in a default installation (but I have not tested
this).

> 
> Users that need these services know it.  Users that don't shouldn't be
> bothered by them, whether that be to turn them off or to get compromised
> due to some newly discovered vulnerability.

There are some services that are either expected by the user or the system
itself (mail is one of them). The problem here is defining what a
"standard" user is (or wants installed). 

Regards

Javi
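The point argued in this thread is that a default install should expose as few listening services as possible, with things like the MTA bound to loopback only. The script below is an added example, not part of the mail or of any Debian package: it takes listener lines in the layout printed by `ss -ltun` (header stripped), and reports every socket bound to something other than a loopback address. The listener table embedded in it is constructed for the example, not captured from a real host.

```shell
#!/bin/sh
# Added example (not from the original mail): report services that listen on
# non-loopback addresses, given listener lines in "ss -ltun" layout:
#   proto state recv-q send-q local-address:port peer-address:port
# SAMPLE_LISTENERS is a constructed table for offline use, not real output.
SAMPLE_LISTENERS='tcp LISTEN 0 4096 0.0.0.0:111 0.0.0.0:*
tcp LISTEN 0 20 127.0.0.1:25 0.0.0.0:*
tcp LISTEN 0 128 *:6000 *:*
tcp LISTEN 0 244 [::1]:5432 [::]:*
tcp LISTEN 0 4096 [::]:22 [::]:*
udp UNCONN 0 0 0.0.0.0:111 0.0.0.0:*'

# is_loopback ADDR: succeed (0) when ADDR, without its port, is a loopback
# address as ss prints it (127.x.x.x, [::1], ::1 or localhost).
is_loopback() {
  case "$1" in
    127.*|'[::1]'|'::1'|localhost) return 0 ;;
    *) return 1 ;;
  esac
}

# exposed_listeners TABLE: print "proto port address" for each listener in
# TABLE that is bound to a non-loopback address (wildcards such as 0.0.0.0,
# [::] and * count as exposed). Blank lines are ignored.
exposed_listeners() {
  printf '%s\n' "$1" | while read -r proto state rq sq local peer; do
    [ -z "$proto" ] && continue
    port=${local##*:}      # text after the last colon is the port
    addr=${local%:*}       # everything before it is the address
    if ! is_loopback "$addr"; then
      printf '%s %s %s\n' "$proto" "$port" "$addr"
    fi
  done
}

# count_exposed TABLE: number of non-loopback listeners in TABLE.
count_exposed() {
  exposed_listeners "$1" | wc -l | tr -d ' '
}

# On a live Debian host you would feed it real data instead, e.g.:
#   exposed_listeners "$(ss -ltun | tail -n +2)"
exposed_listeners "$SAMPLE_LISTENERS"
```

In the constructed table the loopback-only MTA (port 25 on 127.0.0.1) and Postgres ([::1]:5432) are silent, while portmap (111 on tcp and udp), X (6000) and ssh (22) are reported, which is exactly the list a default-install audit should produce as empty or near-empty. As a side note not taken from the mail: in current Debian releases the exim4 Debconf configuration writes `dc_local_interfaces='127.0.0.1 ; ::1'` to /etc/exim4/update-exim4.conf.conf for the "local delivery only" choice, which is the loopback-only setup Javi describes.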
