From owner-freebsd-security Fri Sep 22 11:12: 5 2000
Delivered-To: freebsd-security@freebsd.org
Received: from lariat.org (lariat.org [12.23.109.2])
    by hub.freebsd.org (Postfix) with ESMTP id CB39237B424
    for ; Fri, 22 Sep 2000 11:11:58 -0700 (PDT)
Received: from mustang.lariat.org (IDENT:ppp0.lariat.org@lariat.org [12.23.109.2])
    by lariat.org (8.9.3/8.9.3) with ESMTP id MAA08651;
    Fri, 22 Sep 2000 12:11:33 -0600 (MDT)
Message-Id: <4.3.2.7.2.20000922120415.00c7bdc0@localhost>
X-Sender: brett@localhost
X-Mailer: QUALCOMM Windows Eudora Version 4.3.2
Date: Fri, 22 Sep 2000 12:11:25 -0600
To: Dave McKay
From: Brett Glass
Subject: Re: sysinstall DOESN'T ASK, dangerous defaults! (Was: Re: wats so special about freeBSD?)
Cc: Wes Peters , nbm@mithrandr.moria.org, security@freebsd.org
In-Reply-To: <20000922021207.A90466@elvis.mu.org>
References: <4.3.2.7.2.20000921182152.046d6ee0@localhost>
    <99016.969437392@winston.osd.bsdi.com>
    <99016.969437392@winston.osd.bsdi.com>
    <20000920125405.D22272@149.211.6.64.reflexcom.com>
    <4.3.2.7.2.20000921113652.053d4960@localhost>
    <20000921210521.A17973@mithrandr.moria.org>
    <39CA8E45.7DA45048@softweyr.com>
    <4.3.2.7.2.20000921182152.046d6ee0@localhost>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

At 01:12 AM 9/22/2000, Dave McKay wrote:

>SSH is in common use? It is still third party on Linux and Windows, and
>Solaris.

So are Netscape Navigator, RealPlayer, etc. -- and everyone downloads
them! The fact that Microsoft doesn't make one is, IMHO, a good thing.
They'd probably insert their own less secure authentication schemes and
turn them on by default -- or, worse yet, try to hijack the standard
by introducing incompatibilities.

> Telnet *IS* however installed by default on every major OS I can
>think of.

It should not be. It sends passwords in the clear. This is not
acceptable on today's Internet.

>> I wind up spending hours agonizing over the configuration of every
>> FreeBSD install I do, because I have to turn off many of the defaults
>> which could potentially compromise security or waste resources.
>
>This is not healthy. Editing /etc/inetd.conf and /etc/rc.conf shouldn't
>take one hours, this sounds like a personal problem.

Don't argue ad hominem; it doesn't strengthen your argument and in fact
makes it suspect. The fact is that it really CAN take hours to reconfigure
FreeBSD to secure it. This includes recompiling the kernel (to get IP Filter
in there, save resources, turn off BPF, etc.), editing rc.conf, editing
sshd.conf, and much more.

>You'll have to forgive me, I don't subscribe to the netbsd or openbsd lists,
>but do you suggest these ideas to *BSD? If everyone in the world was straw-
>berry then no one would taste good.

I fail to see your point. Security is good on ALL platforms, and if the
defaults are good and options are offered it can save a great deal of
time and frustration.

--Brett
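
An added example, not part of the original message: a small check for the /etc/inetd.conf cleanup discussed in this thread, listing entries that are still enabled and log users in with cleartext passwords or host trust (telnet among them). The service list and the sample file are assumptions constructed for illustration.

```sh
#!/bin/sh
# Added example: report inetd.conf entries that are enabled (not commented
# out) and belong to a cleartext-login service.

# Service names treated as risky (an assumption; adjust per site).
CLEARTEXT="telnet ftp login shell exec pop3 imap4"

# audit_inetd FILE ("-" for stdin)
# Prints "service protocol" for each risky enabled entry.
# Returns 1 if any were found, 0 otherwise.
audit_inetd() {
    awk -v risky="$CLEARTEXT" '
        BEGIN { n = split(risky, a, " "); for (i = 1; i <= n; i++) bad[a[i]] = 1 }
        # Skip comments, blank lines and lines too short to be an entry:
        # service socket-type protocol wait/nowait user server-program [args]
        $1 ~ /^#/ || NF < 6 { next }
        ($1 in bad) { print $1, $3; found = 1 }
        END { exit (found + 0) }
    ' "$1"
}

# Constructed sample input, not taken from a real host.
sample_inetd_conf() {
    cat <<'EOF'
# constructed sample
ftp     stream  tcp     nowait  root    /usr/libexec/ftpd       ftpd -l
telnet  stream  tcp     nowait  root    /usr/libexec/telnetd    telnetd
#shell  stream  tcp     nowait  root    /usr/libexec/rshd       rshd
#login  stream  tcp     nowait  root    /usr/libexec/rlogind    rlogind
daytime stream  tcp     nowait  root    internal
EOF
}

# With no argument, run on the constructed sample; otherwise audit the file.
if [ $# -eq 0 ]; then
    sample_inetd_conf | audit_inetd - || echo "cleartext services enabled (sample)" >&2
else
    audit_inetd "$1" || echo "cleartext services enabled in $1" >&2
fi
```

Run it as `sh audit.sh /etc/inetd.conf` (the script name is hypothetical); any line it prints is a service to comment out before restarting inetd.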