
Re: secure installation



Pat wrote:
 There are a few security issues I have noticed about Debian's
 installation.
 1) No firewall setup during the install process, as it would be a simple
 matter to run lokkit at the end of the install I fail to see why this is
 not done.
 2) Rpfilter and tcp syncookies are not enabled by default. Again, this is a
 simple correction, and indeed has been mentioned in several open source
 Linux guides for years.
 3) Do we really need portmap, inetd, or nfs running by default on our
 workstations?


1: Why on earth would anyone want to have a set of arbitrary restrictions applied onto a system without making informed choices, and understanding what they are doing? If you want to run "lokkit" (or whichever other widget you like) you run it, but don't try to force it on everyone (and especially not on me).

2: rp_filter is designed to be run on stub routers, and single-homed hosts. Many Debian installations don't fall into this category (see any server in an environment with management & production networks). This certainly shouldn't ever be the default. Again, if you want it, you run it. I certainly don't want it.

From the kernel documentation (2.6.20.1): "syncookies seriously violate TCP protocol". Great. Just what we need, make a system that's non-compliant with TCP. This, again, should never be the default.

Seriously, what do you think these things are protecting you against?

3: They're not running in my base install. You must have put in packages that depend upon them.


--
ian
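
The following is an added example, not part of the message above or of Debian's installer: a shell audit that reports the effective rp_filter mode per interface and the tcp_syncookies value, and flags strict reverse-path filtering on a host with more than one non-loopback interface. It assumes current kernel semantics (the larger of conf/all and conf/<iface> applies; 0 = off, 1 = strict, 2 = loose), and the function names, the PROC_SYS override and the interface-count heuristic for "multi-homed" are this example's own.

```shell
#!/bin/sh
# Added example: audit the two sysctls discussed in this thread.
# PROC_SYS is an assumption of this example; it lets the check run
# against a constructed directory tree instead of the live /proc/sys.
PROC_SYS="${PROC_SYS:-/proc/sys}"

# Effective rp_filter for one interface: on current kernels the larger of
# conf/all and conf/<iface> is used (0 = off, 1 = strict, 2 = loose).
effective_rp_filter() {
    all=$(cat "$PROC_SYS/net/ipv4/conf/all/rp_filter" 2>/dev/null || echo 0)
    ifc=$(cat "$PROC_SYS/net/ipv4/conf/$1/rp_filter" 2>/dev/null || echo 0)
    if [ "$all" -gt "$ifc" ]; then echo "$all"; else echo "$ifc"; fi
}

# Print one line per non-loopback interface, the syncookies value,
# and a verdict line. Counting interfaces is only a coarse stand-in
# for "multi-homed": it also counts interfaces that are down.
audit_net_hardening() {
    count=0; strict=0
    for dir in "$PROC_SYS"/net/ipv4/conf/*/; do
        [ -d "$dir" ] || continue
        name=$(basename "$dir")
        case "$name" in all|default|lo) continue ;; esac
        mode=$(effective_rp_filter "$name")
        count=$((count + 1))
        [ "$mode" -eq 1 ] && strict=$((strict + 1))
        echo "iface=$name rp_filter=$mode"
    done
    echo "tcp_syncookies=$(cat "$PROC_SYS/net/ipv4/tcp_syncookies" 2>/dev/null || echo unknown)"
    if [ "$count" -gt 1 ] && [ "$strict" -gt 0 ]; then
        # Strict mode drops packets whose return route uses another
        # interface, which is the management/production case above.
        echo "verdict=review: strict rp_filter with several interfaces"
    else
        echo "verdict=no-conflict"
    fi
}

audit_net_hardening
```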


