[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: secure installation

On Fri, Aug 17, 2007 at 12:24:27AM +0200, Izak Burger wrote:
> On 8/16/07, Jack T Mudge III <jakykong@theanythingbox.com> wrote:
> > My personal view is that there are plenty of simpler distributions out there,
> > knoppix for first-time users, Ubuntu/Suse for novices, and RedHat for people
> > who need hand-holding. Debian is primarily for advanced users, and for users
> > who have someone looking over their shoulder. We shouldn't over-simplify
> > debian so that users not in it's target audience can use it.
> I like your viewpoint.  I was just trying to remember exactly what is
> open to the world on a brand new ubuntu installation, but I haven't
> done a new install in a while so this is up to memory.  I know there
> is no MTA.  There is also no sshd or portmap.  Not even an inetd.  It
> will however respond if you ping it.  Now THAT is the sort of thing I
> like.  Secure out of the box.

You'll find that a simple default Debian installation of etch is not really
that exposed:

- exim MTA configured to loopback only
- portmap installed, open to the world, but can be configured for loopback
- identd installed, but with no services which makes it not run at all
  (unless you install some other inetd services that is).
- sshd (server) not installed by default

Portmap is needed for NFS support out of the box and, IIRC, for GNOME's
fam but can easily be configured to be loopback-only.

Ubuntu decided on a "no open ports" policy [0] in their first releases (which
was a very good choice, if you ask me). They did *not* drop portmap initially
(FAM depended on it) but they made it not listen to the network as the user
segment they were catering for (desktop-oriented users) doesn't need or use
NFS, at least not all of them (see [1]
https://bugs.launchpad.net/ubuntu/+source/portmap/+bug/50558). Also, in 
earlier releases (5.x) an MTA (Postfix) was included.

Later releases (6.06) dropped portmap altogether. But the latest release
(6.10) [2] installs Avahi (mDNS) open to the world, they decided to do this
due to the features it provided (Zeroconf) and after making sure it had been
properly audited.

However, there have been more Avahi vulnerabilities (3 DoS and 1 remote BoF
since 2006) than there have been in Wietse Venema's portmap's (1 DOS
vulnerability in 1998). 

I do not want to get into a flamewar on who's more secure, those are just the
facts. I just want to show how design decisions affect the selection of the
default install software. Debian caters to a larger population than Ubuntu's
which means that Ubuntu developers can be more restrictive on what they
put on the default installation. 

BTW, The reason that Debian's portmap can now be bound only to the loopback
interface in Desktop environments (if configured to do so) is that we merged
in a patch from Ubuntu that did this precisely.



[0] https://wiki.ubuntu.com/DefaultNetworkServices
[1] https://bugs.launchpad.net/ubuntu/+source/portmap/+bug/50558
[2] https://help.ubuntu.com/community/HowToZeroconf

Attachment: signature.asc
Description: Digital signature

Reply to: