
Re: Debian 2.2 and security - SecurityPortal article



Thomas Guettler <guettli@interface-business.de> writes:

> On Wed, Aug 30, 2000 at 11:55:57AM +0200, Leszek Gerwatowski wrote:
> > On SecurityPortal there is an article about Debian 2.2 security:
> > 
> > http://www.securityportal.com/closet/closet20000830.html
> 
> The author (Kurt Seifried) makes the newbie believe Debian 2.2
> is not secure, but you should look at it more closely.
> [snip]
> The first three are enabled, but I think that is no security problem.
> But shell, login and exec are not enabled, at least on my system.
> Does someone have a fresh installation to tell us what the default is?

Not quite fresh, but after I purged pump, ftp, telnet, ppp, pppconfig
and pcmcia-cs from the base install, the only things enabled in my
/etc/inetd.conf are: discard (tcp/udp), daytime (tcp) and time (tcp).

Edited /etc/hosts.deny to read ALL:ALL to boot.  This should perhaps
be the default, so sysadmins have to turn things on explicitly.  For
other servers the default access should probably be the same as in
/etc/hosts.deny if you don't want them to run from inetd.

> [snip]
> LILO problem: If you have physical access to the machine, you can
> boot from a rescue disk and get root every time (unless you use
> an encrypted filesystem).

Change your BIOS settings to only boot from the internal disk and
password protect it.  On my system I have such a setup and require a
password for all non-default boots.  Note, all passwords (BIOS, boot
and root) are of course different.

If your internal disk won't boot for some reason, you can always go in
and change the BIOS settings to allow rescue boots from floppy.

-- 
Olaf Meeuwissen       Epson Kowa Corporation, Research and Development
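The checks Olaf describes above (what inetd still serves, whether tcp_wrappers has a catch-all deny, and whether LILO only asks for a password on non-default boots) can be scripted. The following POSIX shell script is an added example, not code from the thread or from Debian: it audits an inetd.conf, a hosts.deny and a lilo.conf, working on constructed sample files so it runs offline (point the functions at /etc/inetd.conf, /etc/hosts.deny and /etc/lilo.conf on a real box). Two caveats it encodes: hosts.deny only reaches services that are started through /usr/sbin/tcpd (inetd's own "internal" services such as discard/daytime/time are covered only if inetd itself is linked against libwrap), and a lilo.conf carrying a `password=` line stores that password in clear text, so it must not be world-readable. The service names, paths and password in the samples are made up.

```shell
#!/bin/sh
# Added example (not from the original thread or Debian): audit inetd.conf,
# hosts.deny and lilo.conf. Sample files are constructed below.

# Print one line per enabled (non-comment, non-blank) inetd.conf entry as
# "service/proto wrapper", where wrapper is:
#   tcpd     - run through /usr/sbin/tcpd, so hosts.allow/hosts.deny apply
#   internal - served by inetd itself; wrapped only if inetd links libwrap
#   direct   - server started without tcpd, hosts.deny does not apply
enabled_inetd_services() {
    grep -v '^[[:space:]]*#' "$1" | grep -v '^[[:space:]]*$' |
    awk '{
        w = "direct"
        if ($6 == "internal") w = "internal"
        else if ($6 ~ /tcpd$/) w = "tcpd"
        print $1 "/" $3, w
    }'
}

# Number of enabled inetd.conf entries, as a bare integer.
count_enabled_inetd_services() {
    enabled_inetd_services "$1" | wc -l | tr -d ' '
}

# Exit 0 only if hosts.deny has an unconditional "ALL: ALL" (an optional
# third field such as a spawn command is allowed). "ALL: ALL EXCEPT ..."
# is deliberately not counted as default-deny.
hosts_deny_is_default_deny() {
    grep -Eq '^[[:space:]]*ALL[[:space:]]*:[[:space:]]*ALL[[:space:]]*(:.*)?$' "$1"
}

# Print "none" (no boot password), "restricted" (password only needed when
# extra boot parameters are given, i.e. non-default boots) or "always".
lilo_boot_password_status() {
    if ! grep -Eq '^[[:space:]]*password[[:space:]]*=' "$1"; then
        echo none
    elif grep -Eq '^[[:space:]]*restricted([[:space:]]|$)' "$1"; then
        echo restricted
    else
        echo always
    fi
}

# Exit 0 if the file's "other" permission bits include read.
lilo_conf_world_readable() {
    case "$(ls -ld "$1" | cut -c8-10)" in
        *r*) return 0 ;;
        *)   return 1 ;;
    esac
}

# --- constructed sample files (not real system files) ---------------------
SAMPLE_DIR=$(mktemp -d)

cat > "$SAMPLE_DIR/inetd.conf" <<'EOF'
# constructed sample in the layout of a Debian 2.2 /etc/inetd.conf
#:INTERNAL: Internal services
#echo    stream  tcp  nowait  root    internal
discard  stream  tcp  nowait  root    internal
discard  dgram   udp  wait    root    internal
daytime  stream  tcp  nowait  root    internal
time     stream  tcp  nowait  root    internal
#:STANDARD: These are standard services.
#telnet  stream  tcp  nowait  root    /usr/sbin/tcpd  /usr/sbin/in.telnetd
finger   stream  tcp  nowait  nobody  /usr/sbin/tcpd  /usr/sbin/in.fingerd
EOF

printf '# hosts.deny with no rules (comments only)\n' > "$SAMPLE_DIR/hosts.deny.before"
printf '# hosts.deny after the edit described above\nALL: ALL\n' > "$SAMPLE_DIR/hosts.deny.after"

cat > "$SAMPLE_DIR/lilo.conf" <<'EOF'
# constructed sample /etc/lilo.conf; the password is a placeholder
boot=/dev/hda
root=/dev/hda1
restricted
password=ChangeMeInReality
image=/vmlinuz
    label=Linux
    read-only
EOF
chmod 600 "$SAMPLE_DIR/lilo.conf"

# --- report ----------------------------------------------------------------
echo "enabled in inetd.conf:"
enabled_inetd_services "$SAMPLE_DIR/inetd.conf" | sed 's/^/  /'
for f in before after; do
    if hosts_deny_is_default_deny "$SAMPLE_DIR/hosts.deny.$f"; then
        echo "hosts.deny.$f: default deny (ALL: ALL) in place"
    else
        echo "hosts.deny.$f: NO default deny, add 'ALL: ALL'"
    fi
done
echo "lilo.conf boot password: $(lilo_boot_password_status "$SAMPLE_DIR/lilo.conf")"
if lilo_conf_world_readable "$SAMPLE_DIR/lilo.conf"; then
    echo "lilo.conf: WORLD-READABLE, chmod 600 it (password is in clear text)"
else
    echo "lilo.conf: not world-readable"
fi
```

The "direct" label is the one to look for in real output: an entry that neither says `internal` nor goes through tcpd gets no benefit from the ALL:ALL rule and has to be disabled in inetd.conf itself (or wrapped with tcpd) if it should not be reachable.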