Date: Sat, 20 Nov 1999 13:30:59 -0500
From: Craig Garner <xrayu@home.com>
To: Eivind Eklund <eivind@FreeBSD.ORG>
Cc: Nate Williams <nate@mt.sri.com>, Matthew Dillon <dillon@apollo.backplane.com>, security@FreeBSD.ORG
Subject: Re: Disabling FTP (was Re: Why not sandbox BIND?)
Message-ID: <3836E8E3.E9F9E009@home.com>
References: <4.2.0.58.19991111220759.044f46d0@localhost> <Pine.BSF.4.10.9911120922190.85007-100000@jade.chc-chimes.c <4.2.0.58.19991112102309.045abf00@localhost> <19991112173306.D76708@florence.pavilion.net> <19991112212912.Z57266@rucus.ru.ac.za> <199911121946.LAA24616@apollo.backplane.com> <199911122114.OAA20606@mt.sri.com> <19991113012855.A62879@fasterix.frmug.org> <199911130031.RAA21117@mt.sri.com> <19991120190417.I602@bitbox.follo.net>

Eivind Eklund wrote:
>
> On Fri, Nov 12, 1999 at 05:31:14PM -0700, Nate Williams wrote:
> > > > > Speaking of default system configurations - what do people think about
> > > > > turning off the 'ftp' service in the default configuration?
> > > >
> > > > Personally, I don't like it. At least, not until SSH becomes a default
> > > > protocol in the system, since otherwise there is no way to transfer
> > > > files to/from FreeBSD boxes easily.
> > >
> > > You could still easily reenable ftpd if you need it.
> >
> > Or, you could still easily disable ftpd since you almost *always* need
> > it right away.
>
> I've never, ever needed it. It transfers *cleartext* passwords. My
> view is that it is not usable for anything but anonymous FTP.
>
> > > Given recent vulnerability history on many ftp daemons, I think it
> > > might be safer to disable FTP by default.
> >
> > FreeBSD's ftpd is not susceptible. Given the argument, why don't we
> > disable *ALL* network access, since all are suspect to breakins. :( (I'm
> > kidding of course...)
>
> I am in favour of disabling all network access to boxes as they come
> from install. As it is, we have a bunch of things that are most often
> not necessary, and we're encouraging people (like poor misguided Nate
> here ;) to run protocols that do not encrypt passwords.
>
> Any proposal to disable things that listen to the network in our
> default setup will have my approval.
>
> Eivind.
>

If you think about it, why should someone who doesn't know how to turn something on and off have it on in the first place? I'm sure these ideas 'scare' newbie people who do not wish to read and figure out how to do this. I personally like to install a box, turn everything off, and then turn on what I need.

Craig

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message