Date:      Thu, 5 Feb 1998 13:57:34 -0800
From:      "Ron 'The Insane One' Rosson" <insane@oneinsane.net>
To:        Jamie Lawrence <jal@42is.com>
Cc:        Doug White <dwhite@resnet.uoregon.edu>, freebsd-questions@FreeBSD.ORG
Subject:   Re: minimalist /etc/services and /etc/inetd.conf Re: Security
Message-ID:  <19980205135734.44818@the.oneinsane.net>
In-Reply-To: <3.0.3.32.19980205110224.009f3820@colonel.42inc.com>; from Jamie Lawrence on Thu, Feb 05, 1998 at 11:02:24AM -0800
References:  <3.0.3.32.19980204134734.009944f0@colonel.42inc.com> <3.0.3.32.19980205110224.009f3820@colonel.42inc.com>

-J 
  I agree with your methods. Only make the machine capable of what
its job is. That way it cannot come back and haunt you. IMHO
it sounds to me like you have good firewall-based habits.
Ron

On Thu, Feb 05, 1998 at 11:02:24AM -0800, Jamie Lawrence wrote:
> 
> I didn't mean to spark a huge debate on this - I won't
> publicly post on the topic after this. Feel free to
> harangue me privately, should you feel really strongly
> about my habit of editing /etc/services.
> 
> At 09:58 PM 2/4/98 -0800, you wrote:
> 
> >> "Don't play with /etc/services" seems like pretty general advice
> >> not applicable in all (or perhaps even most) situations.
> >
> >OK, then why edit services?  It's a text database, nothing more.
> 
> For the same reason I remove large chunks of /bin/*, /sbin/*,
> the man pages for what is gone, /etc/sendmail.cf, the kernel sources
> after a recompile, etc. etc. etc.
> 
> What isn't there can't be used against the system. True, there might
> not be any direct gains in security from removing man pages and
> editing services, and I admit this particular case is perhaps just
> an aesthetic issue. If a system is only firewalling or only serving
> web pages, I want it to be only capable of that function (modulo
> any administratively necessary functions, of course), and want
> everything not associated with that function gone. "All that is not
> permitted is forbidden", while admittedly bad social policy, is great
> security. (I'm less harsh to machines that more people access.)
> 
> -j

-- 
--------------------------------------------------------
Ron Rosson              ... and a UNIX user said ...
rlr@n2.net                        rm -rf *
insane@oneinsane.net      and all was null and void
--------------------------------------------------------  



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?19980205135734.44818>
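The allowlist habit Jamie describes in the quoted message (the host keeps only what its job needs, and for inetd that means every line not explicitly permitted gets commented out) can be turned into a repeatable check. The shell script below is an added example written for this page; it is not code from either poster or from FreeBSD. The inetd.conf and /etc/services excerpts in it are constructed samples, and the function names are my own. It also covers the thread's subject line: a trimmed /etc/services must still carry a name/protocol entry for every service inetd is configured to start, because inetd resolves each entry with getservbyname(3).

```shell
#!/bin/sh
# Added example (not from the thread): audit inetd.conf against an allowlist of
# the services a host is supposed to offer, emit a minimal inetd.conf with every
# other active line commented out, and check that a trimmed /etc/services still
# covers everything inetd is configured to start.

# Constructed sample inetd.conf (classic FreeBSD layout:
# service socket-type proto wait/nowait user program args). Not a real host.
SAMPLE_INETD_CONF='# constructed sample
ftp     stream  tcp     nowait  root    /usr/libexec/ftpd       ftpd -l
telnet  stream  tcp     nowait  root    /usr/libexec/telnetd    telnetd
#shell  stream  tcp     nowait  root    /usr/libexec/rshd       rshd
finger  stream  tcp     nowait  nobody  /usr/libexec/fingerd    fingerd -s
ntalk   dgram   udp     wait    root    /usr/libexec/ntalkd     ntalkd
comsat  dgram   udp     wait    tty:tty /usr/libexec/comsat     comsat
'

# Constructed sample of a trimmed /etc/services (name port/proto).
SAMPLE_SERVICES='ftp     21/tcp
telnet  23/tcp
finger  79/tcp
'

# enabled_services CONF: names of every active (uncommented, non-blank) entry.
enabled_services() {
    printf '%s' "$1" | awk '!/^[ \t]*(#|$)/ { print $1 }'
}

# forbidden_services CONF ALLOWLIST: active entries whose name is not in the
# space-separated ALLOWLIST. "All that is not permitted is forbidden."
forbidden_services() {
    allow=" $2 "
    enabled_services "$1" | while read -r svc; do
        case "$allow" in
            *" $svc "*) ;;
            *) echo "$svc" ;;
        esac
    done
}

# count_forbidden CONF ALLOWLIST: how many active entries fail the allowlist.
count_forbidden() {
    forbidden_services "$1" "$2" | wc -l | tr -d ' '
}

# minimal_inetd_conf CONF ALLOWLIST: CONF with every non-permitted active line
# commented out. Comments, blank lines and permitted lines pass through
# unchanged, so the result can be diffed against the original.
minimal_inetd_conf() {
    printf '%s' "$1" | awk -v allow=" $2 " '
        /^[ \t]*(#|$)/            { print; next }
        index(allow, " " $1 " ")  { print; next }
                                  { print "#" $0 }
    '
}

# unlisted_services CONF SERVICES: active inetd entries with no matching
# name/protocol line in SERVICES. inetd looks each entry up with
# getservbyname(3), so an /etc/services trimmed below this set leaves inetd
# unable to start those entries.
unlisted_services() {
    services=$2
    printf '%s' "$1" | awk '!/^[ \t]*(#|$)/ { print $1, $3 }' |
    while read -r svc proto; do
        if ! printf '%s' "$services" | awk -v s="$svc" -v p="$proto" '
                !/^[ \t]*(#|$)/ { split($2, a, "/"); if ($1 == s && a[2] == p) found = 1 }
                END { exit (found ? 0 : 1) }'
        then
            echo "$svc/$proto"
        fi
    done
}
```

Run it on a real host by feeding `"$(cat /etc/inetd.conf)"` and `"$(cat /etc/services)"` to the functions; `forbidden_services` is the review list, `minimal_inetd_conf` is the candidate replacement to diff and install, and `unlisted_services` is the check to run after trimming /etc/services and before restarting inetd.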