Pat wrote:
There are a few security issues I have noticed about debian's installation. 1) No firewall setup during the install process, as it would be a simple matter to run lokkit at the end of the install I fail to see why this is not done. 2) Rpfilter and tcp syncookies are not enabled by default. Again this is a simple correction, and indeed has been mentioned in several open source linux guides for years. 3) Do we really need portmap, inetd, or nfs running by default on our workstations?
1: Why on earth would anyone want to have a set of arbitrary restrictions applied onto a system without making informed choices, and understanding what they are doing? If you want to run "lokkit" (or whichever other widget you like) you run it, but don't try to force it on everyone (and especially not on me).
2: rp_filter is designed to be run on stub routers, and single-homed hosts.Many debian installations don't fall into this category (see any server in an environment with management & production networks). This certainly shouldn't ever be the default. Again, if you want it, you run it. I certainly don't want it.
From the kernel documentation (2.6.20.1): "syncookies seriously violate TCP protocol". Great. Just what we need, make a system that's non compliant with TCP. This, again, should never be the default.
Seriously, what do you think these things are protecting you against?3: They're not running in my base install. You must have put in packages that depend upon them.
-- ian