Re: A simple question FORK! Something that bugs me about net-installs and security
On Fri, Jan 26, 2007 at 10:01:43PM -0600, Ron Johnson wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 01/26/07 19:03, Hodgins Family wrote:
> > Many people are installing Debian "from the internet". Yet, the Securing
> > Debian Manual suggests no contact with the internet until the
> > installation is "secure."
> >
> > The manual states that installing the OS off the web is not the best
> > idea (Section 3.3 found here:
> > http://www.debian.org/doc/manuals/securing-debian-howto/ch3.en.html )
> >
> > Is the manual WRONG about net installs?
>
> Did you *read* the link you posted?
>
> 3.3 Do not plug to the Internet until ready
>
> The system should not be immediately connected to the Internet
> during installation.
> [snip]
> If you cannot do this, you can set up firewall rules to limit
> access to the system while doing the update (see Security
> update protected by a firewall, Appendix F).
>
> http://www.debian.org/doc/manuals/securing-debian-howto/ap-fw-security-update.en.html
>
> > Are net installs (let's say for a Desktop environment) totally without
> > vulnerability risks?
> >
> > When, during an installation, do/should people think about
> > security/vulnerability issues of the software they are installing?
>
> Actually, not much. Firewalling routers are $50 and do a reasonably
> good job.
Doesn't help much if one is accessing the net via a dial-up modem.
Why doesn't the installer:
1. automatically put up a firewall rule that only allows
traffic related to the installation procedure.
2. Install a basic firewall like ipmasq to cover someone
until they can get something better up and running.
?
I'm lucky in that I have an old 486 I used with a modem to also do the
firewall. I didn't use my Etch amd64 box on the net directly until Etch
got security support.
Doug.