On Thu, July 28, 2005 1:25 pm, John Carter said:
> On Thu, 28 Jul 2005, Nick Rout wrote:
>
>> I agree, people were critical when distros shipped with many services
>> turned on. We cannot have it both ways. Although X11 is network friendly,
>> most people in fact have very little use for this. The situation of
>> server + X terminals is far less common than standalone X servers (ie
>> connecting only to clients on the same box).
>
> I call it concrete block security.
>
> It's secure because it does nothing useful.
>
> It's the wrong fix for the problem. For example access via ssh can be
> turned off in so many places (sshd not installed, not enabled in
> xinetd.conf, disabled in pam (several places), firewalled out, ....) that
> on some distros it can be a day or two's effort to get it working.
> (Especially since several things can be broken at once, debugging is
> hard.)
>
> Apache is getting like that too. Every time I install and tweak it, I have
> to fight httpd.conf, xinetd.conf, firewall, security permissions at the
> httpd level, security permissions at the unix level, security permissions
> on every path element on the way to the document I want displayed and in
> httpd directory security permissions. Sometimes I'm gently amazed it ever
> works.

I must admit to not using (x)inetd to start my web server or ssh, and
leave them always on. You did miss the dns setup for virtual servers tho' (:

> Thus if everything is "off by default" the task of getting it to work can
> be just too hard. Instead of Linux saving you time, configuring it around
> paranoid security loses you time.

I think this is where the difference should be made between using linux as
a desktop or a server. For the former, I agree, but not for the latter. The
time lost in manually configuring services in a server environment will be
repaid many times over, if only in peace of mind.

> All the services have good enough authentication mechanisms, but bugs in
> the service permit security breaches.
>
> Thus the right fix is not to disable everything, but to fix the @^%#
> bugs.

I think that does imply perfection on the part of the coder, which also
implies there aren't any bugs there in the first place! New bugs will
always appear, as long as there are people in this world attempting to
abuse the service.

> John Carter                  Phone : (64)(3) 358 6639
> Tait Electronics             Fax   : (64)(3) 359 4632
> PO Box 1645 Christchurch     Email : [EMAIL PROTECTED]
> New Zealand
>
> Carter's Clarification of Murphy's Law.
>
> "Things only ever go right so that they may go more spectacularly wrong
> later."
>
> From this principle, all of life and physics may be deduced.

My $0.02,
Steve

PS. Anyone know where I can get an 18GB/10,000rpm SCSI disk for my Compaq
DL360 (or a bigger pair of disks)? My boot disk has just died. Proof you
should never switch stuff off - listen to the ldots (:

--
Windows: Where do you want to go today?
MacOS:   Where do you want to be tomorrow?
Linux:   Are you coming or what?
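The "day or two's effort" John Carter describes comes from not knowing which of several independent layers is the one refusing ssh. The script below is an added example, not code from this thread or from any distro: it walks those layers in the order the quoted message lists them (daemon binary, xinetd stanza, PAM, firewall) and stops at the first one that blocks. The file paths it inspects (/usr/sbin/sshd, /etc/xinetd.d/ssh, /etc/pam.d/sshd, /etc/nologin, /etc/sysconfig/iptables) are assumed typical locations for that era, not something the thread specifies, and the optional root argument exists so the same checks can be run against a constructed directory tree instead of the live box.

```shell
#!/bin/sh
# Added example: report the first layer that switches ssh access off.
# Usage: ssh_layers            (inspect the live system, root = /)
#        ssh_layers /some/tree (inspect a constructed tree; used for testing)
# Exit status: 0 = nothing found blocking, 1..4 = the layer that blocks.
# All paths below are assumptions about a typical layout, not thread facts.
ssh_layers() {
    root="${1:-}"

    # Layer 1: is the daemon installed at all?
    if [ -x "$root/usr/sbin/sshd" ]; then
        echo "binary:   installed"
    else
        echo "binary:   MISSING (install the openssh server package)"
        return 1
    fi

    # Layer 2: when sshd is run from xinetd, 'disable = yes' in its stanza
    # wins over everything below it.
    stanza="$root/etc/xinetd.d/ssh"
    if [ -f "$stanza" ] && grep -Eq '^[[:space:]]*disable[[:space:]]*=[[:space:]]*yes' "$stanza"; then
        echo "xinetd:   DISABLED in $stanza"
        return 2
    fi
    echo "xinetd:   not blocking"

    # Layer 3: PAM can refuse every login even though sshd is up and
    # listening: an uncommented pam_deny.so in the sshd stack, or
    # /etc/nologin honoured by pam_nologin.
    pamfile="$root/etc/pam.d/sshd"
    if [ -f "$pamfile" ] && grep -Eq '^[^#]*pam_deny\.so' "$pamfile"; then
        echo "pam:      DENIED by pam_deny.so in $pamfile"
        return 3
    fi
    if [ -f "$root/etc/nologin" ]; then
        echo "pam:      DENIED, $root/etc/nologin exists"
        return 3
    fi
    echo "pam:      not blocking"

    # Layer 4: the packet filter. Offline we read a saved ruleset; on a live
    # box 'iptables -S INPUT' prints rules in the same form.
    rules="$root/etc/sysconfig/iptables"
    if [ -f "$rules" ] && grep -Eq '^-A INPUT .*--dport 22 .*-j (DROP|REJECT)' "$rules"; then
        echo "firewall: port 22 DROPPED/REJECTED in $rules"
        return 4
    fi
    echo "firewall: not blocking"
    return 0
}
```

Source the file and call `ssh_layers` with no argument on the machine that will not answer; the exit status tells you which layer to fix first, which is the point: checking the layers in a fixed order beats guessing when, as the quoted message notes, several of them may be broken at once.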
