From owner-freebsd-security Fri Nov 12 16:31:55 1999
Delivered-To: freebsd-security@freebsd.org
Received: from ns.mt.sri.com (ns.mt.sri.com [206.127.79.91])
	by hub.freebsd.org (Postfix) with ESMTP id 73B1C150E5
	for ; Fri, 12 Nov 1999 16:31:48 -0800 (PST)
	(envelope-from nate@mt.sri.com)
Received: from mt.sri.com (rocky.mt.sri.com [206.127.76.100])
	by ns.mt.sri.com (8.9.3/8.9.3) with SMTP id RAA20045;
	Fri, 12 Nov 1999 17:31:15 -0700 (MST)
	(envelope-from nate@rocky.mt.sri.com)
Received: by mt.sri.com (SMI-8.6/SMI-SVR4)
	id RAA21117; Fri, 12 Nov 1999 17:31:14 -0700
Date: Fri, 12 Nov 1999 17:31:14 -0700
Message-Id: <199911130031.RAA21117@mt.sri.com>
From: Nate Williams
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
To: Pierre Beyssac
Cc: Nate Williams , Matthew Dillon , Barry Irwin , Josef Karthauser ,
	Brett Glass , Bill Fumerola ,
	Cy Schubert - ITSD Open Systems Group , security@FreeBSD.ORG
Subject: Re: Why not sandbox BIND?
In-Reply-To: <19991113012855.A62879@fasterix.frmug.org>
References: <4.2.0.58.19991111220759.044f46d0@localhost>
	<19991112173306.D76708@florence.pavilion.net>
	<19991112212912.Z57266@rucus.ru.ac.za>
	<199911121946.LAA24616@apollo.backplane.com>
	<199911122114.OAA20606@mt.sri.com>
	<19991113012855.A62879@fasterix.frmug.org>
X-Mailer: VM 6.34 under 19.16 "Lille" XEmacs Lucid
Reply-To: nate@mt.sri.com (Nate Williams)
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> > > Speaking of default system configurations - what do people think about
> > > turning off the 'ftp' service in the default configuration?
> >
> > Personally, I don't like it.  At least, not until SSH becomes a default
> > protocol in the system, since otherwise there is no way to transfer
> > files to/from FreeBSD boxes easily.
>
> You could still easily reenable ftpd if you need it.

Or, you could still easily disable ftpd since you almost *always* need
it right away.

> Given recent vulnerability history on many ftp daemons, I think it
> might be safer to disable FTP by default.

FreeBSD's ftpd is not susceptible.  Given the argument, why don't we
disable *ALL* network access, since all are suspect to break-ins. :(

(I'm kidding of course...)

Nate