From owner-freebsd-security Sun Oct 17 13:35:59 1999
Delivered-To: freebsd-security@freebsd.org
Received: from peak.mountin.net (peak.mountin.net [207.227.119.2]) by hub.freebsd.org (Postfix) with ESMTP id 23AFA14C88 for ; Sun, 17 Oct 1999 13:35:51 -0700 (PDT) (envelope-from jeff-ml@mountin.net)
Received: (from daemon@localhost) by peak.mountin.net (8.9.1/8.9.1) id PAA14102; Sun, 17 Oct 1999 15:35:49 -0500 (CDT) (envelope-from jeff-ml@mountin.net)
Received: from dial-217.tnt1.rac.cyberlynk.net(209.224.182.217) by peak.mountin.net via smap (V1.3) id sma014100; Sun Oct 17 15:35:39 1999
Message-Id: <3.0.3.32.19991017152906.00aa7100@207.227.119.2>
X-Sender: jeff-ml@207.227.119.2
X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.3 (32)
Date: Sun, 17 Oct 1999 15:29:06 -0500
To: Alex Charalabidis
From: "Jeffrey J. Mountin"
Subject: Re: General securiy of vanilla install WAS [FreeSSH]
Cc: freebsd-security@FreeBSD.ORG
In-Reply-To:
References: <19991017043046.5909.rocketmail@web115.yahoomail.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

At 12:11 AM 10/17/99 -0500, Alex Charalabidis wrote:
>On Sat, 16 Oct 1999, tom brown wrote:
>
>> I think we've lost the direction here somewhere.
>> This started as a conversation about
>> 'security' options.
>>
>> But something should be done to allow the less
>> experienced users to roll out a box that can sit
>> unprotected on the net. Personal experience has
>> demonstrated that many insecure installs are out there
>> running in production environments. People often seem
>> to have the impression that unix is secure, but they
>> don't understand what they need to do to make it that
>> way.
>>
>This ought to be addressed in future releases. I don't remember off-hand
>which services are enabled by default on a stock installation but I do
>remember always having to shut down a few on every new machine I install
>FreeBSD on (which means most machines that hit my desk).

Can almost guess that any committer is going to address this by stating
that less experienced users (or admins) *should* know better. Anyone
expecting to just install and drop it off the wire should get what they
deserve for their minimal effort.

To be fair, we could have a firewall distribution, but even so it would be
a compromise and still require a certain level of knowledge to do right.

>Somewhere in this thread, someone mentioned installing tcsh/bash and ssh
>as the first tasks on a new box. Wrong. The first thing we do is vi
>inetd.conf and shut down unneeded services. Those who don't know enough to
>do so are SOL. Sure, they need to learn but letting them learn by having
>their machines cracked is counterproductive.

Not wrong. Why connect to the network before the system is ready? ;)

>Granted, it is by far not as bad as it is with certain eponymous Linux
>distributions that come so service-happy it's scary, but there are
>concerns about new FreeBSD installations too. New users don't need the
>services (and shouldn't be running them), experienced users would
>rather enable what they need themselves.

It's better than it used to be. Either services in inetd.conf should *all*
be commented or inetd should not be started in rc.conf, along with
sendmail. AFAICR, sendmail is on since it is so commonly used and to avoid
newbies asking about it, but then they will ask anyways and so we have
these little discussions from time to time.

>Sounds very reasonable. Though maybe "run services" should be off by
>default.

Trouble is new users. All more experienced types know what they (don't)
want, so where things are is more of a compromise.

The main reason for some pushing for UUCP as an option is the world
writable directory. If logins or ftp are allowed on a *stock* system then
there's a nice little place that everyone can access.

A more granulated distribution means less to worry about and a minimalist
approach can be taken. New users could just opt for a "basic/complete"
package list.

my .02

Jeff Mountin - jeff@mountin.net
Systems/Network Administrator
FreeBSD - the power to serve
'86 Yamaha MaxiumX (not FBSD powered)
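The two checks the thread keeps returning to, which inetd.conf lines are still active and whether rc.conf starts inetd and sendmail at boot, can be done mechanically before a box is put on the wire. The script below is an added example and is not code from this thread or from FreeBSD. It assumes the classic FreeBSD file layouts (inetd.conf as "service socket proto wait/nowait user program args", rc.conf as shell-style knob="VALUE" lines); the sample file contents embedded in it are constructed for the demonstration, and the function names are the example's own.

```shell
#!/bin/sh
# Added example, not from the thread or from FreeBSD. Audits a stock-style
# inetd.conf and rc.conf for services that would be reachable the moment the
# box is put on the wire, which is the check the thread says should come first.

# Constructed sample inetd.conf in the classic FreeBSD layout (assumption):
#   service  socket  proto  wait/nowait  user  server-program  arguments
SAMPLE_INETD_CONF='# Services enabled on this host (constructed sample)
ftp     stream  tcp     nowait  root    /usr/libexec/ftpd       ftpd -l
telnet  stream  tcp     nowait  root    /usr/libexec/telnetd    telnetd
#shell  stream  tcp     nowait  root    /usr/libexec/rshd       rshd
#login  stream  tcp     nowait  root    /usr/libexec/rlogind    rlogind
finger  stream  tcp     nowait  nobody  /usr/libexec/fingerd    fingerd -s
#comsat dgram   udp     wait    tty:tty /usr/libexec/comsat     comsat
'

# Constructed sample rc.conf naming the two daemons the thread singles out.
SAMPLE_RC_CONF='# rc.conf (constructed sample)
inetd_enable="YES"
sendmail_enable="YES"
sshd_enable="NO"
'

# Print the name of every inetd.conf service that is not commented out, one per
# line. $1 holds the file contents, so the functions work on strings here and
# on a real file passed as "$(cat /etc/inetd.conf)".
enabled_inetd_services() {
    printf '%s\n' "$1" | awk '!/^[ \t]*#/ && NF >= 6 { print $1 }'
}

# Count of active inetd.conf entries (0 on a fully commented file).
count_enabled_inetd_services() {
    enabled_inetd_services "$1" | wc -l | tr -d ' '
}

# Print the value of an rc.conf knob with its quotes stripped, or nothing if
# the knob is absent. $1: rc.conf contents, $2: variable name.
rc_conf_value() {
    printf '%s\n' "$1" | awk -F= -v key="$2" '
        !/^[ \t]*#/ && $1 == key { v = $2; gsub(/"/, "", v); print v; exit }'
}

# Emit a copy of inetd.conf with every active line commented out; blank lines
# and existing comments pass through unchanged. Output goes to stdout so the
# result can be reviewed before it replaces the live file.
comment_out_all() {
    printf '%s\n' "$1" | sed -E '/^[[:space:]]*(#|$)/!s/^/#/'
}

# Human-readable audit of both files.
audit_report() {
    inetd_conf=$1
    rc_conf=$2
    n=$(count_enabled_inetd_services "$inetd_conf")
    echo "inetd.conf: $n service(s) still active"
    enabled_inetd_services "$inetd_conf" | sed 's/^/  - /'
    for knob in inetd_enable sendmail_enable sshd_enable; do
        echo "rc.conf: $knob=$(rc_conf_value "$rc_conf" "$knob")"
    done
}

audit_report "$SAMPLE_INETD_CONF" "$SAMPLE_RC_CONF"
```

On a real host the same functions run against the live files with `audit_report "$(cat /etc/inetd.conf)" "$(cat /etc/rc.conf)"`; the report on the constructed sample lists ftp, telnet and finger as still active and shows inetd and sendmail both enabled, which is exactly the state the thread wants fixed before the machine is networked. `comment_out_all` only prints the hardened copy; installing it over /etc/inetd.conf and restarting inetd is a deliberate second step.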