Skip site navigation (1)Skip section navigation (2)
Date:      Sun, 21 Nov 1999 18:25:38 -0500
From:      Mike Tancsa <mike@sentex.net>
To:        Eivind Eklund <eivind@FreeBSD.ORG>, Nate Williams <nate@mt.sri.com>
Cc:        security@FreeBSD.ORG
Subject:   Re: Disabling FTP (was Re: Why not sandbox BIND?)
Message-ID:  <4.1.19991121180544.04252f00@granite.sentex.ca>
In-Reply-To: <19991122000209.J602@bitbox.follo.net>
References:  <199911201808.LAA10767@mt.sri.com> <Pine.BSF.4.10.9911120922190.85007-100000@jade.chc-chimes.c <4.2.0.58.19991112102309.045abf00@localhost> <19991112173306.D76708@florence.pavilion.net> <19991112212912.Z57266@rucus.ru.ac.za> <199911121946.LAA24616@apollo.backplane.com> <199911122114.OAA20606@mt.sri.com> <19991113012855.A62879@fasterix.frmug.org> <199911130031.RAA21117@mt.sri.com> <19991120190417.I602@bitbox.follo.net> <199911201808.LAA10767@mt.sri.com>

next in thread | previous in thread | raw e-mail | index | archive | help
At 06:02 PM 11/21/99 , Eivind Eklund wrote:
>Most people do NOT need need network services running when they set up
>a new box.  A lot of people get screwed by having extra services they
>do not need.
>
>Most users sit on the console of the box they are installing while
>doing initial setup, and most of those of them that feel they need
>access to the box from the network install ssh as their first thing to
>do in a shell on the box.

I think a lot of time could be spent trying best effort to protect end
users from themselves (I am not thinking about ISPs here), and users will
eventually either through carelessness or accident install something, or
misconfigure something that will allow their system to be remotely
compromised.  But, even if you do disable potentially dangerous services,
there is nothing to prevent the user from fumbling around and re-enabling
it, there by subverting the original intent to protect them.  Perhaps
another strategy is just documentation.  Add another section into the
security man pages, or even put a reminder in big letters in the default
MOTD reminding new users to understand the implications of installing
certain services on their boxes.  Especially these days when the majority
of systems will be on some sort of potentially hostile network.

The security(7) man page is an excellent guide for somewhat experienced
users.  However, for the class of user this thread seems to be talking
about, I think its generally over their heads no ?  Would the participants
of this thread see merit in someone undertaking (e.g. me) writing a
security document for a more novice user ? Something a little more
extensive that http://www.freebsd.org/security/#tat and something a little
more novice that security(7), especially with reference to clear text
passwords. I think if the first time user is told right from the outset to
think about security at the sysinstall page, and then reminded via the
default MOTD, they might stand a better chance to be security conscious so
that when they do use services like ftp and ftpd, they understand the
implications.

	---Mike
**********************************************************************
Mike Tancsa, Network Admin        *  mike@sentex.net
Sentex Communications Corp,       *  http://www.sentex.net/mike
Cambridge, Ontario                *  519 651 3400
Canada                            *


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?4.1.19991121180544.04252f00>