> Dennis Clarke wrote:
>>> Hi,
>>>
>>> Just out of curiosity I ran this on my home PC while logged into JDS:
>>>
>>> netstat -an | grep LISTEN
>>>
>>
>> I think that ipfilter does a nice job of dealing with that. I generally
>> configure ipfilter by default and only allow in ( or out ) the packets
>> that I want, from where I want and to where I want.
>>
>> That's the best way I think.
>>
>
> True. It should make sense for the installer to provide the ability
> to enable pre-canned basic IPfilter rules - discussion for another list.

Well, I figure that if a system boots with nothing but sshd listening then that is a good start.

What I find very odd is that the LOM on most of the SunFire x86 gear provides ssh support while the UltraSparc units are clear text telnet to their LOM. To me that is a far greater security concern. For the most part people do access the LOM on a V210/V240 etc via a separate subnet that is nowhere "near" the production world but you just never know. I find the very idea of submitting a root password to my console over telnet in the clear as totally unacceptable under ALL circumstances.

A truckload of GNOME stuff with ports open .. not too too bad with ipfilter engaged.

In any case ... you are correct .. this is somewhat OT here.

Dennis
