Re: services installed and running "out of the box"

2003-09-30 Thread Michael Stone
On Tue, Sep 30, 2003 at 04:30:44PM +0200, Javier Fernández-Sanguino Peña wrote: Wrong. The kernel shipped in Debian does provide firewalling capabilities. Also, the iptables package is part of the default installation (Priority: standard) No, right. There is no configuration provided, making t

Re: services installed and running "out of the box"

2003-09-30 Thread Javier Fernández-Sanguino Peña
On Mon, Sep 29, 2003 at 12:06:43AM -0400, Phillip Hofmeister wrote: > I would consider implementing an iptables firewall (whether it be > shorewall or home brewed (if you know what you are doing)) to be a bare > minimum for best-practices. > > Unfortunately (unlike RedHat and Mandrake) Debian offe

Re: services installed and running "out of the box"

2003-09-30 Thread Dale Amon
On Tue, Sep 30, 2003 at 08:51:45AM +0200, Detlef Johanning wrote: > >My business is just like yours. Since I've always managed the > >/etc/rc?.d directories by hand the [trivial] solution for me > >is to remove the symlinks the install scripts create. You can > >also use update-rc or whatever Deb

Re: services installed and running "out of the box"

2003-09-30 Thread Detlef Johanning
At 16:14 29.09.2003, you wrote: On Mon, Sep 29, 2003 at 11:02:53AM +0100, Dale Amon wrote: > > There is another common case I'd not mentioned. Since I do a lot > of development work, I tend to have a *lot* of servers installed > on my laptop, ready to run, but only when I need them. I do this >

Re: services installed and running "out of the box"

2003-09-29 Thread Adam ENDRODI
On Mon, Sep 29, 2003 at 11:02:53AM +0100, Dale Amon wrote: > > There is another common case I'd not mentioned. Since I do a lot > of development work, I tend to have a *lot* of servers installed > on my laptop, ready to run, but only when I need them. I do this > entirely manually at present. I'd

Re: services installed and running "out of the box"

2003-09-29 Thread Dale Amon
On Mon, Sep 29, 2003 at 12:06:43AM -0400, Phillip Hofmeister wrote: > On Fri, 26 Sep 2003 at 12:53:26PM -0400, Dale Amon wrote: > > Precisely. One cannot just install the packages and services > > one wants. One must step outside the package system to fix > > the problem, and continue to do so the

Re: services installed and running "out of the box"

2003-09-28 Thread Phillip Hofmeister
On Fri, 26 Sep 2003 at 12:53:26PM -0400, Dale Amon wrote: > Precisely. One cannot just install the packages and services > one wants. One must step outside the package system to fix > the problem, and continue to do so thereafter in the future. > > A

Re: services installed and running "out of the box"

2003-09-28 Thread Florian Weimer
On Fri, Sep 26, 2003 at 04:29:45AM -0300, Peter Cordes wrote: > On Fri, Sep 26, 2003 at 12:51:35AM -0400, Matt Zimmerman wrote: > > What is so difficult? No web server is installed by default. If you don't > > want one, don't install one. > > Dependencies. Exactly. Please, please make freshl

Re: services installed and running "out of the box"

2003-09-27 Thread Jean Christophe ANDRÉ
Hi *, Matt Zimmerman écrivait : > Having a web server listen on a particular interface should not be > controlled by whether or not a particular package is installed. > It should be controlled by the configuration of the package. What about giving this configuration a default value taken

Re: services installed and running "out of the box"

2003-09-27 Thread Bernd Eckenfels
In article <[EMAIL PROTECTED]> you wrote: > We can see it the other way: why bother the user with the details > of running a service if the clued ones can easily stop or disable > the installed daemons until they are configured properly? We scare because we care. Greetings Bernd -- eckes privat

Re: services installed and running "out of the box"

2003-09-26 Thread Adam ENDRODI
On Thu, Sep 25, 2003 at 11:12:28AM +1200, Steve Wray wrote: > > At high security levels, any new services that get installed (from RPMs) > are only allowed from localhost or even, IIRC, services may not even > be started by default, neither post-install nor on reboot: you have to > set them up man

Re: services installed and running "out of the box"

2003-09-26 Thread Matt Zimmerman
On Fri, Sep 26, 2003 at 09:37:22PM +0200, Marcin Owsiany wrote: > On Fri, Sep 26, 2003 at 02:06:01PM -0400, Matt Zimmerman wrote: > > He wants the service, he just wants it only for local use. That is not > > something that should be handled at the package level. > > Why not? The boot-floppies a

Re: services installed and running "out of the box"

2003-09-26 Thread Marcin Owsiany
On Fri, Sep 26, 2003 at 02:06:01PM -0400, Matt Zimmerman wrote: > He wants the service, he just wants it only for local use. That is not > something that should be handled at the package level. Why not? The boot-floppies already set the locale for the whole system. I think it would be nice if the

Re: services installed and running "out of the box"

2003-09-26 Thread Bernd Eckenfels
In article <[EMAIL PROTECTED]> you wrote: > Until installing a package has the side effect of installing a network > service. Having a default-deny-incoming firewall or some such would go a > long way toward preventing accidental vulnerability exposure. On the other hand this pretty much sounds li

Re: services installed and running "out of the box"

2003-09-26 Thread Matt Zimmerman
On Fri, Sep 26, 2003 at 05:52:54PM +0100, Dale Amon wrote: > On Fri, Sep 26, 2003 at 10:44:21AM -0400, Matt Zimmerman wrote: > > On Fri, Sep 26, 2003 at 02:52:27PM +0100, David Wright wrote: > > > Where does one go from here? > > > > If you only want the web server for reading documentation, reco

Re: services installed and running "out of the box"

2003-09-26 Thread Dale Amon
On Fri, Sep 26, 2003 at 10:44:21AM -0400, Matt Zimmerman wrote: > On Fri, Sep 26, 2003 at 02:52:27PM +0100, David Wright wrote: > > Where does one go from here? > > If you only want the web server for reading documentation, reconfigure the > web server to only listen on localhost. Precisely. One

Re: services installed and running "out of the box"

2003-09-26 Thread Matt Zimmerman
On Fri, Sep 26, 2003 at 02:52:27PM +0100, David Wright wrote: > Quoting Matt Zimmerman ([EMAIL PROTECTED]): > > > It can be damnably difficult to dump the web server... I've ended > > > up downloading dhttpd and then removing links or changing the > > > init.d/dhttpd file name. > > > > What is so

Re: services installed and running "out of the box"

2003-09-26 Thread Ted Cabeen
David Wright <[EMAIL PROTECTED]> writes: > Quoting Matt Zimmerman ([EMAIL PROTECTED]): >> On Wed, Sep 24, 2003 at 09:54:05PM +0100, Dale Amon wrote: >> > On Wed, Sep 24, 2003 at 03:59:28PM -0400, Noah L. Meyerhans wrote: >> > > For starters, I think portmap, rpc.statd, and inetd should not run by

Re: services installed and running "out of the box"

2003-09-26 Thread David Wright
Quoting Matt Zimmerman ([EMAIL PROTECTED]): > On Wed, Sep 24, 2003 at 09:54:05PM +0100, Dale Amon wrote: > > > On Wed, Sep 24, 2003 at 03:59:28PM -0400, Noah L. Meyerhans wrote: > > > For starters, I think portmap, rpc.statd, and inetd should not run by > > > default. Not running a mail server (o

Re: services installed and running "out of the box"

2003-09-26 Thread Matt Zimmerman
On Fri, Sep 26, 2003 at 04:29:45AM -0300, Peter Cordes wrote: > On Fri, Sep 26, 2003 at 12:51:35AM -0400, Matt Zimmerman wrote: > > What is so difficult? No web server is installed by default. If you don't > > want one, don't install one. > > Dependencies. I've had the same annoying experienc

Re: services installed and running "out of the box"

2003-09-26 Thread Dale Amon
On Thu, Sep 25, 2003 at 06:05:13PM -0400, Michael Stone wrote: > That's been the policy, but it's stupid nowadays. It's too easy to > pull in an unexpected service when installing something with all the > tasks and dependency chains. There needs to be a mode where a user can > say, "I don't want

Re: services installed and running "out of the box"

2003-09-26 Thread Javier Fernández-Sanguino Peña
On Thu, Sep 25, 2003 at 07:33:00AM -0700, Adam Lydick wrote: > I like that idea, and it sounds fairly simple - packages just check > /etc/secure_level (or something similar) and do the "right thing". The > tricky part is convincing every package maintainer to adopt it ;) Well, Mandrake packages II

Re: services installed and running "out of the box"

2003-09-26 Thread Peter Cordes
On Fri, Sep 26, 2003 at 12:51:35AM -0400, Matt Zimmerman wrote: > On Wed, Sep 24, 2003 at 09:54:05PM +0100, Dale Amon wrote: > > It can be damnably difficult to dump the web server... I've ended > > up downloading dhttpd and then removing links or changing the > > init.d/dhttpd file name. > > What

Re: services installed and running "out of the box"

2003-09-26 Thread Matt Zimmerman
On Thu, Sep 25, 2003 at 12:34:34PM +0200, Javier Fernández-Sanguino Peña wrote: > The "base" installation is partially decided by the priority of the package > ('required', 'important', 'standard', 'optional', 'extra'). The > archive maintainers have the final word (that is the 'ftp.debian.org'

Re: services installed and running "out of the box"

2003-09-25 Thread Matt Zimmerman
On Wed, Sep 24, 2003 at 09:54:05PM +0100, Dale Amon wrote: > On Wed, Sep 24, 2003 at 03:59:28PM -0400, Noah L. Meyerhans wrote: > > For starters, I think portmap, rpc.statd, and inetd should not run by > > default. Not running a mail server (or perhaps only running one on the > > loopback interfa

Re: services installed and running "out of the box"

2003-09-25 Thread Michael Stone
On Thu, Sep 25, 2003 at 12:34:34PM +0200, Javier Fernández-Sanguino Peña wrote: The compromise in Debian has always been that a service that gets installed will be executed in a minimum configuration, if you don't want it, don't install it or remove it. That's been the policy, but it's stupi

Re: services installed and running "out of the box"

2003-09-25 Thread Siegbert Baude
Javier Fernández-Sanguino Peña schrieb: On Wed, Sep 24, 2003 at 03:59:28PM -0400, Noah L. Meyerhans wrote: For starters, I think portmap, rpc.statd, and inetd should not run by default. Not running a mail server (or perhaps only running one on the loopback interface) would be nice, too. A m

Re: services installed and running "out of the box"

2003-09-25 Thread Noah L. Meyerhans
On Thu, Sep 25, 2003 at 08:19:43AM +0200, Stefano Salvi wrote: > I think this is not wise: Only because you misunderstand my idea. > - Why I must have services installed that I cannot use (are not started by > default)? I didn't say anything about not starting by default. I said that they wou

Re: services installed and running "out of the box"

2003-09-25 Thread Javier Fernández-Sanguino Peña
On Thu, Sep 25, 2003 at 07:48:00AM -0700, Adam Lydick wrote: > I haven't done more than look at the screen shots for it, but the > "personal firewall" (eg: iptables frontend) that comes with RH9 looks to > be default deny for most incoming traffic while providing a nice (read: > graphical and strai

Re: services installed and running "out of the box"

2003-09-25 Thread Javier Fernández-Sanguino Peña
On Wed, Sep 24, 2003 at 03:59:28PM -0400, Noah L. Meyerhans wrote: > > > > What about a package like the harden-* package, but one that conflicts > > with packages that are pointless for a client/desktop system? > > Unless such a package is part of the standard installation, it's really > of no u

Re: services installed and running "out of the box"

2003-09-25 Thread Javier Fernández-Sanguino Peña
On Wed, Sep 24, 2003 at 01:42:01PM -0700, Adam Lydick wrote: > Is there any effort to reduce the number of services running on a > default debian install? For example: a typical workstation user doesn't > really need to have inetd enabled, nor portmap (unless they are running > fam or nfs -- which

Re: services installed and running "out of the box"

2003-09-25 Thread Guido Lorenzutti
On Thu, 2003-09-25 at 03:19, Stefano Salvi wrote: > At 22.16 24/09/03 -0400, Noah L. Meyerhans wrote: > >How 'bout this idea: We can create a user-definable policy as to whether > >or not newly installed packages that provide init scripts actually have > >these init scripts run during their post

Re: services installed and running "out of the box"

2003-09-25 Thread Stefano Salvi
At 22.16 24/09/03 -0400, Noah L. Meyerhans wrote: How 'bout this idea: We can create a user-definable policy as to whether or not newly installed packages that provide init scripts actually have these init scripts run during their postinst. So, we have a file in /etc/defaults or something that i

Re: services installed and running "out of the box"

2003-09-25 Thread Adam Lydick
I haven't done more than look at the screen shots for it, but the "personal firewall" (eg: iptables frontend) that comes with RH9 looks to be default deny for most incoming traffic while providing a nice (read: graphical and straightforward) way to punch essential holes through it as needed. (and o

Re: services installed and running "out of the box"

2003-09-25 Thread Adam Lydick
I like that idea, and it sounds fairly simple - packages just check /etc/secure_level (or something similar) and do the "right thing". The tricky part is convincing every package maintainer to adopt it ;) There are some "hardening" packages available, but I haven't had a chance to play with them y

Re: services installed and running "out of the box"

2003-09-25 Thread Adam Lydick
Agreed. The X maintainers (as one example) started doing that a while back. I run exim and a few other services like this (manually configured, sadly). On Wed, 2003-09-24 at 15:04, Florian Weimer wrote: > On Wed, Sep 24, 2003 at 01:42:01PM -0700, Adam Lydick wrote: > > > Is there any effort to r

RE: services installed and running "out of the box"

2003-09-24 Thread Jones, Steven
@lists.debian.org Subject: services installed and running "out of the box" Is there any effort to reduce the number of services running on a default debian install? For example: a typical workstation user doesn't really need to have inetd enabled, nor portmap (unless they are running fam

Re: services installed and running "out of the box"

2003-09-24 Thread Noah L. Meyerhans
On Wed, Sep 24, 2003 at 09:52:07PM -0400, Michael Stone wrote: > Except, what is "default"? If you install a workstation task should you > assume that you'll get open ports? (As the task packages pull in > dependencies, etc.) I think it makes more sense to provide a safety net > than to try to pred

Re: services installed and running "out of the box"

2003-09-24 Thread Michael Stone
On Wed, Sep 24, 2003 at 09:39:32PM -0400, Noah L. Meyerhans wrote: Well, remember that the scope of this discussion is the default Debian installation. Except, what is "default"? If you install a workstation task should you assume that you'll get open ports? (As the task packages pull in depend

Re: services installed and running "out of the box"

2003-09-24 Thread Noah L. Meyerhans
On Wed, Sep 24, 2003 at 09:01:26PM -0400, Michael Stone wrote: > Until installing a package has the side effect of installing a network > service. Having a default-deny-incoming firewall or some such would go a > long way toward preventing accidental vulnerability exposure. Well, remember that the

Re: services installed and running "out of the box"

2003-09-24 Thread Steve Wray
On Thu, 25 Sep 2003 12:16, Noah L. Meyerhans wrote: > On Thu, Sep 25, 2003 at 11:12:28AM +1200, Steve Wray wrote: > > For what it's worth, and without wanting a distro-religious war about it, > > Mandrake has a variety of security levels, which can be locally > > configured, and which can allow exac

Re: services installed and running "out of the box"

2003-09-24 Thread Michael Stone
On Wed, Sep 24, 2003 at 08:16:41PM -0400, Noah L. Meyerhans wrote: Basically, I think that "security levels" don't gain you anything over "don't install the package". Until installing a package has the side effect of installing a network service. Having a default-deny-incoming firewall or som

Re: services installed and running "out of the box"

2003-09-24 Thread Noah L. Meyerhans
On Thu, Sep 25, 2003 at 11:12:28AM +1200, Steve Wray wrote: > For what it's worth, and without wanting a distro-religious war about it, > Mandrake has a variety of security levels, which can be locally configured, > and which can allow exactly this sort of behavior; Honestly, I think we can get awa

Re: services installed and running "out of the box"

2003-09-24 Thread Steve Wray
For what it's worth, and without wanting a distro-religious war about it, Mandrake has a variety of security levels, which can be locally configured, and which can allow exactly this sort of behavior; At high security levels, any new services that get installed (from RPMs) are only allowed from loc

Re: services installed and running "out of the box"

2003-09-24 Thread Steve Wray
On Thu, 25 Sep 2003 12:16, Noah L. Meyerhans wrote: > On Thu, Sep 25, 2003 at 11:12:28AM +1200, Steve Wray wrote: > > For what it's worth, and without wanting a distro-religious war about it, > > Mandrake has a variety of security levels, which can be locally > > configured, and which can allow exac

Re: services installed and running "out of the box"

2003-09-24 Thread Florian Weimer
On Wed, Sep 24, 2003 at 01:42:01PM -0700, Adam Lydick wrote: > Is there any effort to reduce the number of services running on a > default debian install? For example: a typical workstation user doesn't > really need to have inetd enabled, nor portmap (unless they are running > fam or nfs -- which

Re: services installed and running "out of the box"

2003-09-24 Thread Dale Amon
On Wed, Sep 24, 2003 at 03:59:28PM -0400, Noah L. Meyerhans wrote: > For starters, I think portmap, rpc.statd, and inetd should not run by > default. Not running a mail server (or perhaps only running one on the > loopback interface) would be nice, too. It can be damnably difficult to dump the we

Re: services installed and running "out of the box"

2003-09-24 Thread Noah L. Meyerhans
On Wed, Sep 24, 2003 at 01:59:16PM -0500, Ryan Underwood wrote: > > Is there any effort to reduce the number of services running on a > > default debian install? For example: a typical workstation user doesn't > > really need to have inetd enabled, nor portmap (unless they are running > > fam or nf

Re: services installed and running "out of the box"

2003-09-24 Thread Ryan Underwood
Hi, On Wed, Sep 24, 2003 at 01:42:01PM -0700, Adam Lydick wrote: > Is there any effort to reduce the number of services running on a > default debian install? For example: a typical workstation user doesn't > really need to have inetd enabled, nor portmap (unless they are running > fam or nfs --

services installed and running "out of the box"

2003-09-24 Thread Adam Lydick
Is there any effort to reduce the number of services running on a default debian install? For example: a typical workstation user doesn't really need to have inetd enabled, nor portmap (unless they are running fam or nfs -- which isn't enabled by default) Is this something that needs to be taken u
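An added example, not part of the thread and not code from any poster or from Debian: a small POSIX shell script that turns the two points argued above into something you can run. It covers Adam Lydick's question (which services on a default install are reachable from the network at all) and Michael Stone's proposed safety net (a default-deny-incoming firewall). The `ss` output layout, the constructed sample socket table, the port numbers and the use of the iptables conntrack match are my assumptions; the script only prints a ruleset and never changes the running system.

```shell
#!/bin/sh
# Added example for the thread above; it is not code from any of the posters
# or from Debian. It answers the two practical questions the thread raises:
# which installed services are actually reachable from the network, and what a
# default-deny-incoming iptables policy looks like.
#
# Assumptions (mine, not the thread's): `ss -ltun` style output with the local
# address in the fifth column, and the iptables "conntrack" match (the 2003-era
# spelling was "-m state --state"). Nothing here modifies the running system.

# Constructed sample of `ss -ltun` output, shaped like a stock install with
# portmap (111) and sshd exposed and the MTA bound to loopback only.
SAMPLE_SS_OUTPUT='Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
tcp   LISTEN 0      128    0.0.0.0:111        0.0.0.0:*
tcp   LISTEN 0      128    127.0.0.1:25       0.0.0.0:*
tcp   LISTEN 0      128    [::]:22            [::]:*
udp   UNCONN 0      0      127.0.0.1:323      0.0.0.0:*
udp   UNCONN 0      0      0.0.0.0:111        0.0.0.0:*'

# Print "proto local-address" for each listener bound to something other than
# loopback. Those are the ones a remote attacker can talk to; everything else
# is only a local-privilege concern. Reads ss/netstat-style lines on stdin.
list_exposed_listeners() {
    awk '
        $1 == "Netid" || NF < 5 { next }        # skip header and blank lines
        {
            addr = $5
            n = split(addr, part, ":")           # port is after the last colon
            host = substr(addr, 1, length(addr) - length(part[n]) - 1)
            if (host == "127.0.0.1" || host == "[::1]" || host == "::1") next
            print $1, addr
        }
    '
}

# Emit an iptables-restore ruleset: drop unsolicited inbound traffic, allow
# loopback, replies to our own connections, ICMP, and only the TCP ports given
# as arguments. Review it, then load it as root with:  iptables-restore < file
default_deny_ruleset() {
    printf '%s\n' '*filter' \
        ':INPUT DROP [0:0]' \
        ':FORWARD DROP [0:0]' \
        ':OUTPUT ACCEPT [0:0]' \
        '-A INPUT -i lo -j ACCEPT' \
        '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT' \
        '-A INPUT -m conntrack --ctstate INVALID -j DROP' \
        '-A INPUT -p icmp -j ACCEPT'
    for port in "$@"; do
        printf '%s\n' "-A INPUT -p tcp --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    done
    printf '%s\n' 'COMMIT'
}

# Stand-alone demo:  sh thisfile.sh demo
if [ "${1:-}" = "demo" ]; then
    echo '# exposed listeners in the sample:'
    printf '%s\n' "$SAMPLE_SS_OUTPUT" | list_exposed_listeners
    echo '# default-deny ruleset allowing only ssh:'
    default_deny_ruleset 22
fi
```

On a fresh install, `ss -ltun | list_exposed_listeners` gives you the short list of services worth turning off or rebinding to 127.0.0.1 (in the sample, portmap on 111/tcp and 111/udp, plus sshd). For the firewall, write the output of `default_deny_ruleset 22` to a file and run `iptables-restore --test < file` as root to check the syntax before committing it. The ESTABLISHED,RELATED rule is the one people forget: with an INPUT policy of DROP and without it, return traffic for the machine's own outbound connections is dropped too.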
