begin Jeff Waugh quotation:

> There's the default setup of the packages though - inetd and snmpd are
> two good examples of non-good defaults in Debian packages.
Hmm. My Debian server's installation-default /etc/inetd.conf went in like this:

    #:INTERNAL: Internal services
    #echo		stream	tcp	nowait	root	internal
    #echo		dgram	udp	wait	root	internal
    #chargen	stream	tcp	nowait	root	internal
    #chargen	dgram	udp	wait	root	internal
    discard		stream	tcp	nowait	root	internal
    discard		dgram	udp	wait	root	internal
    daytime		stream	tcp	nowait	root	internal
    #daytime	dgram	udp	wait	root	internal
    time		stream	tcp	nowait	root	internal
    #time		dgram	udp	wait	root	internal

    #:STANDARD: These are standard services.

    #:BSD: Shell, login, exec and talk are BSD protocols.

    #:MAIL: Mail, news and uucp services.
    smtp		stream	tcp	nowait	mail	/usr/sbin/exim exim -bs

    #:INFO: Info services

    #:BOOT: Tftp service is provided primarily for booting. Most sites
    #	run this only on machines acting as "boot servers."

    #:RPC: RPC based services

    #:HAM-RADIO: amateur-radio services

    #:OTHER: Other services

That's not bad. Of course, the default only lasted about five seconds. <grin> That's the result of that essential ingredient I mentioned.

> Every distro has this issue, it's a tough one to get right.

I leave this debate for those who're obliged to worry about systems lacking the essential ingredient. Any alert sysadmin will only run the services he's decided on running, have installed only CGI scripts he's checked and decided he needs, etc. If you want a system that installs with all possible services firmly disabled by default, use OpenBSD. But I personally found that approach to be ludicrous and a pain in the neck.

I haven't used SNMP lately, so can't check to see what you mean.

The other matter, which I alluded to briefly, strikes me as more of a real issue: Why should a distribution offer for installation as default selections BIND v. 8, sendmail, and wu-ftpd, in this day and age? Those all have hideously bad security histories, can be expected to have ongoing problems, and I'd not use any of them.
(Again, the alert sysadmin _can and will_ fix that, by yanking them out and replacing them with better-designed alternatives. But it's a nuisance.)

-- 
"Is it not the beauty of an asynchronous form of discussion that one can go and make cups of tea, floss the cat, fluff the geraniums, open the kitchen window and scream out it with operatic force, volume, and decorum, and then return to the vexed glowing letters calmer of mind and soul?"
-- The Cube, forum3000.org

-- 
SLUG - Sydney Linux User Group Mailing List - http://slug.org.au/
More Info: http://lists.slug.org.au/listinfo/slug
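The "alert sysadmin" check the post describes, going through inetd.conf and deciding which services actually stay enabled, can be scripted. The following is an added example and not code from the post or from Debian: it parses the classic inetd.conf line format (service, socket type, protocol, wait/nowait, user, server, arguments) over a constructed sample modelled on the quoted default, lists what is enabled, and flags the legacy internal services the poster would pull plus any external server still running as root. The review list is an assumption of this example, not something the post prescribes.

```python
"""Audit an inetd.conf for the services that are actually enabled.

Added example, not from the mailing-list post. Each active inetd.conf
line is
    service  socket_type  protocol  wait/nowait  user  server  [args...]
and a leading '#' comments the line out.
"""

# Constructed sample modelled on the Debian default quoted in the post.
SAMPLE_INETD_CONF = """\
#:INTERNAL: Internal services
#echo\t\tstream\ttcp\tnowait\troot\tinternal
#echo\t\tdgram\tudp\twait\troot\tinternal
discard\t\tstream\ttcp\tnowait\troot\tinternal
discard\t\tdgram\tudp\twait\troot\tinternal
daytime\t\tstream\ttcp\tnowait\troot\tinternal
#daytime\tdgram\tudp\twait\troot\tinternal
time\t\tstream\ttcp\tnowait\troot\tinternal
#time\t\tdgram\tudp\twait\troot\tinternal

#:MAIL: Mail, news and uucp services.
smtp\t\tstream\ttcp\tnowait\tmail\t/usr/sbin/exim exim -bs

#:BOOT: Tftp service is provided primarily for booting.  Most sites
#\trun this only on machines acting as "boot servers."
"""

# Legacy internal services a sysadmin normally does not need exposed.
# This list is an assumption of the example, not a rule from the post.
REVIEW_LIST = {"discard", "daytime", "time", "echo", "chargen"}


def parse_inetd_conf(text):
    """Return one dict per enabled (non-commented) service line."""
    enabled = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank or commented out: inetd ignores it
        fields = line.split()
        if len(fields) < 6:
            continue  # malformed line: inetd would log and skip it
        service, sock_type, proto, wait, user, server = fields[:6]
        enabled.append({
            "line": lineno,
            "service": service,
            "socket": sock_type,
            "proto": proto,
            "wait": wait,
            "user": user,
            "server": server,
            "args": fields[6:],
        })
    return enabled


def enabled_services(text):
    """Short 'service/proto' labels for every enabled entry."""
    return [f"{e['service']}/{e['proto']}" for e in parse_inetd_conf(text)]


def flag_for_review(text, review=REVIEW_LIST):
    """Enabled entries that are on the review list or that run an
    external program as root; returns (label, reasons) pairs."""
    flagged = []
    for e in parse_inetd_conf(text):
        reasons = []
        if e["service"] in review:
            reasons.append("legacy internal service on review list")
        if e["server"] != "internal" and e["user"] == "root":
            reasons.append("external server runs as root")
        if reasons:
            flagged.append((f"{e['service']}/{e['proto']}", reasons))
    return flagged


if __name__ == "__main__":
    for label in enabled_services(SAMPLE_INETD_CONF):
        print("enabled:", label)
    for label, reasons in flag_for_review(SAMPLE_INETD_CONF):
        print("review :", label, "-", "; ".join(reasons))
```

Run against the sample it reports discard (tcp and udp), daytime, time and smtp as enabled, and flags the first four for review; smtp passes because exim is started as the unprivileged mail user. Pointing `parse_inetd_conf` at the real /etc/inetd.conf gives the same inventory for a live host.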
