Date: Fri, 22 Sep 2000 10:34:46 +0200 From: Neil Blakey-Milner <nbm@mithrandr.moria.org> To: Brett Glass <brett@lariat.org> Cc: Wes Peters <wes@softweyr.com>, security@freebsd.org Subject: Re: sysinstall DOESN'T ASK, dangerous defaults! (Was: Re: wats so special about freeBSD?) Message-ID: <20000922103446.A25222@mithrandr.moria.org> In-Reply-To: <4.3.2.7.2.20000921182152.046d6ee0@localhost>; from brett@lariat.org on Thu, Sep 21, 2000 at 06:32:48PM -0600 References: <99016.969437392@winston.osd.bsdi.com> <cjclark@reflexnet.net> <99016.969437392@winston.osd.bsdi.com> <20000920125405.D22272@149.211.6.64.reflexcom.com> <4.3.2.7.2.20000921113652.053d4960@localhost> <20000921210521.A17973@mithrandr.moria.org> <39CA8E45.7DA45048@softweyr.com> <4.3.2.7.2.20000921182152.046d6ee0@localhost>
next in thread | previous in thread | raw e-mail | index | archive | help
On Thu 2000-09-21 (18:32), Brett Glass wrote:
> IMHO:
>
> Telnet is dangerous and should be disabled now that SSH is in common use
> and is not encumbered by patents. sshd should be on unless the user
> asks for it not to be. (He or she should still be asked.)
This happens already:
if (write_header) {
...
fprintf(rcSite, "sshd_enable=\"YES\"\n");
}
{ " Sshd", "This machine wants to run the ssh daemon",
dmenuVarCheck, dmenuToggleVariable, NULL, "sshd_enable=YES" },
> Mail should be an option that defaults to "on" but lets the user ask that
> it not be activated at install time. Many of us like to reconfigure before
> turning it on. And others will be using FreeBSD as a workstation and will
> be using an e-mail client.... Sendmail doesn't need to be running.
email clients use sendmail to send mail. If sendmail isn't running, it
doesn't queue. We'll just lose that mail to a black hole. That isn't
obvious.
Again, the case you state above is already in place:
if (write_header) {
...
fprintf(rcSite, "sendmail_enable=\"YES\"\n");
}
{ " Sendmail", "This machine wants to run the sendmail daemon",
dmenuVarCheck, dmenuToggleVariable, NULL, "sendmail_enable=YES" },
> As for NFS: I would take issue with the assertion that most people
> want it on. Also, last time I checked the default install of FreeSBD
> turned on /sbin/portmap even if the user explicitly asks for no NFS!
> This is unnecessary and is a security breach just waiting to happen.
If the user doesn't say 'portmap_enable="NO"', the user isn't explicitly
asking for portmap not to run.
I'm investigating moving the portmap check to the NFS check.
I've also got permission to add an inetd check.
> >they don't want to spend hours agonizing over the configuration
> >of every single computer they install.
>
> I wind up spending hours agonizing over the configuration of every
> FreeBSD install I do, because I have to turn off many of the defaults
> which could potentially compromise security or waste resources.
vi /etc/rc.conf
The "defaults" these days leave very little running. Of course, if you
actually _contributed_, we'd do these things faster, so you wouldn't
have to whine constantly.
Neil
--
Neil Blakey-Milner
Sunesi Clinical Systems
nbm@mithrandr.moria.org
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20000922103446.A25222>