On Fri, Jan 19, 2001 at 03:43:25PM -0800, Duane Clark wrote:
> John wrote:
> > > -----Original Message-----
> > > From: Duane Clark [mailto:[EMAIL PROTECTED]]
> > > Sent: Friday, January 19, 2001 2:54 PM
> > > To: [EMAIL PROTECTED]
> > > Subject: Re: Ramen worm
> > >
> > >
> > > For professional sys-admins caught by this, I would completely agree.
> > > But RH is also being sold to home users for home use, many of them
> > > complete Linux/unix newbies, and who are increasingly
> > > attaching them to
> > > DSL connections. So in my opinion, the default setup should
> > > be extremely
> > > restrictive, with virtually all services disabled. The
> > > professionals and
> > > more experienced Linux users should be capable of turning on the ones
> > > they want.
> > > Duane
> > Isn't that already the case if you simply do a workstation install? I just
> > took a quick glance over the comps file for RHL 6.2, and unless one
> > 'opts-in' for some of the server items, I think sendmail is about the only
> > server type app that gets installed.
> > John
> Well, of course the first part of my message was this quote:
> > > There are those who say that previous Red Hat releases were full of
> > > holes caused by the way Red Hat set things up in a default
> > > install... Welp... lemme repeat myself:
> Yes, the last two versions of RH were much better in this respect.
> Though I cannot imagine why a home user would want to run sendmail,
> which in the past did not have a very good reputation in the security
> department. Though I admit I have not kept current on the status of
> sendmail since I have not run it for several years.
Sendmail used to be called "the bug of the month club". That
was years ago and they have not been able to shake that reputation.
Now, I think Eric has it pretty solid. I trust it MORE than I trust
QMail (but that's another story). I've worked on (as in made code
contributions to) sendmail, mmdf, smail 2.x, and smail 3.x. I've
also run QMail and Postfix. I love Postfix. I detest QMail. Trying
to read the QMail source code gives me a headache. Sendmail is STILL
the workhorse that drives the networks I'm responsible for.
The "A number 1" WORST thing, security-wise, in the RedHat
install is the $#@$#@ "install everything" check-off. That's the
"don't push this button" lure that nails every idiot who doesn't know
what he wants to install so he figures this will get what he wants.
RedHat 6.2 was still installing rsh and rlogin for God's sake.
They also had empty (i.e. insecure) hosts.allow and hosts.deny. At
least they DID plug in decent values for /etc/securetty and start
adding lsof to the install, so they ARE getting better with time. At
one point, Bastille on top of RedHat was the only reasonable starting
point I would recommend for anyone. RedHat 7.0 is better (hey, they
even put in xinetd) but still not great and it's so unstable that of the
three installations we've tried, one got jerked in under a day and the
others lasted less than a month before "upgrading" to 6.2 and clamping
down on the security. I wouldn't put 7.0 in a production system at
this point.
At one point Turbo Linux was making a valiant effort at being
more of a security conscientious distribution. (Note: In this and
in one of my previous messages I explicitly use the term "was" on purpose.
The "past tense" is deliberate and intentional. They've gone down hill
since the departure of John Terpstra, though I don't know if that's
related.) For a long time, they have been reasonably secure OOB (Out
Of the Box) and you had to go to some effort to make them insecure.
They were roughly on the same level as "RedHat + Bastille" and having
a Workstation CD and Server CD was a plus (the workstation didn't even
turn on sendmail as a service). There are other distros better on the
security front than RedHat.
But RedHat IS making improvements, no argument there. They just
really REALLY need to take to heart that you make it as secure as possible
out of the box and let the user make it less secure. You NEVER let the
defaults be insecure and require the user/administrator to work to make
it more secure.
Historically, the RedHat .1 releases have been security disasters.
If you look at 4.1, 5.1, and 6.1, each has been referred to as "a network
OS from hell" in the security community. I hope to God that 7.1 does not
follow suit.
Time will tell.
> Duane
Mike
--
Michael H. Warfield | (770) 985-6132 | [EMAIL PROTECTED]
(The Mad Wizard) | (678) 463-0932 | http://www.wittsend.com/mhw/
NIC whois: MHW9 | An optimist believes we live in the best of all
PGP Key: 0xDF1DD471 | possible worlds. A pessimist is sure of it!
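The empty hosts.allow/hosts.deny pair Mike mentions is insecure because tcp_wrappers consults hosts.allow first, then hosts.deny, and allows anything that matches neither file. The following is an added audit example, not code from the thread or from Red Hat: it builds constructed sample files (the empty hosts.deny beside a default-deny one with a matching hosts.allow), and the function and file names are assumptions of this example.

```sh
#!/bin/sh
# Audit helper for the tcp_wrappers state discussed above: with an empty
# /etc/hosts.allow and /etc/hosts.deny, every wrapped service accepts
# connections from any host, because a request matching neither file is
# allowed by default. A hardened setup puts "ALL: ALL" in hosts.deny and
# lists only the wanted daemons and networks in hosts.allow.

# Return 0 when the given hosts.deny carries an uncommented catch-all
# "ALL: ALL" rule, 1 otherwise (missing file or the insecure empty state).
has_default_deny() {
    deny_file="$1"
    [ -f "$deny_file" ] || return 1
    # Strip comments and all whitespace so "ALL :  ALL" and "ALL: ALL"
    # both normalise to "ALL:ALL"; an optional ":option" suffix is allowed.
    sed -e 's/#.*//' -e 's/[[:space:]]//g' "$deny_file" \
      | grep -q -i -E '^ALL:ALL(:.*)?$'
}

# Create constructed sample files in a temp dir and print its path.
make_samples() {
    dir=$(mktemp -d)
    # Weak: the empty hosts.deny the message says RedHat 6.2 shipped.
    : > "$dir/hosts.deny.empty"
    # Hardened: deny everything by default ...
    cat > "$dir/hosts.deny.hardened" <<'EOF'
# Default deny for every tcp_wrappers-controlled service
ALL: ALL
EOF
    # ... and open only what the administrator explicitly wants.
    cat > "$dir/hosts.allow.hardened" <<'EOF'
# Example: ssh from the local subnet only (constructed sample network)
sshd: 192.168.1.0/255.255.255.0
EOF
    printf '%s\n' "$dir"
}

# Human-readable verdict; on a live system run: audit_wrappers /etc/hosts.deny
audit_wrappers() {
    if has_default_deny "$1"; then
        echo "$1: catch-all deny present (good)"
    else
        echo "$1: no catch-all deny; wrapped services are open to all hosts"
    fi
}

if [ -z "${NO_DEMO:-}" ]; then
    d=$(make_samples)
    audit_wrappers "$d/hosts.deny.empty"
    audit_wrappers "$d/hosts.deny.hardened"
fi
```

Note that tcp_wrappers only governs daemons that are linked against libwrap or started through tcpd/xinetd, so this check says nothing about services that bypass the wrapper.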
_______________________________________________
Redhat-list mailing list
[EMAIL PROTECTED]
https://listman.redhat.com/mailman/listinfo/redhat-list