From: Neil Blakey-Milner
To: Brett Glass
Cc: Dave McKay, Wes Peters, security@freebsd.org
Date: Fri, 22 Sep 2000 20:23:19 +0200
Subject: Re: sysinstall DOESN'T ASK, dangerous defaults! (Was: Re: wats so special about freeBSD?)
Organization: Sunesi Clinical Systems

On Fri 2000-09-22 (12:11), Brett Glass wrote:

> > Telnet *IS* however installed by default on every major OS I can
> > think of.
>
> It should not be. It sends passwords in the clear. This is not
> acceptable on today's Internet.

Which is fine, except I don't see 'ssh' on the OSen you might be using
to access your machine from remote. Windows, especially.
> >> I wind up spending hours agonizing over the configuration of every
> >> FreeBSD install I do, because I have to turn off many of the defaults
> >> which could potentially compromise security or waste resources.
> >
> > This is not healthy. Editing /etc/inetd.conf and /etc/rc.conf shouldn't
> > take hours, this sounds like a personal problem.
>
> The fact is that it really CAN take hours to reconfigure FreeBSD to secure
> it. This includes recompiling the kernel (to get IP Filter in there, save
> resources, turn off BPF, etc.), editing rc.conf, editing sshd.conf, and
> much more.

ipfilter is available as a module, btw. And a kernel build, even on my
venerable p166mmx, doesn't take more than a few minutes.

Can you explain exactly your thought processes as you're editing rc.conf
and sshd.conf? If we know _what_ you are changing, and why, maybe we'll
be enlightened.

I personally can't take more than a minute editing rc.conf. I know that
sshd.conf is safe enough - I may bind to a specific IP, though. What
else is there?

I really can't see how it can take hours.

Neil
--
Neil Blakey-Milner
Sunesi Clinical Systems
nbm@mithrandr.moria.org
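As an added example (not part of the thread, and not FreeBSD's own tooling), here is the kind of check that answers the "what exactly are you changing in /etc/inetd.conf" question: a POSIX sh audit that lists the cleartext-credential services still enabled in an inetd.conf and emits a copy with them commented out. The inetd.conf text below is constructed to resemble a FreeBSD 3.x/4.x default, and the list of services treated as cleartext is an assumption of this example.

```shell
#!/bin/sh
# Audit an inetd.conf for enabled services that carry passwords or host
# trust in the clear (telnet, ftp, pop3, imap, rsh/rlogin/rexec), and
# produce a hardened copy. Sample input is constructed for this example.

SAMPLE_INETD_CONF='#ftp    stream  tcp  nowait  root     /usr/libexec/ftpd     ftpd -l
telnet  stream  tcp  nowait  root     /usr/libexec/telnetd  telnetd
shell   stream  tcp  nowait  root     /usr/libexec/rshd     rshd
login   stream  tcp  nowait  root     /usr/libexec/rlogind  rlogind
#pop3   stream  tcp  nowait  root     /usr/local/libexec/popper popper
comsat  dgram   udp  wait    tty:tty  /usr/libexec/comsat   comsat
ntalk   dgram   udp  wait    tty:tty  /usr/libexec/ntalkd   ntalkd'

# inetd service names (first field) assumed to send credentials in cleartext
CLEARTEXT_SERVICES='telnet ftp pop3 imap shell login exec'

# Print, one per line, the cleartext services that are enabled (not
# commented out) in the inetd.conf text read from stdin.
enabled_cleartext_services() {
    awk -v list="$CLEARTEXT_SERVICES" '
        BEGIN { n = split(list, svc, " "); for (i = 1; i <= n; i++) want[svc[i]] = 1 }
        /^[ \t]*#/ || /^[ \t]*$/ { next }      # skip comments and blank lines
        ($1 in want) { print $1 }
    '
}

# Emit the inetd.conf from stdin with each enabled cleartext service
# commented out; every other line passes through unchanged.
disable_cleartext_services() {
    awk -v list="$CLEARTEXT_SERVICES" '
        BEGIN { n = split(list, svc, " "); for (i = 1; i <= n; i++) want[svc[i]] = 1 }
        !/^[ \t]*#/ && ($1 in want) { print "#" $0; next }
        { print }
    '
}

# Number of enabled cleartext services on stdin; 0 means the file is clean.
count_enabled_cleartext() {
    enabled_cleartext_services | wc -l | tr -d ' '
}

if [ "${1:-}" = "--demo" ]; then
    echo "enabled cleartext services:"
    printf '%s\n' "$SAMPLE_INETD_CONF" | enabled_cleartext_services
    echo "hardened inetd.conf:"
    printf '%s\n' "$SAMPLE_INETD_CONF" | disable_cleartext_services
fi
```

Run with `--demo` to see the audit and the hardened file; on a real host, diff the output against /etc/inetd.conf before replacing it and send inetd a HUP afterwards.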