Hello Noah

> -----Original Message-----
> From: Noah L. Meyerhans [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, June 19, 2001 7:59 AM
> To: Debian Security List
> Subject: Re: rlinetd security

[snip]

>
> I do care. I often disable inetd completely, if the server in question
> doesn't need any of what it offers.

[snip]

Interesting thought... I wonder if I can get away with that easily?

> I do think it's worth discussing whether the policy should be "on by
> default" or "off by default". Not just for the simple services, but for
> all services that get installed. Which option leaves more work to be
> done by the admin? In the current "on by default" state, you install a
> new system and go through /etc/rc?.d/ and /etc/inetd.conf and turn off
> things that you don't need, or uninstall them completely. Is that
> less time consuming for the admin than requiring them to go over the
> same directories and files and explicitly enable the services they want?
> I am not sure, but I expect it might not be. And I know it would be
> safer to leave services off by default. There are a lot of incompetent
> admins out there, and while "off by default" might generate a bit more
> traffic on -user, it is likely to save some of them some major grief.

Doesn't it really depend on the use of the machine and the competency of the admin? Can (should) options be made for say Firewall, Personal System, Default or by experience level? This is starting to sound too much like Microsoft:).

My real concern is for people like me. I know a lot about computers (over 20 years of experience). But, I don't have much experience with security. I don't know a lot about many of the packages in Linux. When I first loaded Linux on a machine, I wanted it to be at least functional (whatever that means). So there should be a base install that does that. For this the policy of "on by default" works best.

Then there is the last install I performed, a firewall. This should be very minimal and I should have to choose what to put on the box or add it in later. Yes, the assumption that I know what I am doing (mostly) is reasonable. Here the policy should be 'off by default'.

The next problem, and you mention it in the incompetent admins, is there is a large group of people that are installing Linux as firewalls to their home intranets to a DSL or Cable connection. These people have no clue what they are getting into. (I still don't believe how often the firewall gets port scanned and hit with attempted compromises.) What do we want their machines to do? (They won't know enough at first to deal with security.) I am sure that some of you feel they shouldn't do this if they don't know what they are doing, but the reality is they don't care what you think. I don't want to deal with these machines getting compromised and then attacking us.

As I write this it becomes a little clearer to me that we need to protect the net and ourselves. This may make it harder for the newbie to learn (and more work for us when we install). I would have to recommend that the "off by default" would be the safer policy. (But then again, who am I?)

Pat Moffitt
MIS Administrator
Western Recreational Vehicles, Inc.

