
RE: Debian 2.2 and security - SecurityPortal article




> ----------
> From: 	Thomas Guettler[SMTP:guettli@interface-business.de]
> Reply To: 	Thomas Guettler
> Sent: 	Wednesday, August 30, 2000 8:47 AM
> To: 	debian-user@lists.debian.org
> Cc: 	seifried@securityportal.com
> Subject: 	Re: Debian 2.2 and security - SecurityPortal article
> 
> On Wed, Aug 30, 2000 at 11:55:57AM +0200, Leszek Gerwatowski wrote:
> > On SecurityPortal there is an article about Debian 2.2 security:
> > 
> > http://www.securityportal.com/closet/closet20000830.html
> > 
> > Just read it and tell me what you think about it.
> 
> The author (Kurt Seifried) makes the newbie believe Debian 2.2
> is not secure, but you should look at it more closely.
> 
> 
> quote: "The next default that really ticks me off is the password
> encryption scheme - the default is to use crypt."
> 
> A half year ago I installed debian-potato and I had never heard of MD5 before,
> but the displayed text informed me very well on what to choose. If you are
> too lazy to read these lines, you shouldn't try to set up a secure system.
> BTW, potato stores passwords in /etc/shadow, so that you need to be root
> to read the encrypted passwords (unless you use NIS).
> 
> 
> quote: "Discard, daytime, time, shell, login, and exec (r services) are
> all enabled by default"
> 
> The first three are enabled, but I think that is no security problem.
> But shell, login and exec are not enabled, at least on my system.
> Does someone have a fresh installation and can tell us what the default is?
> 
I did an install a few days ago.  The "r" utilities were
not even installed.  You have to go after them specifically
to get them.  If you install them, they are enabled...
I forget which profile I used.  I'm not sure if the "r"
utilities are in any of them.  Debian strongly suggests
ssh instead...

jim

> The gnuplot and exim paragraphs can be ignored.
> 
> 
> dpkg && pgp: Can say something about this. 
> 
> 
> Home directories world-readable by default: I have nothing to hide.
> If I had something to hide I would use encryption and not
> chmod. I work together with the other users, I want them to see my
> work and I want to see theirs.
> 
> 
> LILO problem: If you have physical access to the machine, you can
> boot from a rescue disk and get root every time (unless you use
> an encrypted filesystem).
> 
> 
> Complaint about old Apache, ProFTP: If you always want the latest
> fixes, you need to get the stuff from the sources (e.g. www.apache.org).
> 
> quote: "Debian's goal of a bug-free release hasn't been met.
> But to be fair, it's not like any software vendor will ever release
> bug-free software. Debian has done a particularly bad job in my opinion,
> shipping out-of-date software and especially publicly available network
> daemons that have root hacks in them."
> 
> Bug-free can mean both: Security-bug-free and Stability-bug-free. 
> Install OpenBSD if you are paranoid about security.
> 
> 
> 
> -- 
> Thomas Guettler
> Office: <guettli_NoSpam_interface-business.de> www.interface-business.de
> Private:<guettli_NoSpam_gmx.de>  http://yi.org/guettli
> (Replace _NoSpam_ with @)
> 
> 



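The two points the thread disputes (which of the article's inetd services are actually active on a given potato box, and whether MD5 or crypt was picked at install time) can be read straight from /etc/inetd.conf and /etc/shadow. The script below is an added example, not code from either poster or from Debian; it assumes potato's inetd-style configuration and shadow passwords, and runs on constructed sample input.

```shell
#!/bin/sh
# Added example (not code from the thread): checks the two potato defaults
# argued about above, which of the article's six inetd services are active
# and whether /etc/shadow entries use MD5 or classic DES crypt.
SUSPECT_SERVICES="discard daytime time shell login exec"   # the article's list

# Read an inetd.conf on stdin; print each suspect service with an active
# line. '#' lines, including Debian's "#<off># name ..." form, are disabled.
enabled_services() {
    awk -v list="$SUSPECT_SERVICES" '
        BEGIN { n = split(list, want, " ") }
        /^[ \t]*#/ { next }
        NF > 0 { seen[$1] = 1 }
        END { for (i = 1; i <= n; i++) if (want[i] in seen) print want[i] }'
}

# Classify one shadow password field: md5 ("$1$salt$hash", the installer's
# MD5 option), des-crypt (13-char crypt(3), 8-char password limit),
# disabled (empty, '*', '!...'), or unknown.
hash_scheme() {
    case "$1" in
        '$1$'*)      echo md5 ;;
        ''|'*'|'!'*) echo disabled ;;
        *) if [ "${#1}" -eq 13 ] && printf '%s' "$1" | grep -q '^[./0-9A-Za-z]*$'
           then echo des-crypt; else echo unknown; fi ;;
    esac
}

# Read shadow-format lines on stdin; print "user:scheme" for every account
# whose hash is neither MD5 nor disabled.
weak_hash_accounts() {
    while IFS=: read -r user hash rest; do
        scheme=$(hash_scheme "$hash")
        case "$scheme" in
            md5|disabled) ;;
            *) printf '%s:%s\n' "$user" "$scheme" ;;
        esac
    done
}
# Constructed sample input in potato's file layout; the hashes are made up.
SAMPLE_INETD='discard stream tcp nowait root internal
daytime stream tcp nowait root internal
time    stream tcp nowait root internal
#<off># shell stream tcp nowait root /usr/sbin/tcpd /usr/sbin/in.rshd
#exec   stream tcp nowait root /usr/sbin/tcpd /usr/sbin/in.rexecd'
SAMPLE_SHADOW='root:$1$abcdefgh$ABCDEFGHIJKLMNOPQRSTU/:11200:0:99999:7:::
alice:ab0Hr8X9pQzLm:11200:0:99999:7:::
daemon:*:11200:0:99999:7:::'
printf '%s\n' "$SAMPLE_INETD" | enabled_services      # discard daytime time
printf '%s\n' "$SAMPLE_SHADOW" | weak_hash_accounts   # alice:des-crypt
```

On a real system, feed the functions `< /etc/inetd.conf` and (as root) `< /etc/shadow` instead of the sample variables.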