From owner-freebsd-security Sat Nov 20 16:37:47 1999
Delivered-To: freebsd-security@freebsd.org
Received: from wit395301.student.utwente.nl (wit395301.student.utwente.nl [130.89.235.121])
	by hub.freebsd.org (Postfix) with ESMTP id 6A8E114BDB;
	Sat, 20 Nov 1999 16:37:38 -0800 (PST)
	(envelope-from jeroen@vangelderen.org)
Received: from [10.235.121.14] (helo=vangelderen.org)
	by wit395301.student.utwente.nl with esmtp (Exim 2.05 #1)
	id 11pL0H-0000tv-00; Sun, 21 Nov 1999 01:37:17 +0100
Message-ID: <38373E91.74688367@vangelderen.org>
Date: Sun, 21 Nov 1999 01:36:33 +0100
From: "Jeroen C. van Gelderen"
X-Mailer: Mozilla 4.61 [en] (Win98; U)
X-Accept-Language: en
MIME-Version: 1.0
To: Nate Williams
Cc: Eivind Eklund , Matthew Dillon , security@FreeBSD.ORG
Subject: Re: Disabling FTP (was Re: Why not sandbox BIND?)
References: <4.2.0.58.19991111220759.044f46d0@localhost> <19991112173306.D76708@florence.pavilion.net> <19991112212912.Z57266@rucus.ru.ac.za> <199911121946.LAA24616@apollo.backplane.com> <199911122114.OAA20606@mt.sri.com> <19991113012855.A62879@fasterix.frmug.org> <199911130031.RAA21117@mt.sri.com> <19991120190417.I602@bitbox.follo.net> <199911201808.LAA10767@mt.sri.com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Nate Williams wrote:
> NOT! Then we'd be worse than a windoze box.

Why? You can easily enable the services you need. And disabling
would increase security even more over windoze ;-p On top of
that you don't have to reboot for those newly enabled services
to work ;-p

You could argue that disabling services is as easy, but then
you're forgetting that having them enabled by default introduces
a window of opportunity. And of course it's easy to forget to
turn off a service you don't need. By disabling services you
prevent these problems.

Assuming that most every user on most every box tweaks its
configuration anyway, disabling services doesn't introduce a lot
more work. In the end it's all allow-all-except vs.
deny-all-except and IMO the latter is a winner.

> I think most of you 'ISP' types are forgetting that *MOST* of the
> FreeBSD boxes out there are installed by users, not big businesses.

As a *user* managing only 19 FreeBSD boxen I'd appreciate the
change.

> Making the box unusable for most people, but 'secure' for a very
> small portion of people is not a winning strategy.

This is *way* exaggerated. If you can't enable the services you
need the box is unusable to you anyway. We're not Linux.

Cheers,
Jeroen
-- 
Jeroen C. van Gelderen - jeroen@vangelderen.org
Interesting read: http://www.vcnet.com/bms/ JLF