Date:      Sun, 21 Nov 1999 15:45:45 -0800
From:      "FreeBSD" <freebsd@gtonet.net>
To:        <freebsd-security@FreeBSD.ORG>
Subject:   RE: Disabling FTP (was Re: Why not sandbox BIND?)
Message-ID:  <NCBBILEECKNKMONCIAIOEECICDAA.freebsd@gtonet.net>
In-Reply-To: <4.1.19991121180544.04252f00@granite.sentex.ca>

> -----Original Message-----
> From: owner-freebsd-security@FreeBSD.ORG
> [mailto:owner-freebsd-security@FreeBSD.ORG]On Behalf Of Mike Tancsa
> Sent: Sunday, November 21, 1999 3:26 PM
> To: Eivind Eklund; Nate Williams
> Cc: security@FreeBSD.ORG
> Subject: Re: Disabling FTP (was Re: Why not sandbox BIND?)
>
>
> At 06:02 PM 11/21/99 , Eivind Eklund wrote:
> >Most people do NOT need network services running when they set up
> >a new box.  A lot of people get screwed by having extra services they
> >do not need.
> >
> >Most users sit on the console of the box they are installing while
> >doing initial setup, and most of those of them that feel they need
> >access to the box from the network install ssh as their first thing to
> >do in a shell on the box.
>
> I think a lot of time could be spent trying best effort to protect end
> users from themselves (I am not thinking about ISPs here), and users will
> eventually either through carelessness or accident install something, or
> misconfigure something that will allow their system to be remotely
> compromised.  But, even if you do disable potentially dangerous services,
> there is nothing to prevent the user from fumbling around and re-enabling
> it, thereby subverting the original intent to protect them.  Perhaps
> another strategy is just documentation.  Add another section into the
> security man pages, or even put a reminder in big letters in the default
> MOTD reminding new users to understand the implications of installing
> certain services on their boxes.  Especially these days when the majority
> of systems will be on some sort of potentially hostile network.
>

I disagree, partly anyway, I think it IS important to disable any and all
potential security risks AND have the documentation tell them how to turn
them on and what the implications of that would be. Better docs? You bet,
great idea. Blurb in the MOTD? Sure, sounds great! Security has always been
one of the best things about FreeBSD, let's not screw it up by enabling
things that can compromise that. We don't have new users install BIND 8.1.2
and TELL them to patch to P5, we just compile 8.2.2-P5 on install instead.
Why would we enable the holes and just tell them to disable them?

> The security(7) man page is an excellent guide for somewhat experienced
> users.  However, for the class of user this thread seems to be talking
> about, I think it's generally over their heads, no?  Would the participants
> of this thread see merit in someone undertaking (e.g. me) writing a
> security document for a more novice user? Something a little more
> extensive than http://www.freebsd.org/security/#tat and something a little
> more novice than security(7), especially with reference to clear text
> passwords. I think if the first time user is told right from the outset to
> think about security at the sysinstall page, and then reminded via the
> default MOTD, they might stand a better chance to be security conscious so
> that when they do use services like ftp and ftpd, they understand the
> implications.

I agree, and there are many great pages out there for FreeBSD security, but
it makes more sense to teach them about security by disabling the services
and teaching them about security while teaching them how to enable them.

>
> 	---Mike
> **********************************************************************
> Mike Tancsa, Network Admin        *  mike@sentex.net
> Sentex Communications Corp,       *  http://www.sentex.net/mike
> Cambridge, Ontario                *  519 651 3400
> Canada                            *
>

FreeBSD
freebsd@gtonet.net

"LinSUX is only free if your time is worthless"


