From owner-freebsd-bugs Fri Dec 5 05:20:05 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.7/8.8.7) id FAA24491 for bugs-outgoing; Fri, 5 Dec 1997 05:20:05 -0800 (PST) (envelope-from owner-freebsd-bugs)
Received: (from gnats@localhost) by hub.freebsd.org (8.8.7/8.8.7) id FAA24483; Fri, 5 Dec 1997 05:20:02 -0800 (PST) (envelope-from gnats)
Resent-Date: Fri, 5 Dec 1997 05:20:02 -0800 (PST)
Resent-Message-Id: <199712051320.FAA24483@hub.freebsd.org>
Resent-From: gnats (GNATS Management)
Resent-To: freebsd-bugs
Resent-Reply-To: FreeBSD-gnats@FreeBSD.ORG, volf@oasis.IAEhv.nl
Received: from news.IAEhv.nl (root@news.IAEhv.nl [194.151.64.4]) by hub.freebsd.org (8.8.7/8.8.7) with SMTP id FAA24276 for ; Fri, 5 Dec 1997 05:16:21 -0800 (PST) (envelope-from volf@oasis.IAEhv.nl)
Received: from oasis.IAEhv.nl (uucp@localhost) by news.IAEhv.nl (8.6.13/1.63) with IAEhv.nl; pid 19976 on Fri, 5 Dec 1997 13:16:19 GMT; id NAA19976 efrom: volf@oasis.IAEhv.nl; eto: freebsd.org!freebsd-gnats-submit
Received: from LOCAL (volf@localhost) by oasis.IAEhv.nl (8.8.7/1.63); pid 17921 on Fri, 5 Dec 1997 12:37:54 GMT; id MAA17921 efrom: volf; eto: UNKNOWN
Message-Id: <199712051237.MAA17921@oasis.IAEhv.nl>
Date: Fri, 5 Dec 1997 12:37:54 GMT
From: volf@oasis.IAEhv.nl (Frank Volf)
Reply-To: volf@oasis.IAEhv.nl
To: FreeBSD-gnats-submit@FreeBSD.ORG
Cc: volf@oasis.IAEhv.nl
X-Send-Pr-Version: 3.2
Subject: misc/5234: tcpwrappers/identd should belong to the base system
Sender: owner-freebsd-bugs@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

>Number: 5234
>Category: misc
>Synopsis: tcpwrappers/identd should belong to the base system
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-bugs
>State: open
>Class: change-request
>Submitter-Id: current-users
>Arrival-Date: Fri Dec 5 05:20:01 PST 1997
>Last-Modified:
>Originator: Frank Volf
>Organization: Frank Volf's private UUCP site, Eindhoven, the Netherlands
>Release: FreeBSD 2.2.5-STABLE i386
>Environment:
>Description:

FreeBSD is presented as an ideal Internet or Intranet server (which is of course unquestionable). It takes almost no work to configure a fully functional and reliable Internet server using a FreeBSD cdrom.

Unfortunately, in my opinion, the *base* system does not come with all security bits enabled that should be enabled on a secure internet server. In particular, I believe that the base FreeBSD system should have the tcpwrappers and the identd programs installed.

These programs can of course be installed as packages or ports, but installing them (especially tcpwrappers) requires specific knowledge and configuration, that should be done by a system administrator after the system has been configured.

I think the security of FreeBSD (and the security awareness of FreeBSD owners) can be increased by moving these programs from packages to the base FreeBSD system and enabling them by default in /etc/inetd.conf.

With enabling the tcpwrappers I don't mean to prohibit connections to the system, a "permit all" in /etc/hosts.allow is perfectly acceptable as a default. But by having a /etc/hosts.{allow,deny} in the base system and tcpwrappers enabled by default, we make it a lot easier for people to make their system secure. Also, the tcpwrappers allow us to log more information about who is using what service.

The identd is too valuable a program for tracking down problems not to have in the base system.

Thankx,

Frank

>How-To-Repeat:
>Fix:
>Audit-Trail:
>Unformatted: