Re: secure installation
1) What if someone (and I am sure it happens more often than you may
realize) who is clueless about computers decides to download Debian,
installs it, get hacked, trojaned horsed, their credit cards numbers
It is called responsibility, and we cannot blame it on them for
knowing nothing, we can't all be computer security experts. In
addition you have the option within lokkit to select "no firewall" if
that is what you really want, so it seem to leave freedon of choice as
to how to use your computer enabled, along with the option to
uninstall it completely.
2) rp_filter provides protection against ip address spoofing which
most machines not otherwise protected by a firewall need. again, you
would have the same option to turn if off if you feel you do not need
Tcp syncookies provide protection against some DDOS attacks, and
truthfully we all know tcp is broken, so who cares if it violates
3) All I have installed is the "base" package, Xwindows, and a desktop.
On 8/15/07, Ian McDonald <firstname.lastname@example.org> wrote:
> Pat wrote:
> > There are a few security issues I have noticed about debian's
> > installation.
> > 1) No firewall setup during the install process, as it would be a simple
> > matter to run lokkit at the end of the install I fail to see why this is
> > not
> > done.
> > 2) Rpfilter and tcp syncookies are not enabled by default. Again this is
> > simple correction, and indeed has been mentioned in several open source
> > linux guides for years.
> > 3) Do we really need portmap, inetd, or nfs running by default on our
> > workstations?
> 1: Why on earth would anyone want to have a set of arbitrary
> restrictions applied onto a system without making informed choices, and
> understanding what they are doing? If you want to run "lokkit" (or
> whichever other widget you like) you run it, but don't try to force it
> on everyone (and especially not on me).
> 2: rp_filter is designed to be run on stub routers, and single-homed hosts.
> Many debian installations don't fall into this category (see any server
> in an environment with management & production networks). This
> certainly shouldn't ever be the default. Again, if you want it, you run
> it. I certainly don't want it.
> From the kernel documentation (126.96.36.199): "syncookies seriously violate
> TCP protocol".
> Great. Just what we need, make a system that's non compliant with TCP.
> This, again, should never be the default.
> Seriously, what do you think these things are protecting you against?
> 3: They're not running in my base install. You must have put in packages
> that depend upon them.