Date:      Fri, 5 Dec 1997 12:37:54 GMT
From:      volf@oasis.IAEhv.nl (Frank Volf)
To:        FreeBSD-gnats-submit@FreeBSD.ORG
Cc:        volf@oasis.IAEhv.nl
Subject:   misc/5234: tcpwrappers/identd should belong to the base system
Message-ID:  <199712051237.MAA17921@oasis.IAEhv.nl>
Resent-Message-ID: <199712051320.FAA24483@hub.freebsd.org>


>Number:         5234
>Category:       misc
>Synopsis:       tcpwrappers/identd should belong to the base system
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Fri Dec  5 05:20:01 PST 1997
>Last-Modified:
>Originator:     Frank Volf
>Organization:
Frank Volf's private UUCP site, Eindhoven, the Netherlands
>Release:        FreeBSD 2.2.5-STABLE i386
>Environment:
>Description:

FreeBSD is presented as an ideal Internet or Intranet server (which is of
course unquestionable). It takes almost no work to configure a fully
functional and reliable Internet server using a FreeBSD cdrom.
Unfortunately, in my opinion, the *base* system does not come with all
security bits enabled that should be enabled on a secure internet server.

In particular, I believe that the base FreeBSD system should have the
tcpwrappers and the identd programs installed. These programs can of course
be installed as packages or ports, but installing them (especially
tcpwrappers) requires specific knowledge and configuration, that should be
done by a system administrator after the system has been configured.

I think the security of FreeBSD (and the security awareness of FreeBSD
owners) can be increased by moving these programs from packages to the base
FreeBSD system and enabling them by default in /etc/inetd.conf.  With
enabling the tcpwrappers I don't mean to prohibit connections to the system,
a "permit all" in /etc/hosts.allow is perfectly acceptable as a default. But
by having a /etc/hosts.{allow,deny} in the base system and tcpwrappers
enabled by default, we make it a lot easier for people to make their system
secure. Also, the tcpwrappers allow us to log more information about who
is using what service.

The identd is too valuable a program for tracking down problems not to
have in the base system.

Thankx,

            Frank
>How-To-Repeat:
>Fix:
>Audit-Trail:
>Unformatted:
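
Added example, not part of the original report: a small audit that lists the enabled services in an inetd.conf-style file that are not started through tcpd, which is the state the report proposes to change by default. The sample file is constructed, and the tcpd path /usr/local/libexec/tcpd is an assumption.

```shell
#!/bin/sh
# Added example: list enabled inetd services that are not started through tcpd.
# inetd.conf fields: service socket-type proto wait/nowait user server-program args...

unwrapped_services() {
    # $1: path to an inetd.conf-style file
    awk '
        $1 ~ /^#/        { next }   # commented-out (disabled) entry
        NF < 6           { next }   # blank or incomplete line
        $6 == "internal" { next }   # handled inside inetd, no external daemon
        {
            n = split($6, parts, "/")               # basename of server program
            if (parts[n] != "tcpd") print $1 "/" $3 # not wrapped: report it
        }
    ' "$1"
}

# Constructed sample input; the tcpd install path is an assumption.
sample_inetd_conf() {
    cat <<'EOF'
# constructed sample inetd.conf
ftp     stream  tcp  nowait  root    /usr/local/libexec/tcpd  ftpd -l
telnet  stream  tcp  nowait  root    /usr/libexec/telnetd     telnetd
#shell  stream  tcp  nowait  root    /usr/libexec/rshd        rshd
finger  stream  tcp  nowait  nobody  /usr/local/libexec/tcpd  fingerd -s
daytime stream  tcp  nowait  root    internal
ntalk   dgram   udp  wait    root    /usr/libexec/ntalkd      ntalkd
EOF
}

# Run the audit over the constructed sample and print unwrapped services.
audit_sample() {
    tmp=$(mktemp) || return 1
    sample_inetd_conf > "$tmp"
    unwrapped_services "$tmp"
    rm -f "$tmp"
}

audit_sample
```

Services reported here bypass /etc/hosts.allow and /etc/hosts.deny entirely, so neither the access rules nor the extra connection logging mentioned in the report apply to them.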


