Date:      Sun, 17 Oct 1999 15:29:06 -0500
From:      "Jeffrey J. Mountin" <jeff-ml@mountin.net>
To:        Alex Charalabidis <alex@wnm.net>
Cc:        freebsd-security@FreeBSD.ORG
Subject:   Re: General securiy of vanilla install WAS [FreeSSH]
Message-ID:  <3.0.3.32.19991017152906.00aa7100@207.227.119.2>
In-Reply-To: <Pine.BSI.4.05.9910162349330.14034-100000@earth.wnm.net>
References:  <19991017043046.5909.rocketmail@web115.yahoomail.com>

At 12:11 AM 10/17/99 -0500, Alex Charalabidis wrote:
>On Sat, 16 Oct 1999, tom brown wrote:
>
>> I think we've lost the direction here somewhere. 
>> This started as a conversation about
>> 'security' options.
>> 
>> But something should be done to allow the less
>> experienced users roll out a box that can sit
>> unprotected on the net.  Personal experience has 
>> demonstrated that many insecure installs are out there
>> running in production environments.  People often seem
>> to have the impression that unix is secure, but they 
>> don't understand what they need to do to make it that 
>> way.
>>  
>This ought to be addressed in future releases. I don't remember off-hand 
>which services are enabled by default on a stock installation but I do
>remember always having to shut down a few on every new machine I install
>FreeBSD on (which means most machines that hit my desk).

Can almost guess that any committer is going to address this by stating that
less experienced users (or admins) *should* know better.

Anyone expecting to just install and drop it off the wire should get what
they deserve for their minimal effort.

To be fair, we could have a firewall distribution, but even so it would be
a compromise and still require a certain level of knowledge to do right.

>Somewhere in this thread, someone mentioned installing tcsh/bash and ssh
>as the first tasks on a new box. Wrong. The first thing we do is vi
>inetd.conf and shut down unneeded services. Those who don't know enough to
>do so are SOL. Sure, they need to learn but letting them learn by having
>their machines cracked is counterproductive.

Not wrong.  Why connect to the network before the system is ready? ;)

>Granted, it is by far not as bad as it is with certain eponymous Linux
>distributions that come so service-happy it's scary, but there are
>concerns about new FreeBSD installations too. New users don't need the
>services (and shouldn't be running them), experienced users would
>rather enable what they need themselves.

It's better than it used to be.  Either services in inetd.conf should *all*
be commented or inetd should not be started in rc.conf, along with
sendmail.  AFAICR, sendmail is on since it is so commonly used and to avoid
newbies asking about it, but then they will ask anyways and so we have
these little discussions from time to time.

>Sounds very reasonable. Though maybe "run services" should be off by
>default.

Trouble is new users.  All more experienced types know what they (don't)
want, so where things are is more of a compromise.

The main reason for some pushing for UUCP as an option is the world
writable directory.  If logins or ftp are allowed on a *stock* system then
there's a nice little place that everyone can access.

A more granulated distribution means less to worry about and a minimalist
approach can be taken.  New users could just opt for a "basic/complete"
package list.

my .02


Jeff Mountin - jeff@mountin.net
Systems/Network Administrator
FreeBSD - the power to serve
'86 Yamaha MaxiumX (not FBSD powered)
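
The check the message describes (either every inetd.conf entry is commented out, or inetd is not started from rc.conf), as an added example that is not part of the original message. The function names and the sample files are constructed for illustration; only the given rc.conf is read.

```shell
#!/bin/sh
# Added example; the sample files below are constructed, not from a real host.

# Print "service/proto" for each active (uncommented) inetd.conf entry.
# An entry has at least six fields: name, socket type, protocol,
# wait/nowait, user, server program.
inetd_active() {
    awk '$1 !~ /^#/ && NF >= 6 { print $1 "/" $3 }' "$1"
}

# Print the value an rc.conf assigns to variable $2 (last assignment wins).
# Assumption: only this file is read; system defaults are not consulted.
rc_value() {
    sed -n "s/^[[:space:]]*$2=\"\{0,1\}\([^\"#[:space:]]*\).*/\1/p" "$1" |
        tail -n 1
}

# Succeed only when inetd is enabled AND still has active entries.
inetd_exposed() {
    case "$(rc_value "$1" inetd_enable)" in
        [Yy][Ee][Ss]) [ -n "$(inetd_active "$2")" ] ;;
        *) return 1 ;;
    esac
}

# Constructed sample configuration.
demo_dir=$(mktemp -d)
cat > "$demo_dir/inetd.conf" <<'EOF'
# constructed sample
ftp     stream  tcp     nowait  root    /usr/libexec/ftpd       ftpd -l
telnet  stream  tcp     nowait  root    /usr/libexec/telnetd    telnetd
#shell  stream  tcp     nowait  root    /usr/libexec/rshd       rshd
EOF
cat > "$demo_dir/rc.conf" <<'EOF'
inetd_enable="YES"
sendmail_enable="YES"
EOF

if inetd_exposed "$demo_dir/rc.conf" "$demo_dir/inetd.conf"; then
    echo "inetd is enabled with active services:"
    inetd_active "$demo_dir/inetd.conf" | sed 's/^/  /'
fi
echo "sendmail_enable=$(rc_value "$demo_dir/rc.conf" sendmail_enable)"
```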
