Re: secure installation
There are a few security issues I have noticed about debian's
1) No firewall setup during the install process, as it would be a simple
matter to run lokkit at the end of the install I fail to see why this is
2) Rpfilter and tcp syncookies are not enabled by default. Again this is a
simple correction, and indeed has been mentioned in several open source
linux guides for years.
3) Do we really need portmap, inetd, or nfs running by default on our
1: Why on earth would anyone want to have a set of arbitrary
restrictions applied onto a system without making informed choices, and
understanding what they are doing? If you want to run "lokkit" (or
whichever other widget you like) you run it, but don't try to force it
on everyone (and especially not on me).
2: rp_filter is designed to be run on stub routers, and single-homed hosts.
Many debian installations don't fall into this category (see any server
in an environment with management & production networks). This
certainly shouldn't ever be the default. Again, if you want it, you run
it. I certainly don't want it.
From the kernel documentation (220.127.116.11): "syncookies seriously violate
Great. Just what we need, make a system that's non compliant with TCP.
This, again, should never be the default.
Seriously, what do you think these things are protecting you against?
3: They're not running in my base install. You must have put in packages
that depend upon them.