From owner-freebsd-security Fri Sep 22 1:35: 4 2000
Delivered-To: freebsd-security@freebsd.org
Received: from ns1.sunesi.net (ns1.sunesi.net [196.15.192.194]) by hub.freebsd.org (Postfix) with ESMTP id 8CAD737B423 for ; Fri, 22 Sep 2000 01:34:56 -0700 (PDT)
Received: from nbm by ns1.sunesi.net with local (Exim 3.03 #1) id 13cOIA-0006aV-00; Fri, 22 Sep 2000 10:34:46 +0200
Date: Fri, 22 Sep 2000 10:34:46 +0200
From: Neil Blakey-Milner
To: Brett Glass
Cc: Wes Peters , security@freebsd.org
Subject: Re: sysinstall DOESN'T ASK, dangerous defaults! (Was: Re: wats so special about freeBSD?)
Message-ID: <20000922103446.A25222@mithrandr.moria.org>
References: <99016.969437392@winston.osd.bsdi.com> <99016.969437392@winston.osd.bsdi.com> <20000920125405.D22272@149.211.6.64.reflexcom.com> <4.3.2.7.2.20000921113652.053d4960@localhost> <20000921210521.A17973@mithrandr.moria.org> <39CA8E45.7DA45048@softweyr.com> <4.3.2.7.2.20000921182152.046d6ee0@localhost>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 1.0.1i
In-Reply-To: <4.3.2.7.2.20000921182152.046d6ee0@localhost>; from brett@lariat.org on Thu, Sep 21, 2000 at 06:32:48PM -0600
Organization: Sunesi Clinical Systems
X-Operating-System: FreeBSD 3.3-RELEASE i386
X-URL: http://rucus.ru.ac.za/~nbm/
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Thu 2000-09-21 (18:32), Brett Glass wrote:
> IMHO:
>
> Telnet is dangerous and should be disabled now that SSH is in common use
> and is not encumbered by patents. sshd should be on unless the user
> asks for it not to be. (He or she should still be asked.)

This happens already:

    if (write_header) {
        ...
        fprintf(rcSite, "sshd_enable=\"YES\"\n");
    }

    { " Sshd", "This machine wants to run the ssh daemon",
      dmenuVarCheck, dmenuToggleVariable, NULL, "sshd_enable=YES" },

> Mail should be an option that defaults to "on" but lets the user ask that
> it not be activated at install time. Many of us like to reconfigure before
> turning it on. And others will be using FreeBSD as a workstation and will
> be using an e-mail client.... Sendmail doesn't need to be running.

Email clients use sendmail to send mail. If sendmail isn't running, it
doesn't queue. We'll just lose that mail to a black hole. That isn't
obvious.

Again, the case you state above is already in place:

    if (write_header) {
        ...
        fprintf(rcSite, "sendmail_enable=\"YES\"\n");
    }

    { " Sendmail", "This machine wants to run the sendmail daemon",
      dmenuVarCheck, dmenuToggleVariable, NULL, "sendmail_enable=YES" },

> As for NFS: I would take issue with the assertion that most people
> want it on. Also, last time I checked the default install of FreeBSD
> turned on /sbin/portmap even if the user explicitly asks for no NFS!
> This is unnecessary and is a security breach just waiting to happen.

If the user doesn't say 'portmap_enable="NO"', the user isn't explicitly
asking for portmap not to run. I'm investigating moving the portmap
check to the NFS check. I've also got permission to add an inetd check.

> >they don't want to spend hours agonizing over the configuration
> >of every single computer they install.
>
> I wind up spending hours agonizing over the configuration of every
> FreeBSD install I do, because I have to turn off many of the defaults
> which could potentially compromise security or waste resources.

vi /etc/rc.conf

The "defaults" these days leave very little running. Of course, if you
actually _contributed_, we'd do these things faster, so you wouldn't
have to whine constantly.

Neil
-- 
Neil Blakey-Milner
Sunesi Clinical Systems
nbm@mithrandr.moria.org

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
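
The message above turns on the difference between a daemon that was explicitly enabled and one that runs only because rc.conf never says otherwise (the portmap case). The following is an added example, not part of the original message and not sysinstall or FreeBSD code; the function names, the sample file contents and the stand-in "defaults" file are assumptions made for the demonstration, and inetd_enable is included because the message mentions an inetd check.

```sh
#!/bin/sh
# Added example (not sysinstall or FreeBSD code). Parses rc.conf-style files
# as text, never sourcing them, and reports where each knob's value comes from.

# rc_lookup VAR FILE: print the last value assigned to VAR; status 1 if none.
rc_lookup() {
    [ -r "$2" ] || return 1
    grep -q "^[[:space:]]*$1=" "$2" || return 1
    sed -n "s/^[[:space:]]*$1=//p" "$2" | tail -n 1 |
        sed -e 's/[[:space:]]*#.*$//' -e 's/[[:space:]]*$//' \
            -e 's/^"\(.*\)"$/\1/' -e "s/^'\(.*\)'\$/\1/"
}

# rc_audit DEFAULTS SITE [VAR...]: print "VAR VALUE ORIGIN" for each knob.
# ORIGIN is explicit (set in SITE), default (only in DEFAULTS) or none.
rc_audit() {
    _defaults=$1 _site=$2
    shift 2
    [ $# -gt 0 ] || set -- sshd_enable sendmail_enable portmap_enable inetd_enable
    for _var in "$@"; do
        if _val=$(rc_lookup "$_var" "$_site"); then _origin=explicit
        elif _val=$(rc_lookup "$_var" "$_defaults"); then _origin=default
        else _val=unset _origin=none
        fi
        echo "$_var $_val $_origin"
    done
}

# rc_implicit_on DEFAULTS SITE [VAR...]: knobs that are enabled only because
# SITE says nothing about them (the portmap case discussed in the message).
rc_implicit_on() {
    rc_audit "$@" | while read -r _n _v _o; do
        case "$_o:$_v" in default:[Yy][Ee][Ss]) echo "$_n" ;; esac
    done
}

# write_samples DIR: constructed inputs. The defaults are an assumption for
# the demo, not a copy of any release's /etc/defaults/rc.conf.
write_samples() {
    printf '%s\n' 'sshd_enable="NO"' 'sendmail_enable="YES"' \
        'portmap_enable="YES"   # assumed default' 'inetd_enable="YES"' > "$1/defaults"
    printf '%s\n' 'sshd_enable="YES"' 'sendmail_enable="YES"' > "$1/site"
}

demo_dir=$(mktemp -d) && write_samples "$demo_dir"
rc_audit "$demo_dir/defaults" "$demo_dir/site"
rc_implicit_on "$demo_dir/defaults" "$demo_dir/site"
rm -rf "$demo_dir"
```

On a real system the two arguments would be /etc/defaults/rc.conf and /etc/rc.conf; anything rc_implicit_on lists needs an explicit "NO" line in the site file to be switched off.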