Date: Tue, 14 Aug 2001 19:50:56 -0400 (EDT) From: Robert Watson <rwatson@FreeBSD.org> To: Alexander Langer <alex@big.endian.de> Cc: cvs-committers@FreeBSD.org, cvs-all@FreeBSD.org Subject: Re: cvs commit: src/etc inetd.conf Message-ID: <Pine.NEB.3.96L.1010814194754.72605A-100000@fledge.watson.org> In-Reply-To: <20010814213312.C22531@zerogravity.kawo2.rwth-aachen.d>
next in thread | previous in thread | raw e-mail | index | archive | help
On Tue, 14 Aug 2001, Alexander Langer wrote: > Thus spake Robert Watson (rwatson@FreeBSD.org): > > > Default to disabling all inetd.conf entries, in particular, telnetd > > and ftpd. This more conservative default reduces the exposure of > > Let's disable all other services as well and start advertising FreeBSD > with "No remote exploit in the default install since xx months/ years", > too, as the OpenBSD folks do. I haven't had a chance to do a release build / from scratch install lately, and would be interested in knowing what services we actually have left on right now. My guess is that for a moderate security install, sshd and sendmail, and otherwise, none. syslogd might be using -s instead of -ss. All of these programs do involve risk, syslogd possibly a fair amount less so, and I'd be open to discussing how to disable them but minimize impact from an administrative standpoint. I think disabling sshd would be fine, since we already prompt to enable it in an interactive install. There's been some past work on having sendmail do queue processing out of cron, not bind sockets, etc. I don't know much about that, from an operational perspective, and would be interested in hearing more about the considerations here. For example, I do know that a number of system functions generate e-mail (scheduled events, vi recovery, etc) and that needs to be handled properly. Robert N M Watson FreeBSD Core Team, TrustedBSD Project robert@fledge.watson.org NAI Labs, Safeport Network Services To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe cvs-all" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.NEB.3.96L.1010814194754.72605A-100000>