From owner-freebsd-questions Thu Feb 5 13:58:51 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id NAA06344 for questions-outgoing; Thu, 5 Feb 1998 13:58:51 -0800 (PST) (envelope-from owner-freebsd-questions@FreeBSD.ORG)
Received: from the.oneinsane.net (insane@link2.oneinsane.net [207.113.133.240]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id NAA06249 for ; Thu, 5 Feb 1998 13:58:25 -0800 (PST) (envelope-from insane@oneinsane.net)
Received: (from insane@localhost)
Message-ID: <19980205135734.44818@the.oneinsane.net>
Date: Thu, 5 Feb 1998 13:57:34 -0800
From: "Ron 'The Insane One' Rosson"
To: Jamie Lawrence
Cc: Doug White , freebsd-questions@FreeBSD.ORG
Subject: Re: minimalist /etc/services and /etc/inetd.conf Re: Security
References: <3.0.3.32.19980204134734.009944f0@colonel.42inc.com> <3.0.3.32.19980205110224.009f3820@colonel.42inc.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.74e
In-Reply-To: <3.0.3.32.19980205110224.009f3820@colonel.42inc.com>; from Jamie Lawrence on Thu, Feb 05, 1998 at 11:02:24AM -0800
X-Operating-System: FreeBSD the.oneinsane.net 2.2.5-STABLE
X-Opinion: What you read here is my IMHO
X-Disclaimer: I am a firm believer in RTFM
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG
X-To-Unsubscribe: mail to majordomo@FreeBSD.org "unsubscribe questions"

-J

I agree with your methods. Only make the machine capable of what its job is. That way it cannot come back and haunt you. IMHO it sounds like you have good firewall-based habits to me.

Ron

On Thu, Feb 05, 1998 at 11:02:24AM -0800, Jamie Lawrence wrote:
>
> I didn't mean to spark a huge debate on this - I won't
> publicly post on the topic after this. Feel free to
> harangue me privately, should you feel really strongly
> about my habit of editing /etc/services.
>
> At 09:58 PM 2/4/98 -0800, you wrote:
>
> >> "Don't play with /etc/services" seems like pretty general advice
> >> not applicable in all (or perhaps even most) situations.
> >
> >OK, then why edit services? It's a text database, nothing more.
>
> For the same reason I remove large chunks of /bin/*, /sbin/*,
> the man pages for what is gone, /etc/sendmail.cf, the kernel sources
> after a recompile, etc. etc. etc.
>
> What isn't there can't be used against the system. True, there might
> not be any direct gains in security from removing man pages and
> editing services, and I admit this particular case is perhaps just
> an aesthetic issue. If a system is only firewalling or only serving
> web pages, I want it to be only capable of that function (modulo
> any administratively necessary functions, of course), and want
> everything not associated with that function gone. "All that is not
> permitted is forbidden", while admittedly bad social policy, is great
> security. (I'm less harsh to machines that more people access.)
>
> -j

--
--------------------------------------------------------
Ron Rosson                  ... and a UNIX user said ...
rlr@n2.net                          rm -rf *
insane@oneinsane.net           and all was null and void
--------------------------------------------------------
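The "all that is not permitted is forbidden" approach discussed above, as an added example that is not part of the thread and not either poster's own script: a POSIX sh/awk pair that (1) rewrites an inetd.conf so only an explicit allowlist of services stays active, commenting the rest out rather than deleting them so an auditor can still see what was switched off, and (2) checks the sockets a host actually has open (classic `netstat -an -f inet` layout) against the ports its job requires. Both the inetd.conf and the netstat output below are constructed samples; the allowlists ("ssh ftp", "22 21") are assumptions about the host's role, not anything the thread states.

```shell
#!/bin/sh
# Added example: enforce "what isn't there can't be used against the system"
# on an inetd-style host. Not from the original thread; samples are constructed.

# Constructed inetd.conf in the classic FreeBSD layout:
#   service socktype proto wait/nowait user server args
SAMPLE_INETD_CONF='# constructed sample inetd.conf
ftp     stream  tcp     nowait  root    /usr/libexec/ftpd       ftpd -l
telnet  stream  tcp     nowait  root    /usr/libexec/telnetd    telnetd
#shell  stream  tcp     nowait  root    /usr/libexec/rshd       rshd
finger  stream  tcp     nowait  nobody  /usr/libexec/fingerd    fingerd -s
daytime stream  tcp     nowait  root    internal
echo    dgram   udp     wait    root    internal
ssh     stream  tcp     nowait  root    /usr/local/sbin/sshd    sshd -i
'

# Constructed "netstat -an -f inet" output for the same (hypothetical) host.
SAMPLE_NETSTAT='Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp        0      0  *.22                   *.*                    LISTEN
tcp        0      0  *.21                   *.*                    LISTEN
tcp        0      0  127.0.0.1.25           *.*                    LISTEN
tcp        0      0  192.0.2.10.22          192.0.2.77.1043        ESTABLISHED
udp        0      0  *.514                  *.*
'

# minimize_inetd_conf "svc1 svc2 ..." < inetd.conf
# Comments and blank lines pass through unchanged. An active line whose service
# name (after any "host:" prefix and "/version" suffix) is not in the allowlist
# is commented out with a trailing note, so the file records what was disabled.
minimize_inetd_conf() {
    awk -v allow="$1" '
    BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    /^[ \t]*#/ || /^[ \t]*$/ { print; next }
    {
        svc = $1
        sub(/^[^:]*:/, "", svc)   # strip "host:" prefix (e.g. 127.0.0.1:ftp)
        split(svc, s, "/")        # strip "/version" suffix used by RPC entries
        if (s[1] in ok) print
        else print "#" $0 "\t# disabled: not in allowlist"
    }'
}

# active_services < inetd.conf  ->  one service name per uncommented entry
active_services() {
    awk '!/^[ \t]*#/ && NF >= 6 {
        svc = $1; sub(/^[^:]*:/, "", svc); split(svc, s, "/"); print s[1]
    }'
}

# audit_listeners "port1 port2 ..." < netstat-output
# Prints "proto localaddr" for every listening TCP socket or bound UDP socket
# whose port is not in the allowlist. Empty output means the host is bound only
# where its job requires. Established connections are ignored.
audit_listeners() {
    awk -v allowed="$1" '
    BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    ($1 ~ /^tcp/ && $NF == "LISTEN") || $1 ~ /^udp/ {
        port = $4; sub(/.*\./, "", port)   # port is the text after the last dot
        if (!(port in ok)) print $1, $4
    }'
}

# On a real FreeBSD host you would run something like:
#   minimize_inetd_conf "ssh ftp" < /etc/inetd.conf > /etc/inetd.conf.new
#   netstat -an -f inet | audit_listeners "22 21"
# Here the constructed samples stand in for both.
printf '%s' "$SAMPLE_INETD_CONF" | minimize_inetd_conf "ssh ftp"
printf '%s' "$SAMPLE_NETSTAT" | audit_listeners "22 21"
```

The listener audit only sees what is bound at the moment it runs, so it complements rather than replaces trimming inetd.conf (and the rc scripts that start standalone daemons): the minimized configuration is what guarantees the service cannot come back on the next boot, the audit is what tells you whether something you forgot about is listening anyway.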