From: Brett Glass <brett@lariat.org>
To: "Jan B. Koum"
Cc: chat@FreeBSD.ORG, security@FreeBSD.ORG
Date: Mon, 27 Jul 1998 17:22:07 -0600
Subject: Re: FreeBSD Security How-To (Was: QPopper exploit)
List: freebsd-security

At 04:11 PM 7/27/98 -0700, Jan B. Koum wrote:
> Hello all,
>
> Since the secret is out now on freebsd-security .. I have been
> working on FreeBSD Security How-To for the last few weeks. It is still in
> beta and I hope to get more comments from people on -security.
> It is currently at www.best.com/~jkb/howto.txt
> No kernel hacking -- just basic steps users can take to secure
> their workstations, server, etc. I'd like any comments, feedback or
> suggestions from -chat also. (yes, I'll soon have html also for those of
> you who can't stand ascii).
>
> -- Yan

I'd like to commend Jan on this effort. I do think that the section on
eliminating inetd needs some fleshing out, though. Some servers, such as
all of the POP3 daemons I've tried, don't seem to allow themselves to be
run except from inetd.
Also, the section should discuss the dangers of having a server die
without any automatic means to resuscitate it. For example, the docs for
identd warn against running it without inetd, since if it quits it will
not be restarted. Perhaps a utility that checks for the presence of
servers and restarts them if they've died could be developed as part of
this effort and perhaps added to the FreeBSD distribution.

Also, the section on ssh suggests running it without telling the user
where to find client software. Any recommendation for a secure service
should include information on how to obtain clients for all of the usual
client platforms (including -- yes -- Microsoft OSes).

--Brett
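The restart utility Brett asks for, sketched as an added example for this thread. It is my own code, not anything from the How-To or from the FreeBSD tree, and every name in it (watchdog.sh, watchdog_main, MAX_RESTARTS, RESTART_WINDOW, the state directory) is hypothetical. It assumes each supervised daemon forks and writes its own pidfile, and that the script runs as root from cron. The part a practitioner should not leave out is the restart cap: a watchdog that blindly restarts a service lets anyone who holds a remote crash bug keep re-exposing it, so after a few restarts in a short window the script stops and logs loudly instead.

```shell
#!/bin/sh
# watchdog.sh: poll a list of daemons and restart any that have died.
# Added example for this thread; all names are hypothetical.
#
# Usage (from root's crontab, e.g. once a minute):
#   watchdog.sh /var/run/watchdog 'sshd:/var/run/sshd.pid:/usr/sbin/sshd' ...
# Each entry is "name:pidfile:start command".  The start command must
# daemonize and write its own pidfile (sshd does both by default).
#
# Assumptions: runs as root (kill -0 on another user's process fails with
# EPERM otherwise); pidfiles and the state dir are not writable by the
# daemon's unprivileged user, since a daemon that can rewrite its pidfile
# to point at some long-lived PID (say, 1) would always look "alive".

MAX_RESTARTS=${MAX_RESTARTS:-5}         # give up after this many restarts ...
RESTART_WINDOW=${RESTART_WINDOW:-3600}  # ... within this many seconds

log() {
    logger -t watchdog "$*" 2>/dev/null || echo "watchdog: $*" >&2
}

# Return 0 if $1 is a readable pidfile whose PID names a live process.
# The PID may have been reused by an unrelated process after a crash; a
# stricter check would also compare the command name reported by ps(1).
daemon_alive() {
    pidfile=$1
    [ -r "$pidfile" ] || return 1
    pid=$(head -n 1 "$pidfile" 2>/dev/null | tr -cd '0-9')
    [ -n "$pid" ] || return 1
    kill -0 "$pid" 2>/dev/null
}

# Print "count first_epoch" for service $2 under state dir $1 ("0 0" if none).
restart_state() {
    if [ -r "$1/$2.count" ]; then cat "$1/$2.count"; else echo "0 0"; fi
}

# check_service NAME PIDFILE START_CMD STATE_DIR
# Returns 0 if running, 2 if it was dead and has been restarted,
# 3 if it is dead but the restart cap was hit (an operator must look),
# 4 if the start command ran but the daemon still is not up.
check_service() {
    name=$1 pidfile=$2 start_cmd=$3 state_dir=$4
    if daemon_alive "$pidfile"; then
        return 0
    fi
    set -- $(restart_state "$state_dir" "$name")
    n=$1 first=$2 now=$(date +%s)
    if [ "$n" -gt 0 ] && [ $((now - first)) -gt "$RESTART_WINDOW" ]; then
        n=0                       # earlier crashes have aged out of the window
    fi
    # The cap is the security control: without it a crash loop driven by an
    # attacker hides in the logs as a steady drone of routine restarts.
    if [ "$n" -ge "$MAX_RESTARTS" ]; then
        log "$name is down; $MAX_RESTARTS restarts in ${RESTART_WINDOW}s, NOT restarting"
        return 3
    fi
    if [ "$n" -eq 0 ]; then
        first=$now
    fi
    echo "$((n + 1)) $first" > "$state_dir/$name.count"
    log "$name is not running, restart $((n + 1))/$MAX_RESTARTS"
    if sh -c "$start_cmd"; then
        for i in 1 2 3; do        # a forking daemon needs a moment to write its pidfile
            daemon_alive "$pidfile" && return 2
            sleep 1
        done
    fi
    log "$name failed to come back up"
    return 4
}

# watchdog_main STATE_DIR ENTRY...   (worst check_service status is returned)
watchdog_main() {
    state_dir=$1; shift
    mkdir -p "$state_dir"
    status=0
    for entry in "$@"; do
        name=${entry%%:*};   rest=${entry#*:}
        pidfile=${rest%%:*}; start_cmd=${rest#*:}
        check_service "$name" "$pidfile" "$start_cmd" "$state_dir" || status=$?
    done
    return $status
}

if [ $# -gt 0 ]; then
    watchdog_main "$@"
fi
```

Polling a pidfile is the crude 1998-style answer. On current FreeBSD, daemon(8) with -r does the same supervision for a single program more reliably, because it is the parent and sees the exit directly instead of inferring it from a stale pidfile; and a service left under inetd is re-spawned per connection, which is exactly why the identd documentation Brett cites prefers it.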