From owner-freebsd-security Sat Oct 16 22:12:07 1999
Date: Sun, 17 Oct 1999 00:11:51 -0500 (CDT)
From: Alex Charalabidis <alex@wnm.net>
To: tom brown
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: General security of vanilla install WAS [FreeSSH]
In-Reply-To: <19991017043046.5909.rocketmail@web115.yahoomail.com>

On Sat, 16 Oct 1999, tom brown wrote:

> I think we've lost the direction here somewhere.
> This started as a conversation about 'security' options.
>
> But something should be done to allow the less
> experienced users to roll out a box that can sit
> unprotected on the net. Personal experience has
> demonstrated that many insecure installs are out there
> running in production environments. People often seem
> to have the impression that unix is secure, but they
> don't understand what they need to do to make it that
> way.
> This ought to be addressed in future releases.

I don't remember off-hand which services are enabled by default on a stock installation, but I do remember always having to shut down a few on every new machine I install FreeBSD on (which means most machines that hit my desk).

Somewhere in this thread, someone mentioned installing tcsh/bash and ssh as the first tasks on a new box. Wrong. The first thing we do is vi inetd.conf and shut down unneeded services. Those who don't know enough to do so are SOL. Sure, they need to learn, but letting them learn by having their machines cracked is counterproductive.

Granted, it is by far not as bad as it is with certain eponymous Linux distributions that come so service-happy it's scary, but there are concerns about new FreeBSD installations too. New users don't need the services (and shouldn't be running them); experienced users would rather enable what they need themselves.

> If /stand/sysinstall had a checkbox in the install
> that said "don't run services" that would go a long way to
> stopping vanilla installs being "cracked", thereby giving
> the project a bad name. Simple IP filtering would also
> be a bonus.

Sounds very reasonable. Though maybe "run services" should be off by default.

-ac

--
Alex Charalabidis
WebNet Memphis
(901) 432-6000
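The "vi inetd.conf and shut down unneeded services" step from the message above, scripted as an added example (not code from the original thread or from FreeBSD): it comments out every active inetd.conf entry except an allowlist and reports what is still enabled. The inetd.conf fragment is constructed for the demonstration; the function names are ours.

```shell
#!/bin/sh
# Added example: lock down an inetd.conf copy to an allowlist of services,
# using the same "#" comment-out that the message describes doing by hand.

# Constructed sample inetd.conf fragment (not a real system file).
SAMPLE_INETD=$(cat <<'EOF'
# Internet server configuration database
ftp     stream  tcp     nowait  root    /usr/libexec/ftpd       ftpd -l
telnet  stream  tcp     nowait  root    /usr/libexec/telnetd    telnetd
shell   stream  tcp     nowait  root    /usr/libexec/rshd       rshd
finger  stream  tcp     nowait/3/10 nobody /usr/libexec/fingerd fingerd -s
ssh     stream  tcp     nowait  root    /usr/local/sbin/sshd    sshd -i
EOF
)

# list_enabled FILE: print the service name of every active (uncommented)
# entry, one per line. Useful as a before/after audit of the file.
list_enabled() {
    awk '!/^[[:space:]]*#/ && NF >= 6 { print $1 }' "$1"
}

# disable_all_but FILE KEEP...: comment out every active entry whose service
# name is not listed in KEEP. Writes via a temp file, then replaces FILE.
disable_all_but() {
    file=$1; shift
    keep=" $* "
    tmp=$(mktemp) || return 1
    while IFS= read -r line; do
        case $line in
            ''|\#*) printf '%s\n' "$line" ;;     # blank or already disabled
            *)
                set -- $line                     # $1 is the service name
                case $keep in
                    *" $1 "*) printf '%s\n' "$line" ;;   # allowlisted
                    *)        printf '#%s\n' "$line" ;;  # disable it
                esac ;;
        esac
    done < "$file" > "$tmp" && mv "$tmp" "$file"
}
```

Run it against a copy of the real file first and diff the result before touching /etc/inetd.conf; inetd must be signalled (HUP) to reread the file.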