> On Mon, Dec 07, 1998 at 01:10:01AM -0800, Javilk wrote:
> >      Suggestions on other lists are to check your /etc/inetd.conf file,
> > turn off just about everything unless you are sure you need it.  You don't
> > need shell, login, telnet, etc. in most cases if you do not have other
> > people log in to your machine. If you are not serving FTP, turn that off
> > too.  Imapd has some security bug in it, so it should either be turned
> > off, or replaced if you really, really need it.

And then Rich Kulawiec writes:
> I second this recommendation.  You should explicitly turn off every
> service that you don't need, which in part involves commenting things

     This is something I've been dwelling on recently, mainly because
I spent a lot of hours last week trying to get SATAN working.  SATAN
is a tool for detecting weaknesses in your network security.  This got
me to thinking of the by-now-standard advice for security, which is to
turn off everything you don't explicitly want on.  

     Most Unix systems come with everything "on" by default.  Most
UNIX systems are *not* administratable from a central, easy-to-use
tool, but if they were, it'd be nice to have a spot where you could
choose a level of security ranging from open to paranoid.  Instead why
not have an active analog to SATAN, call it "LOCKDOWN", which, when
run, goes around doing all it can to configure a box for minimal
exposure?

     It also reminded me of Dan Farmer's advice after his '97
"non-invasive penetration study", where he found that about 2/3 of the
high profile sites on the net (banks, gov't systems, etc) appeared to
be running stuff with known, exploitable security flaws.  His paper
made the point that most often the security risk comes from many
different systems on one box, hence suggesting that high-profile sites
may want to separate different services out to separate boxes.

     I like this idea for many reasons; redundancy, ease of upgrading
hardware for specific purposes, one service going down can't hose the
whole box, etc.  But for most people it's impractical.

Steven J. Owens
[EMAIL PROTECTED]

(OpenBSD, I'm told by various folks, is more secure than Linux.
 Exactly what that means and why is another question.  One person
 suggested to me that people claim that about OpenBSD because it's
 statistically given less attention by crackers, and hence you don't
 hear about it as often.)
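The "LOCKDOWN" idea above, applied to the inetd.conf advice quoted at the top, as an added example (not code from the thread or from SATAN): a small POSIX shell script that lists which inetd services are enabled and writes a copy of the file in which every service not on an allowlist is commented out. It assumes the classic inetd.conf layout (service, socket type, protocol, wait/nowait, user, server, args) and uses a constructed sample file, not any real host's configuration.

```shell
#!/bin/sh
# Added example, not from the original thread: a "lockdown" pass over an
# inetd.conf-style file.  Assumed layout per line:
#   service  socket-type  proto  wait/nowait  user  server  args
# The allowlist is a space-separated list of service names (assumption).

# Constructed sample inetd.conf for the demo (not a real host's file).
SAMPLE_INETD_CONF='# Sample inetd.conf (constructed)
ftp     stream  tcp  nowait  root   /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp  nowait  root   /usr/sbin/tcpd  in.telnetd
#shell  stream  tcp  nowait  root   /usr/sbin/tcpd  in.rshd
login   stream  tcp  nowait  root   /usr/sbin/tcpd  in.rlogind
imap    stream  tcp  nowait  root   /usr/sbin/tcpd  imapd
finger  stream  tcp  nowait  nobody /usr/sbin/tcpd  in.fingerd
'

# enabled_services FILE
#   Print, one per line, the names of services whose lines are not commented out.
enabled_services() {
    awk '
        /^[[:space:]]*#/ { next }   # commented-out service: ignore
        /^[[:space:]]*$/ { next }   # blank line: ignore
        { print $1 }                # first field is the service name
    ' "$1"
}

# count_enabled FILE
#   Number of enabled services, as a bare integer.
count_enabled() {
    enabled_services "$1" | wc -l | tr -d ' '
}

# lockdown FILE ALLOWLIST
#   Print a copy of FILE in which every enabled service not named in ALLOWLIST
#   is commented out with a #LOCKDOWN# marker, so the change is easy to audit
#   and to revert.  Comments and blank lines pass through untouched.
lockdown() {
    awk -v allow="$2" '
        BEGIN {
            n = split(allow, a, " ")
            for (i = 1; i <= n; i++) keep[a[i]] = 1
        }
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { print; next }
        ($1 in keep) { print; next }
        { print "#LOCKDOWN# " $0 }
    ' "$1"
}

# demo: show the before/after view on the constructed sample.
demo() {
    tmp=$(mktemp)
    printf '%s' "$SAMPLE_INETD_CONF" > "$tmp"
    echo "Enabled before lockdown:"
    enabled_services "$tmp"
    lockdown "$tmp" "ftp" > "$tmp.locked"
    echo "Enabled after lockdown (allowlist: ftp):"
    enabled_services "$tmp.locked"
    rm -f "$tmp" "$tmp.locked"
}

if [ "${1:-}" = "demo" ]; then
    demo
fi
```

Run it as `sh lockdown.sh demo` to see the sample file go from five enabled services (ftp, telnet, login, imap, finger) to one. On a real system the hardened output would be reviewed and then installed in place of /etc/inetd.conf, followed by a HUP to inetd; the marker line keeps the original entries visible so a service can be re-enabled by hand if something turns out to be needed.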
