Date: Mon, 22 Nov 1999 11:59:51 -0500 (EST)
From: James Gill <gill@topsecret.net>
To: "Jeroen C. van Gelderen" <jeroen@vangelderen.org>
Cc: Craig Garner <xrayu@home.com>, Eivind Eklund <eivind@FreeBSD.ORG>, Nate Williams <nate@mt.sri.com>, Matthew Dillon <dillon@apollo.backplane.com>, security@FreeBSD.ORG
Subject: Re: Disabling FTP
Message-ID: <Pine.BSF.4.10.9911221114340.2830-100000@pacific.int.topsecret.net>
In-Reply-To: <38391B04.9F5FD39D@vangelderen.org>
Some very compelling arguments in this discussion. The only undisputed solution seems to be a question in the setup program about if you want default services installed. This discussion seems to bring out a pair of issues for consideration: 1) shutting all services off by default and 2) brand-newbie level documentation describing what to do in the first 24 hours after install for a sound and secure and reliable system is lacking.

On Mon, 22 Nov 1999, Jeroen C. van Gelderen wrote:

->James Gill wrote:
->> As a relative newbie, having ftpd on by default makes perfect sense.
->
->Are you saying that you cannot manually enable ftpd if you need it?

Yes. First sentence, fourth word: newbie. Newbie to FreeBSD, newbie to unix. I'm not a numbskull, I'm just not yet oriented to the environment.

->
->> Few newbies are going to be building a machine to place into
->> mission-critical service that day.
->
->Good for them, but it's not the newbies we primarily target methinks.
->

Tell that to -advocacy.

->> I would venture that most folks play around with FreeBSD on a scratch
->> system (sandbox? ;-)) for at least a little while first. I use FTP
->> between systems regularly and having cleartext passwords on the LAN
->> isn't a *huge* issue in most cases...
->
->Exactly, so you can just *enable* ftpd while you are munging with the
->config. This renders the box insecure but at least you explicitly
->authorized the act of enabling.
->
->Isn't munging configuration files the first thing you do when you
->install a FreeBSD box? It is for me.
->

Once I got FreeBSD installed the first thing I wanted to know was how to make it do what I wanted it to do. So I started learning how to config my account, mail tools, desktop, and eventually DNS. Somewhere after that comes Mail (Qmail methinks), Webserver (Apache), and then maybe an FTP server (?). I have yet to touch the inetd.conf but I have used FTP daily to transfer files between boxes.
The earlier argument to turn off *all* services and let folks learn how to turn on everything one by one works best here. If you're not going to make it so that a fresh install performs a baseline of assumed services, shut them all off and force a little RTFM. Admittedly, I hadn't bothered to do so regarding the ftpd I am running by default (but again, I'm not running it on a publicly accessible system).

->> That said, the person who first installs FreeBSD and wants to move
->> files around who has to go in and figure out how to turn on ftpd
->> is probably going to get _very_ frustrated.
->
->So? He's supposed to read the documentation or telnet to port 20/21
->or start with Linux first.
->
->> Especially when coming from a MS background in a plug-n-play
->> world...converting these people is a gradual process, and throwing
->> them in and expecting them to understand the underlying unix
->> philosophies that are so different from the world they come from
->> is going to cause more harm than good.
->
->People expect UNIX to be secure, so this argument doesn't really
->hold, does it?
->

I see that we have different approaches here. You would crack the docs before trying anything, I would try it and see if it worked already. Generally, for me, reading the docs or manpages without a concept of what I'm looking for just makes me more confused than ever. As for starting with Linux, well, I did but per numerous discussions I've seen in -questions over the last few months, the install didn't go well and once I got things installed I couldn't figure out how or what to do and eventually gave up for a couple of years. If someone doesn't know to/how/what to edit in inetd.conf, why would they know to telnet to port 20/21? And while people do expect this OS to be secure, I would venture that more people expect it to be *functional*.
And if what I've said seems largely ridiculous, it is probably less of a technical issue and more of a social one: http://www.theonion.com/onion3542/aurora_tekken3.html

Sadly, my world is microwaves and McDonalds and FedEx and not mom's winter chili.

--gill

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
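As an added example (not from the thread or from FreeBSD itself), here is the kind of first-day check the post says is undocumented: a small POSIX shell audit that lists which services an inetd.conf has enabled, flags the cleartext-password ones named in the thread (ftp, telnet), and writes a copy with every service commented out, i.e. the "shut them all off" default under discussion. The inetd.conf contents below are constructed for the example; on a real box you would point the functions at /etc/inetd.conf.

```shell
#!/bin/sh
# Constructed sample in the classic inetd.conf layout:
# service socktype proto wait/nowait user server args
SAMPLE_INETD_CONF=$(mktemp)
cat > "$SAMPLE_INETD_CONF" <<'EOF'
# Internet server configuration database (constructed sample)
ftp     stream  tcp     nowait  root    /usr/libexec/ftpd       ftpd -l
telnet  stream  tcp     nowait  root    /usr/libexec/telnetd    telnetd
#shell  stream  tcp     nowait  root    /usr/libexec/rshd       rshd
#login  stream  tcp     nowait  root    /usr/libexec/rlogind    rlogind
#finger stream  tcp     nowait/3/10 nobody /usr/libexec/fingerd fingerd -s
comsat  dgram   udp     wait    tty:tty /usr/libexec/comsat     comsat
EOF

# Print the service name (first field) of every active entry:
# lines that are neither blank nor commented out.
enabled_services() {
    # $1: path to an inetd.conf
    grep -v '^[[:space:]]*#' "$1" | grep -v '^[[:space:]]*$' | awk '{print $1}'
    return 0
}

# Services that carry passwords in cleartext, the risk raised in the thread.
CLEARTEXT_SERVICES="ftp telnet"

# Print only those enabled services that are in CLEARTEXT_SERVICES.
enabled_cleartext() {
    # $1: path to an inetd.conf
    for svc in $(enabled_services "$1"); do
        for c in $CLEARTEXT_SERVICES; do
            [ "$svc" = "$c" ] && echo "$svc"
        done
    done
    return 0
}

# Write a copy of the file with every active entry commented out.
# The input file is left untouched; review the copy, then install it.
disable_all() {
    # $1: input inetd.conf, $2: output path
    awk '/^[[:space:]]*#/ || /^[[:space:]]*$/ { print; next } { print "#" $0 }' \
        "$1" > "$2"
}

# Usage on the constructed sample:
echo "enabled:   $(enabled_services "$SAMPLE_INETD_CONF" | tr '\n' ' ')"
echo "cleartext: $(enabled_cleartext "$SAMPLE_INETD_CONF" | tr '\n' ' ')"
```

After inetd.conf is changed, inetd must be told to reread it (on the systems of that era, a HUP to the inetd process) before the change takes effect.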