Date: Fri, 22 Sep 2000 20:23:19 +0200
From: Neil Blakey-Milner <nbm@mithrandr.moria.org>
To: Brett Glass <brett@lariat.org>
Cc: Dave McKay <dave@mu.org>, Wes Peters <wes@softweyr.com>, security@freebsd.org
Subject: Re: sysinstall DOESN'T ASK, dangerous defaults! (Was: Re: wats so special about freeBSD?)
Message-ID: <20000922202319.A32175@mithrandr.moria.org>
In-Reply-To: <4.3.2.7.2.20000922120415.00c7bdc0@localhost>; from brett@lariat.org on Fri, Sep 22, 2000 at 12:11:25PM -0600
References: <99016.969437392@winston.osd.bsdi.com> <cjclark@reflexnet.net> <99016.969437392@winston.osd.bsdi.com> <20000920125405.D22272@149.211.6.64.reflexcom.com> <4.3.2.7.2.20000921113652.053d4960@localhost> <20000921210521.A17973@mithrandr.moria.org> <39CA8E45.7DA45048@softweyr.com> <4.3.2.7.2.20000921182152.046d6ee0@localhost> <20000922021207.A90466@elvis.mu.org> <4.3.2.7.2.20000922120415.00c7bdc0@localhost>

On Fri 2000-09-22 (12:11), Brett Glass wrote:
> > Telnet *IS* however installed by default on every major OS I can
> >think of.
>
> It should not be. It sends passwords in the clear. This is not
> acceptable on today's Internet.

Which is fine, except I don't see 'ssh' on the OSen you might be using to
access your machine from remote. Windows, especially.

> >> I wind up spending hours agonizing over the configuration of every
> >> FreeBSD install I do, because I have to turn off many of the defaults
> >> which could potentially compromise security or waste resources.
> >
> >This is not healthy. Editing /etc/inetd.conf and /etc/rc.conf shouldn't
> >take one hours, this sounds like a personal problem.
>
> The fact is that it really CAN take hours to reconfigure FreeBSD to secure
> it. This includes recompiling the kernel (to get IP Filter in there, save
> resources, turn off BPF, etc.), editing rc.conf, editing sshd.conf, and
> much more.

ipfilter is available as a module, btw. And a kernel build, even on my
venerable p166mmx doesn't take more than a few minutes.

Can you explain exactly your thought processes as you're editing rc.conf
and sshd.conf? If we know _what_ you are changing, and why, maybe we'll
be enlightened.

I personally can't take more than a minute editing rc.conf. I know that
sshd.conf is safe enough - I may bind to a specific IP, though. What
else is there? I really can't see how it can take hours.

Neil
--
Neil Blakey-Milner
Sunesi Clinical Systems
nbm@mithrandr.moria.org

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20000922202319.A32175>