From owner-freebsd-security Wed Jan 24 11:00:37 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.3/8.7.3) id LAA12494 for security-outgoing; Wed, 24 Jan 1996 11:00:37 -0800 (PST)
Received: from statler.csc.calpoly.edu (statler-srv.csc.calpoly.edu [129.65.241.4]) by freefall.freebsd.org (8.7.3/8.7.3) with SMTP id LAA12429 for ; Wed, 24 Jan 1996 11:00:16 -0800 (PST)
Received: (from nlawson@localhost) by statler.csc.calpoly.edu (8.6.12/N8) id KAA12350; Wed, 24 Jan 1996 10:25:59 -0800
From: Nathan Lawson
Message-Id: <199601241825.KAA12350@statler.csc.calpoly.edu>
Subject: Re: Ownership of files/tcp_wrappers port
To: max@underdog.maxie.com (James Robertson)
Date: Wed, 24 Jan 1996 10:25:59 -0800 (PST)
Cc: security@freebsd.org
In-Reply-To: from "James Robertson" at Jan 24, 96 07:48:16 am
X-Mailer: ELM [version 2.4 PL23]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-security@freebsd.org
Precedence: bulk

> > > Before we get over paranoid over security, let us remember that the
> > > primary aim of a base distribution is to provide a dynamic system, of
> > > course minus the security bugs.
>
> I have to strongly agree with this, let's NOT get paranoid over security.
> I feel if someone has reached the point they use the word paranoid to
> describe their feeling of safety of a machine, it might perhaps be time
> to seriously reconsider whether the machine should be on a public network
> at all. Replacing that ethernet T-connector with a terminator is still a
> much more foolproof security measure.

I get a different feeling when someone starts suggesting that security
measures are paranoid: I start feeling like they don't quite understand what
is going on. Proper security is not paranoia. It is not obscurity. It's
being able to understand your system well enough to know where holes can
appear and being able to detect and control access to your machine.
Security is your way of saying "Yes, I own my machine, I know how it works,
therefore I am not worried about hacking attempts". People are most afraid
of what they don't understand.

I wasn't suggesting "paranoid" security measures, I was suggesting that we
make tcp_wrappers easily available for newer users, such as yourself, so
that if you wish to add access control, you can edit one file to do so. I
did NOT suggest that anything be denied by default. In fact, I am against
this. But it should be there when someone installs, so that they can make
quick use of it (just like any other tool).

> One of the primary reasons I switched all the machines here (a small IPP)
> was that the FreeBSD machines were not causing access problems like the
> Linux ones were. Linux appears to be "paranoid" out of the box, and there
> is little information available to find where all the checks are, much
> less disable them. Asking other systems running it didn't help, I got
> various answers, all along the line of "just leave it alone, it's
> supposed to be that way" all the way to "I don't feel that it's a good
> idea to give that info out".

Even the paranoid option of tcp_wrappers doesn't complain unless DNS is
misconfigured or other things like that. What you say is kind of scary,
because there are other, more complex issues in running a Unix box (whether
Linux or FreeBSD) which are much more dangerous and you were running into
just the small ones. Spend some time on your system, whether Linux or
FreeBSD, ls'ing around, running arbitrary commands, and using the man pages.
Get a "feel" for how your system really operates.

> In the end, I never could get it to allow certain systems to telnet or
> even anonymous FTP, and some of the machines disallowed were on the same
> LAN. Removing the tcp wrappers didn't even fix the problems, the daemons
> just did the same checks themselves. In short, despite a few protests, I
> changed all the machines to FreeBSD and ended the problems. (and a good
> deal of other ones unrelated to security.)

I prefer FreeBSD to Linux, but your fix of installing a new operating system
because the old one complained too much is a bad omen. Systems do not
complain unless there really is something wrong. Changing OS's won't fix
what's wrong, it will just change how it's reported (or ignored).

> I would hate to see FreeBSD become a "paranoid" distribution like that,
> with every possible security measure in full force by default. Its

Like I said before, I did not suggest this. I suggested that it be available
for quick user configuration IF IT IS DESIRED.

> There is one place in FreeBSD I can think of that a change might be good
> idea, the Installation program should probably indicate that it is a very
> good idea to set a root password, instead of just giving a menu option to
> set it. A newcomer to Unix might not be aware just how important that
> could be if it is anything other than a single user stand alone system.
>
> > Well, then FreeBSD has failed. See the recent telnetd environment bug for
> > an example of this. If you had wrapped telnetd and only allowed connects
> > from certain sites, you could have limited the scope of this vulnerability.
>
> Restricting the hosts that use telnet is not a solution for everyone, in
> our case 99% of our users could no longer login. Almost all of our user
> base comes from netside, not from local hosts....
> James Robertson
> Treetop Internet Services

Perhaps it wouldn't have helped for your system, but for many others, I
think it would have been a great help.

--
Nate Lawson     \Yeah, I was dreaming through the 'howzlife', yawning, car black,
Owner:          \when she told me 'mad and meaningless as ever...' and a song
Cal Poly State  \came on the radio like a cemetery rhyme for a million crying
University      \corpses in their tragedy of respectable existence. - BR