Date: Sun, 17 Oct 1999 21:39:59 -0500
From: "Jeffrey J. Mountin" <jeff-ml@mountin.net>
To: Justin Wells <jread@semiotek.com>
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: General security of vanilla install WAS [FreeSSH]
Message-ID: <3.0.3.32.19991017213959.016c1be0@207.227.119.2>
In-Reply-To: <19991017180225.A9804@semiotek.com>
References: <3.0.3.32.19991017152906.00aa7100@207.227.119.2> <19991017043046.5909.rocketmail@web115.yahoomail.com> <Pine.BSI.4.05.9910162349330.14034-100000@earth.wnm.net> <3.0.3.32.19991017152906.00aa7100@207.227.119.2>
At 06:02 PM 10/17/99 -0400, Justin Wells wrote:
>A simple firewall would go a long way. By default allow everything
>outbound and nothing inbound. Or allow only inbound www, ssh, identd,
>passive ftp, and smtp--so people don't ask why they aren't allowed
>on IRC, can't FTP the dists, can't see their website, and don't get
>their mail.
>
>The firewall configuration file should be well commented, and there
>should be a loud message in the install explaining that it's there.

But then any comments or documentation need to be *read* in the first place to be useful.

>The first thing I do is bring up the firewall :-) The first thing I
>install is "screen" so that I can poke around in the background while
>"make world" is running in single user mode.

The first thing I do is crosslink to my development server. No need to build and is current or -stable in this case. ;)

>I love those old Slackware systems that used to install with 'ps'
>and 'netstat' running out of inetd.

No comment. Tinkered with Slackware in '94 last and haven't since.

>However, most new users think that they want to have telnetd installed,
>and since it is installed by default, they think it must be OK. If they
>had to turn it on, it might occur to them that cleartext protocols and
>public networks don't mix. Especially if a comment in inetd.conf said
>so :-)

Frankly they should read a book, man pages, documentation, etc. Explaining with comments is not the way, IMO.

You are talking about an end user, possibly at home, that isn't likely to be deploying a production server and might not even know about inetd.conf at all or man <service>. In this case that "firewall distribution" that doesn't allow incoming connections would be a Good Thing for them.

Think less time should be spent on what we want and don't want, but rather some mechanisms (or ideas for them) that allow for a finer granularity for initial installs and builds.
Would be nice if buildworld would skip making things that aren't going to be installed, but that is a bit more of a problem and might cost some flexibility. Consider that one system could build everything, then is used to install only what is desired to other systems. Makes sense. Not building everything would speed up the build process. Then again this means that some flags would need to be honored by installworld and not buildworld. More complexity.

Think I'll shut up and dig around a bit, but looks pretty much beyond me at this point. Ugly hacks don't count. Some way of moving all the files needed for say NIS to their own subdir under /usr/src might work. Makes for more clutter. With UUCP there is mtree needing changes to the input files. Create the files on the fly then. Then there are dependencies, etc, etc, etc... making for a big project. Somehow I just don't see this happening any time soon.

Would appreciate any "how" input. No "what" or "why" unless the person *really* knows the build process.

Jeff Mountin - jeff@mountin.net
Systems/Network Administrator
FreeBSD - the power to serve
'86 Yamaha MaxiumX (not FBSD powered)
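The default policy Justin sketches at the top of the thread (everything outbound, nothing inbound, or only a short list of inbound services) as an ipfw(8) rule generator. This is an added example, not part of the message or of FreeBSD's own rc.firewall. It assumes the stateless ipfw syntax of the 3.x era (no keep-state), an outside interface named ed0, and a placeholder service list; both are plain shell variables so they can be overridden. Passive-mode FTP data connections would need the ftpd's passive port range opened as well, which is deliberately left out here.

```shell
#!/bin/sh
# Added example: generate an ipfw(8) rule file for the policy "all outbound
# allowed, inbound closed except a named service list". Not from the original
# post. EXT_IF and INBOUND_TCP are assumptions; set INBOUND_TCP="" for the
# stricter "nothing inbound" default.

EXT_IF="${EXT_IF:-ed0}"                        # assumed outside interface
INBOUND_TCP="${INBOUND_TCP-22,25,80,113,21}"   # ssh smtp www identd ftp-control

# Print rules in the form "ipfw <file>" reads: one "add ..." per line.
gen_rules() {
    printf 'add 100 allow ip from any to any via lo0\n'
    printf 'add 200 deny ip from any to 127.0.0.0/8\n'
    # packets belonging to a connection already set up, either direction
    printf 'add 300 allow tcp from any to any established\n'
    # any outbound TCP connection may be opened
    printf 'add 400 allow tcp from any to any out via %s setup\n' "$EXT_IF"
    # only the listed services may be reached from outside
    if [ -n "$INBOUND_TCP" ]; then
        printf 'add 500 allow tcp from any to any %s in via %s setup\n' \
            "$INBOUND_TCP" "$EXT_IF"
    fi
    # every other inbound connection attempt (telnet included) is refused and logged
    printf 'add 600 deny log tcp from any to any in via %s setup\n' "$EXT_IF"
    # UDP: out freely, in only DNS answers (stateless, so match on source port)
    printf 'add 700 allow udp from any to any out via %s\n' "$EXT_IF"
    printf 'add 800 allow udp from any 53 to any in via %s\n' "$EXT_IF"
    printf 'add 900 allow icmp from any to any\n'
    printf 'add 65000 deny log ip from any to any\n'
}

# Number of rules the generator emits; a cheap sanity check before loading.
count_rules() { gen_rules | wc -l | tr -d ' '; }

# Usage (as root, on the box being installed):
#   gen_rules > /etc/ipfw.rules && ipfw -q -f flush && ipfw -q /etc/ipfw.rules
```

The point of the 600 rule sitting right after the service list is that the refusal is logged: a new user who wonders why telnet "doesn't work" can see the denied setup packets in the log and find the rule that produced them, which is the loud pointer Justin asks for without relying on anyone reading a comment first.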