Date: Fri, 22 Sep 2000 07:34:31 -0700
From: Cy Schubert - ITSD Open Systems Group <Cy.Schubert@uumail.gov.bc.ca>
To: Neil Blakey-Milner <nbm@mithrandr.moria.org>
Cc: Cy Schubert - ITSD Open Systems Group <Cy.Schubert@uumail.gov.bc.ca>, Brett Glass <brett@lariat.org>, Wes Peters <wes@softweyr.com>, security@FreeBSD.ORG
Subject: Re: sysinstall DOESN'T ASK, dangerous defaults! (Was: Re: wats so special about freeBSD?)
Message-ID: <200009221435.e8MEZCs11279@cwsys.cwsent.com>
In-Reply-To: Your message of "Fri, 22 Sep 2000 16:01:24 +0200." <20000922160123.A29787@mithrandr.moria.org>
In message <20000922160123.A29787@mithrandr.moria.org>, Neil Blakey-Milner writes:

> On Fri 2000-09-22 (06:52), Cy Schubert - ITSD Open Systems Group wrote:
> > I submitted two awk scripts to this list late last week that disable
> > services in inetd that those of us who are paranoid would normally
> > remove. Absolutely no one was interested. For that matter I didn't
> > even receive a comment about the scripts from you. Absolutely nobody
> > is interested in this issue. The defaults are there because the
> > majority wants them there.
>
> If you could tell us how to plug them in somewhere, it might be nice.
> Do we have 'awk' on the install disk so it can be used there?
>
> (personally, I'd prefer we have /etc/inetd.conf (commented) and
> /etc/inetd.conf.wideopen, and we twiddle some bits in sysinstall to see
> which one gets started in rc. maybe inetd_wideopen_enabled or
> something.)

Search the -security and -arch archives for the subject "Option 3".

Plugging in the awk scripts somewhere could be in /etc or /usr/sbin, with an option in sysinstall. (Editing inetd.conf after an install is a pain.)

My team has used various forms of the scripts, because some customers prefer systems that are more open. Of course my recommendation to my customers, which is the most secure recommendation I can make and also keeps my butt out of a sling should they not want to use my recommendation and get broken into, is to disable all services and use SSH and Kerberos. I also recommend to my customers that if they do want to enable telnet, for example, that they document the reason why so that the auditor doesn't have to dig around as much to find out why an insecure service is enabled on a particular system.
Regards,                          Phone:  (250)387-8437
Cy Schubert                       Fax:    (250)387-5766
Team Leader, Sun/DEC Team         Internet:  Cy.Schubert@osg.gov.bc.ca
Open Systems Group, ITSD, ISTA
Province of BC
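The awk-based hardening the message describes, as an added example that is not the scripts from the original post: it comments out every active inetd.conf entry except an allowlist and writes the result to a separate file so the change can be reviewed before it is installed. The sample inetd.conf, the function names and the allowlist are constructed for this example.

```shell
#!/bin/sh
# Added example (not the original poster's scripts): disable every inetd service
# except an allowlist by commenting the line out, keeping the original intact.
# Usage: harden_inetd INPUT OUTPUT [service ...]
harden_inetd() {
    src="$1"; dst="$2"; shift 2
    awk -v allow="$*" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) keep[a[i]] = 1 }
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { print; next }   # comments and blanks: untouched
        ($1 in keep)                         { print; next }   # field 1 is the service name; allowlisted: keep
        { print "#" $0 }                                       # anything else: disabled, auditable in a diff
    ' "$src" > "$dst"
}

# Count services still enabled (non-comment, non-blank lines); useful as an audit check.
count_enabled() {
    awk '!/^[[:space:]]*#/ && !/^[[:space:]]*$/ { n++ } END { print n + 0 }' "$1"
}

# Constructed sample inetd.conf (fields: service socket proto wait user program args).
SAMPLE=$(mktemp "${TMPDIR:-/tmp}/inetd.XXXXXX")
cat > "$SAMPLE" <<'EOF'
# sample inetd.conf, constructed for this example
ftp     stream  tcp     nowait  root    /usr/libexec/ftpd       ftpd -l
telnet  stream  tcp     nowait  root    /usr/libexec/telnetd    telnetd
shell   stream  tcp     nowait  root    /usr/libexec/rshd       rshd
finger  stream  tcp     nowait  nobody  /usr/libexec/fingerd    fingerd -s
#chargen stream tcp     nowait  root    internal
EOF

# Keep only ftp (the documented exception); everything else is commented out.
HARDENED=$(mktemp "${TMPDIR:-/tmp}/inetd.XXXXXX")
harden_inetd "$SAMPLE" "$HARDENED" ftp
echo "enabled before: $(count_enabled "$SAMPLE"), after: $(count_enabled "$HARDENED")"
```

Diff the two files before copying the hardened one over /etc/inetd.conf and restarting inetd.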