From owner-freebsd-security Wed Jan 24 04:48:49 1996
Return-Path: owner-security
Received: (from root@localhost)
	by freefall.freebsd.org (8.7.3/8.7.3) id EAA26406
	for security-outgoing; Wed, 24 Jan 1996 04:48:49 -0800 (PST)
Received: from underdog.maxie.com (maxie.com [199.250.231.28])
	by freefall.freebsd.org (8.7.3/8.7.3) with SMTP id EAA26401
	for ; Wed, 24 Jan 1996 04:48:46 -0800 (PST)
Received: (from max@localhost)
	by underdog.maxie.com (8.6.12/8.6.12) id HAA12469;
	Wed, 24 Jan 1996 07:48:17 -0500
Date: Wed, 24 Jan 1996 07:48:16 -0500 (EST)
From: James Robertson
To: security@Freebsd.org
Subject: Re: Ownership of files/tcp_wrappers port
In-Reply-To: <199601241012.CAA11879@statler.csc.calpoly.edu>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-security@Freebsd.org
Precedence: bulk

> > Before we get over paranoid over security, let us remember that the
> > primary aim of a base distribution is to provide a dynamic system, of
> > course minus the security bugs.

I have to strongly agree with this, let's NOT get paranoid over
security. I feel if someone has reached the point they use the word
paranoid to describe their feeling of safety of a machine, it might
perhaps be time to seriously reconsider whether the machine should be
on a public network at all. Replacing that ethernet T-connector with a
terminator is still a much more foolproof security measure.

One of the primary reasons I switched all the machines here (a small
IPP) was that the FreeBSD machines were not causing access problems
like the Linux ones were. Linux appears to be "paranoid" out of the
box, and there is little information available to find where all the
checks are, much less disable them. Asking other systems running it
didn't help, I got various answers, all along the line of "just leave
it alone, it's supposed to be that way" all the way to "I don't feel
that it's a good idea to give that info out".

In the end, I never could get it to allow certain systems to telnet or
even anonymous FTP, and some of the machines disallowed were on the
same LAN. Removing the tcp wrappers didn't even fix the problems, the
daemons just did the same checks themselves. In short, despite a few
protests, I changed all the machines to FreeBSD and ended the problems
(and a good deal of other ones unrelated to security).

I would hate to see FreeBSD become a "paranoid" distribution like that,
with every possible security measure in full force by default. Its
default setup is robust enough in most cases, and it is far easier to
add additional security than it is to strip off layer after layer of
options you never wanted to begin with.

There is one place in FreeBSD I can think of that a change might be a
good idea, the installation program should probably indicate that it is
a very good idea to set a root password, instead of just giving a menu
option to set it. A newcomer to Unix might not be aware just how
important that could be if it is anything other than a single user
standalone system.

> Well, then FreeBSD has failed. See the recent telnetd environment bug for
> an example of this. If you had wrapped telnetd and only allowed connects
> from certain sites, you could have limited the scope of this vulnerability.

Restricting the hosts that use telnet is not a solution for everyone,
in our case 99% of our users could no longer log in. Almost all of our
user base comes from netside, not from local hosts....

James Robertson
Treetop Internet Services