RE: Debian 2.2 and security - SecurityPortal article
> ----------
> From: Thomas Guettler[SMTP:guettli@interface-business.de]
> Reply To: Thomas Guettler
> Sent: Wednesday, August 30, 2000 8:47 AM
> To: debian-user@lists.debian.org
> Cc: seifried@securityportal.com
> Subject: Re: Debian 2.2 and security - SecurityPortal article
>
> On Wed, Aug 30, 2000 at 11:55:57AM +0200, Leszek Gerwatowski wrote:
> > On SecurityPortal there is an article about Debian 2.2 security:
> >
> > http://www.securityportal.com/closet/closet20000830.html
> >
> > Just read it and tell me what you think about it.
>
> The author (Kurt Seifried) makes the newbie believe Debian 2.2
> is not secure, but you should look at it more closely.
>
>
> quote: "The next default that really ticks me off is the password
> encryption scheme - the default is to use crypt."
>
> Half a year ago I installed debian-potato and I had never heard of MD5 before,
> but the displayed text informed me very well on what to choose. If you are
> too lazy to read these lines, you shouldn't try to set up a secure system.
> BTW, potato stores passwords in /etc/shadow, so that you need to be root
> to read the encrypted passwords (unless you use NIS).
>
>
> quote: "Discard, daytime, time, shell, login, and exec (r services) are all
> enabled by default"
>
> The first three are enabled, but I think that is no security problem.
> But shell, login, exec are not enabled, at least on my system.
> Does someone have a fresh installation to tell us what the default is?
>
I did an install a few days ago. The "r" utilities were
not even installed. You have to go after them specifically
to get them. If you install them, they are enabled...
I forget which profile I used. I'm not sure if the "r"
utilities are in any of them. Debian strongly suggests
ssh instead...
jim
> The gnuplot and exim paragraphs can be ignored.
>
>
> dpkg && pgp: Can say something about this.
>
>
> Home directories world-readable by default: I have nothing to hide.
> If I had something to hide I would use encryption and not
> chmod. I work together with the other users; I want them to see my
> work and I want to see theirs.
>
>
> LILO problem: if you have physical access to the machine, you can
> boot from a rescue disk and get root every time (unless you use
> an encrypted filesystem).
>
>
> Complaint about old Apache, ProFTPD: if you always want the latest
> fixes, you need to get the stuff from the sources (e.g. www.apache.org).
>
> quote:
> "Debian's goal of a bug-free release hasn't been met. But to be fair,
> it's not like any software vendor will ever release bug-free software.
> Debian has done a particularly bad job in my opinion, shipping
> out-of-date software and especially publicly available network daemons
> that have root hacks in them."
>
> Bug-free can mean both: security-bug-free and stability-bug-free.
> Install OpenBSD if you are paranoid about security.
>
>
>
> --
> Thomas Guettler
> Office: <guettli_NoSpam_interface-business.de> www.interface-business.de
> Private:<guettli_NoSpam_gmx.de> http://yi.org/guettli
> (Replace _NoSpam_ with @)
>
>
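The inetd defaults argued over in this thread can be checked rather than guessed. What follows is an added example, not code from the list thread, from Kurt Seifried's article or from Debian: a small POSIX sh audit that reads an inetd.conf, lists the services that are actually enabled (lines inetd does not treat as comments) and flags the ones the article names. The inetd.conf contents are constructed for the example and do not reflect any particular potato install.

```shell
#!/bin/sh
# Added example (not from the list thread or from Debian): audit an
# inetd.conf for services that are actually enabled.  A service is enabled
# when its line is not commented out; inetd ignores '#' lines entirely.

# Constructed sample inetd.conf for this example; it is NOT a real potato
# default and exists only so the script runs offline.
SAMPLE_INETD_CONF=$(mktemp)
trap 'rm -f "$SAMPLE_INETD_CONF"' EXIT
cat > "$SAMPLE_INETD_CONF" <<'EOF'
# constructed sample, not a real /etc/inetd.conf
#:INTERNAL: Internal services
#echo    stream  tcp  nowait  root  internal
discard  stream  tcp  nowait  root  internal
daytime  stream  tcp  nowait  root  internal
time     stream  tcp  nowait  root  internal
#:STANDARD: These are standard services.
#shell   stream  tcp  nowait  root  /usr/sbin/tcpd  /usr/sbin/in.rshd
#login   stream  tcp  nowait  root  /usr/sbin/tcpd  /usr/sbin/in.rlogind
#exec    stream  tcp  nowait  root  /usr/sbin/tcpd  /usr/sbin/in.rexecd
ftp      stream  tcp  nowait  root  /usr/sbin/tcpd  /usr/sbin/in.ftpd
EOF

# enabled_services FILE
# Print the service name (first field) of every active entry, one per line.
# Comment lines (leading '#', with or without whitespace) and anything with
# fewer than the six fields inetd requires are skipped.
enabled_services() {
    awk '!/^[[:space:]]*#/ && NF >= 6 { print $1 }' "$1"
}

# risky_enabled FILE
# Print the enabled services the SecurityPortal article objects to (the
# r-services plus the "internal" test services).  Exit status is 1 if any
# were found and 0 if the file is clean, so it can be used directly in an if.
risky_enabled() {
    found=0
    for svc in $(enabled_services "$1"); do
        case "$svc" in
            shell|login|exec|discard|daytime|time|echo|chargen)
                echo "$svc"
                found=1
                ;;
        esac
    done
    return $found
}

# Stand-alone run: report on the constructed sample.
echo "enabled services in $SAMPLE_INETD_CONF:"
enabled_services "$SAMPLE_INETD_CONF"
echo "flagged:"
if risky_enabled "$SAMPLE_INETD_CONF"; then
    echo "(none)"
fi
```

On a real system point enabled_services at /etc/inetd.conf instead of the sample. The script only covers services started through inetd; daemons started from init scripts (sshd, Apache, ProFTPD) are not in that file and need a separate look, for example at what is listening with netstat. On Debian a flagged service is turned off with update-inetd --disable NAME, which comments the line out, after which inetd has to be told to reread its configuration.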