> > 1) Security
> > I will be really glad if most of the unnecessary services are turned off
> > for default install, including but not limited to, inetd daemon. It
> > minimizes or prevents the chance of attacks such as denial of service
> > and buffer overflow. Let's take a look at the last big security problem:
> 
> It's done for most servers. Please give us a list of exact services you
> would like to see disabled, if you want a more precise answer.

Definitely, all services should be off until the user can enable them
later when they actually need them.  Let newbie users learn on the newbie
list when they want to use something. If not, they WILL get cracked.
A newbie who installs a fresh LM7.1 and does not know to get updates,
WILL be r00ted because of the rpc.statd and wu-ftpd services running.

No one except experts *may* need sunrpc (port 111) service, and they
want a chance to set it up before turning on the service.

The only service that should be on is sshd with tcp-wrappers set to
localhost or LAN. Have OpenSSH sshd installed by default for the user, and
prompt them for a passphrase, RSA (ssh1) and DSA (ssh2), to put in the
~user/.ssh/ directory.

The *ONLY* /etc/inetd.conf services possibly installed should be no more than
ftp and telnet WITH tcp-wrappers set to allow ONLY from localhost or LAN.

Set up a good default /etc/rc.d/rc.firewall (well commented) which blocks
spoofing attempts, etc.

No users (not even server installs) need httpd, postfix, pop3, imap, named,
snmpd, linuxconf, webmin, portmap, netfs, xfs (only for remote X-sessions),
kheader (?), pcmcia (only for laptops), pretty much all K* services,
etc. until they NEED to use them and have configured them properly. If the
Mandrake install process has set up good (secure) defaults, then the user only
needs to 'service xxx start' to start using it.

Try and chroot jail as many services as possible, like postfix and named dns.

I only have the following in my rc3.d and rc5.d directories for a server
that has X installed...
    S09sound -> ../init.d/sound*
    S10network -> ../init.d/network*
    S20random -> ../init.d/random*
    S30syslog -> ../init.d/syslog*
    S40crond -> ../init.d/crond*
    S50inet -> ../init.d/inet*              # tcp-wrapped ftp and telnet
    S55named -> ../init.d/named*            # chroot'ed DNS
    S55sshd -> ../init.d/sshd*
    S80postfix -> ../init.d/postfix*
    S85httpd -> ../init.d/httpd*
    S85numlock -> ../init.d/numlock*
    S99local -> ../rc.local*

I only turn on gpm (console mouse) and kudzu (hardware detect) as required.
I also install the secure kernel, msec 3, run bastille-linux, install
portsentry and logcheck (from http://www.psionic.com).

My 2+1 cents (tax in Canada) ;)

Thanks... Dan.
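The boot-time service audit the post argues for, as an added example that is not part of the original message or of any Mandrake tool. It walks an rcN.d directory the way the post's own listing does, reports every S* link whose service is not on an allow-list, and prints the `chkconfig` commands that would turn those services off. The allow-list is an assumption built from the post's rc3.d listing with inet, named, postfix and httpd left out (the post says those stay off until configured); the sample rc3.d is constructed in a temp directory so the script runs offline. The `S11portmap` entry is added to the sample to show the audit catching something the post does not list.

```shell
#!/bin/sh
# Hypothetical boot-service audit (added example, not from the original post).
# Lists services started from an rcN.d directory that are not on an allow-list
# and prints the chkconfig commands that would disable them.

# Assumed allow-list: the post's rc3.d services minus the network daemons the
# post says should stay off until the user has configured them.
ALLOWED="sound network random syslog crond sshd numlock local"

# audit_rcdir DIR: print, one per line, the service names behind S??* links
# in DIR that are not in ALLOWED. Order is the glob (boot) order.
audit_rcdir() {
    dir="$1"
    for link in "$dir"/S[0-9][0-9]*; do
        # If the glob matched nothing, the literal pattern is left behind.
        [ -e "$link" ] || [ -L "$link" ] || continue
        # S55named -> named, S99local -> local
        name=$(basename "$link" | sed 's/^S[0-9][0-9]//')
        case " $ALLOWED " in
            *" $name "*) ;;          # allowed: say nothing
            *) echo "$name" ;;       # not allowed: report it
        esac
    done
}

# disable_cmds DIR: print the chkconfig commands that would switch each
# reported service off in every runlevel (printed, not executed).
disable_cmds() {
    audit_rcdir "$1" | while read -r svc; do
        echo "chkconfig $svc off"
    done
}

# make_sample_rcdir: build a constructed rc3.d mirroring the post's listing,
# plus S11portmap, under a fresh temp directory. Prints the directory path.
make_sample_rcdir() {
    d=$(mktemp -d) || exit 1
    mkdir -p "$d/init.d" "$d/rc3.d"
    for s in sound network portmap random syslog crond inet named sshd \
             postfix httpd numlock; do
        : > "$d/init.d/$s"
    done
    : > "$d/rc.local"
    (
        cd "$d/rc3.d" || exit 1
        ln -s ../init.d/sound   S09sound
        ln -s ../init.d/network S10network
        ln -s ../init.d/portmap S11portmap   # not in the post; should be caught
        ln -s ../init.d/random  S20random
        ln -s ../init.d/syslog  S30syslog
        ln -s ../init.d/crond   S40crond
        ln -s ../init.d/inet    S50inet
        ln -s ../init.d/named   S55named
        ln -s ../init.d/sshd    S55sshd
        ln -s ../init.d/postfix S80postfix
        ln -s ../init.d/httpd   S85httpd
        ln -s ../init.d/numlock S85numlock
        ln -s ../rc.local       S99local
    )
    echo "$d"
}

# Stand-alone run: audit the constructed directory and show the fix-up commands.
if [ "${AUDIT_DEMO:-1}" = 1 ] && [ -z "${AUDIT_NO_MAIN:-}" ]; then
    sample=$(make_sample_rcdir)
    echo "Services enabled in $sample/rc3.d that are not on the allow-list:"
    audit_rcdir "$sample/rc3.d"
    echo "To disable them:"
    disable_cmds "$sample/rc3.d"
    rm -rf "$sample"
fi
```

On a real box the same functions would be pointed at /etc/rc.d/rc3.d and /etc/rc.d/rc5.d; the allow-list is the thing to argue about per install, which is why it is a single variable at the top.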


