Date: Sun, 21 Nov 1999 01:36:33 +0100
From: "Jeroen C. van Gelderen" <jeroen@vangelderen.org>
To: Nate Williams <nate@mt.sri.com>
Cc: Eivind Eklund <eivind@FreeBSD.ORG>, Matthew Dillon <dillon@apollo.backplane.com>, security@FreeBSD.ORG
Subject: Re: Disabling FTP (was Re: Why not sandbox BIND?)
Message-ID: <38373E91.74688367@vangelderen.org>
References: <4.2.0.58.19991111220759.044f46d0@localhost> <Pine.BSF.4.10.9911120922190.85007-100000@jade.chc-chimes.c <4.2.0.58.19991112102309.045abf00@localhost> <19991112173306.D76708@florence.pavilion.net> <19991112212912.Z57266@rucus.ru.ac.za> <199911121946.LAA24616@apollo.backplane.com> <199911122114.OAA20606@mt.sri.com> <19991113012855.A62879@fasterix.frmug.org> <199911130031.RAA21117@mt.sri.com> <19991120190417.I602@bitbox.follo.net> <199911201808.LAA10767@mt.sri.com>
Nate Williams wrote:
> NOT! Then we'd be worse than a windoze box.

Why? You can easily enable the services you need. And disabling would increase security even more over windoze ;-p On top of that you don't have to reboot for those newly enabled services to work ;-p

You could argue that disabling services is as easy, but then you're forgetting that having them enabled by default introduces a window of opportunity. And of course it's easy to forget to turn off a service you don't need. By disabling services you prevent these problems.

Assuming that most every user on most every box tweaks its configuration anyway, disabling services doesn't introduce a lot more work. In the end it's all allow-all-except vs. deny-all-except and IMO the latter is a winner.

> I think most of you 'ISP' types are forgetting that *MOST* of the
> FreeBSD boxes out there are installed by users, not big businesses.

As a *user* managing only 19 FreeBSD boxen I'd appreciate the change.

> Making the box unusable for most people, but 'secure' for a very
> small portion of people is not a winning strategy.

This is *way* exaggerated. If you can't enable the services you need the box is unusable to you anyway. We're not Linux.

Cheers,
Jeroen
--
Jeroen C. van Gelderen - jeroen@vangelderen.org
Interesting read: http://www.vcnet.com/bms/ JLF