From owner-freebsd-security Tue Nov 23 00:01:45 1999
Delivered-To: freebsd-security@freebsd.org
Received: from pacific.int.topsecret.net (gill.apk.net [207.54.148.62]) by hub.freebsd.org (Postfix) with ESMTP id B8F9514A2D; Tue, 23 Nov 1999 00:00:07 -0800 (PST) (envelope-from gill@topsecret.net)
Received: from localhost (gill@localhost) by pacific.int.topsecret.net (8.9.3/8.9.3) with ESMTP id LAA02890; Mon, 22 Nov 1999 11:59:51 -0500 (EST) (envelope-from gill@topsecret.net)
X-Authentication-Warning: pacific.int.topsecret.net: gill owned process doing -bs
Date: Mon, 22 Nov 1999 11:59:51 -0500 (EST)
From: James Gill
X-Sender: gill@pacific.int.topsecret.net
To: "Jeroen C. van Gelderen"
Cc: Craig Garner, Eivind Eklund, Nate Williams, Matthew Dillon, security@FreeBSD.ORG
Subject: Re: Disabling FTP
In-Reply-To: <38391B04.9F5FD39D@vangelderen.org>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Some very compelling arguments in this discussion. The only undisputed solution seems to be a question in the setup program about whether you want default services installed.

This discussion seems to bring out a pair of issues for consideration: 1) shutting all services off by default and 2) brand-newbie level documentation describing what to do in the first 24 hours after install for a sound and secure and reliable system is lacking.

On Mon, 22 Nov 1999, Jeroen C. van Gelderen wrote:

->James Gill wrote:
->> As a relative newbie, having ftpd on by default makes perfect sense.
->
->Are you saying that you cannot manually enable ftpd if you need it?

Yes. First sentence, fourth word: newbie. Newbie to FreeBSD, newbie to unix. I'm not a numbskull, I'm just not yet oriented to the environment.

->
->> Few newbies are going to be building a machine to place into
->> mission-critical service that day.
->
->Good for them, but it's not the newbies we primarily target methinks.
->

tell that to -advocacy.

->> I would venture that most folks play around with FreeBSD on a scratch
->> system (sandbox? ;-)) for at least a little while first. I use FTP
->> between systems regularly and having cleartext passwords on the LAN
->> isn't a *huge* issue in most cases...
->
->Exactly, so you can just *enable* ftpd while you are munging with the
->config. This renders the box insecure but at least you explicitly
->authorized the act of enabling.
->
->Isn't munging configuration files the first thing you do when you
->install a FreeBSD box? It is for me.
->

Once I got FreeBSD installed the first thing I wanted to know was how to make it do what I wanted it to do. So I started learning how to config my account, mail tools, desktop, and eventually DNS. Somewhere after that comes Mail (Qmail methinks), Webserver (Apache), and then maybe an FTP server (?). I have yet to touch the inetd.conf but I have used FTP daily to transfer files between boxes.

The earlier argument to turn off *all* services and let folks learn how to turn on everything one by one works best here. If you're not going to make it so that a fresh install performs a baseline of assumed services, shut them all off and force a little RTFM. Admittedly, I hadn't bothered to do so regarding the ftpd I am running by default (but again, I'm not running it on a publicly accessible system).

->> That said, the person who first installs FreeBSD and wants to move
->> files around who has to go in and figure out how to turn on ftpd
->> is probably going to get _very_ frustrated.
->
->So? He's supposed to read the documentation or telnet to port 20/21
->or start with Linux first.
->
->> Especially when coming from a MS background in a plug-n-play
->> world...converting these people is a gradual process, and throwing
->> them in and expecting them to understand the underlying unix
->> philosophies that are so different from the world they come from
->> is going to cause more harm than good.
->
->People expect UNIX to be secure, so this argument doesn't really
->hold, does it?
->

I see that we have different approaches here. You would crack the docs before trying anything, I would try it and see if it worked already. Generally, for me, reading the docs or manpages without a concept of what I'm looking for just makes me more confused than ever.

As for starting with Linux, well, I did but per numerous discussions I've seen in -questions over the last few months, the install didn't go well and once I got things installed I couldn't figure out how or what to do and eventually gave up for a couple of years.

If someone doesn't know to/how/what to edit in inetd.conf, why would they know to telnet to port 20/21? And while people do expect this OS to be secure, I would venture that more people expect it to be *functional*.

And if what I've said seems largely ridiculous, it is probably less of a technical issue and more of a social one: http://www.theonion.com/onion3542/aurora_tekken3.html

Sadly, my world is microwaves and McDonalds and FedEx and not mom's winter chili.

--gill
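The thread keeps circling back to what inetd.conf switches on out of the box and whether a newbie would ever notice. The script below is an added example, not code from this message or from the FreeBSD project: it audits an inetd.conf, lists every service that is actually enabled, and flags the cleartext-password ones the thread mentions (ftp, telnet). The inetd.conf it reads is a constructed sample written to a temp file.

```shell
#!/bin/sh
# Audit an inetd.conf for enabled services and flag cleartext-password
# protocols. Sample input is constructed here; point the functions at
# /etc/inetd.conf to check a real box.

SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
# constructed sample inetd.conf, FreeBSD 3.x layout
ftp     stream  tcp     nowait  root    /usr/libexec/ftpd       ftpd -l
#ftp    stream  tcp6    nowait  root    /usr/libexec/ftpd       ftpd -l
telnet  stream  tcp     nowait  root    /usr/libexec/telnetd    telnetd
#shell  stream  tcp     nowait  root    /usr/libexec/rshd       rshd
#login  stream  tcp     nowait  root    /usr/libexec/rlogind    rlogind
#finger stream  tcp     nowait/3/10 nobody /usr/libexec/fingerd fingerd -s
comsat  dgram   udp     wait    tty:tty /usr/libexec/comsat     comsat
EOF

# enabled_services FILE
# Print the service name (first field) of every line that is not a
# comment and has the six-plus fields a valid inetd entry needs.
enabled_services() {
    awk '$1 !~ /^#/ && NF >= 6 { print $1 }' "$1"
}

# cleartext_enabled FILE
# Subset of enabled services that carry passwords in the clear; these
# are the ones the thread argues should be off until explicitly wanted.
cleartext_enabled() {
    enabled_services "$1" | grep -E '^(ftp|telnet)$' || true
}

# count_enabled FILE
# Quick "is this a bare install?" number: zero means nothing listens via inetd.
count_enabled() {
    enabled_services "$1" | wc -l | tr -d ' '
}

echo "enabled services:"; enabled_services "$SAMPLE"
echo "cleartext services still on:"; cleartext_enabled "$SAMPLE"
```

The same three functions work unchanged against /etc/inetd.conf; a freshly installed box where cleartext_enabled prints nothing has already had the choice this thread debates made for it.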