From owner-freebsd-security Wed Nov 24 16:53:10 1999
Message-Id: <383C8823.8438567B@softweyr.com>
Date: Wed, 24 Nov 1999 17:51:47 -0700
From: Wes Peters
Organization: Softweyr LLC
To: Warner Losh
Cc: Peter Wemm, Poul-Henning Kamp, freebsd-current@FreeBSD.ORG, security@FreeBSD.ORG
Subject: Re: ps on 4.0-current
References: <19991124090523.9689C1C6D@overcee.netplex.com.au> <199911241612.JAA20799@harmony.village.org>

Warner Losh wrote:
>
> In message <19991124090523.9689C1C6D@overcee.netplex.com.au> Peter Wemm writes:
> :
> : In a dedicated server role, again it might be appropriate to default
> : it to "open" (dedicated server being something like a squid box),
> : again there will be a couple of sysadmin type users or people who
> : have to monitor things. Hiding information gains nothing there
> : either.
>
> I disagree with this, but that is because I've rarely seen a totally
> dedicated server. A simple fileserver that does nothing else would
> want to be open in this respect since few people have accounts.
>
> : In other roles, including something like a shell server box with presumably
> : hostile users (you reasonably have to assume this), you want everything you
> : possibly can to be locked down.
>
> Firewall, dialup boxes, dns servers, etc are good candidates to be
> locked down.

Firewall, web, dns, news, etc. servers are good candidates to be open
because there should not be any "normal" user accounts on them, only
administration accounts. And darned few of those. I think this is what
Peter was getting at.

--
"Where am I, and what am I doing in this handbasket?"

Wes Peters
Softweyr LLC
wes@softweyr.com
http://softweyr.com/