From: Brett Glass
To: Wes Peters, nbm@mithrandr.moria.org
Cc: security@freebsd.org
Date: Thu, 21 Sep 2000 18:32:48 -0600
Subject: Re: sysinstall DOESN'T ASK, dangerous defaults! (Was: Re: wats so special about freeBSD?)

At 04:40 PM 9/21/2000, Wes Peters wrote:

>Brett, did it ever occur to you THESE ARE THE DEFAULTS because MOST PEOPLE
>WANT THEM THAT WAY? Most people who install FreeBSD just want telnet, mail,
>and NFS to work,

IMHO:

Telnet is dangerous and should be disabled now that SSH is in common use and is not encumbered by patents. sshd should be on unless the user asks for it not to be. (He or she should still be asked.)

Mail should be an option that defaults to "on" but lets the user ask that it not be activated at install time. Many of us like to reconfigure before turning it on. And others will be using FreeBSD as a workstation and will be using an e-mail client.... Sendmail doesn't need to be running.

As for NFS: I would take issue with the assertion that most people want it on.
Also, last time I checked the default install of FreeBSD turned on /sbin/portmap even if the user explicitly asks for no NFS! This is unnecessary and is a security breach just waiting to happen.

>they don't want to spend hours agonizing over the configuration
>of every single computer they install.

I wind up spending hours agonizing over the configuration of every FreeBSD install I do, because I have to turn off many of the defaults which could potentially compromise security or waste resources.

>They rely on firewalls, prayer, or
>abject cluelessness to secure their systems, and that's just fine.

Windows users do that. FreeBSD users should have it better.

>Have you considered using OpenBSD? It does install with a more secure (i.e.
>"doesn't work for most people") configuration out of the box.

I have not only considered it -- I've used it quite a bit. On the table next to me are machines with the latest releases of FreeBSD, NetBSD, and OpenBSD.

--Brett Glass