From owner-freebsd-security  Sat Nov 20 16:37:47 1999
Delivered-To: freebsd-security@freebsd.org
Received: from wit395301.student.utwente.nl (wit395301.student.utwente.nl [130.89.235.121])
	by hub.freebsd.org (Postfix) with ESMTP
	id 6A8E114BDB; Sat, 20 Nov 1999 16:37:38 -0800 (PST)
	(envelope-from jeroen@vangelderen.org)
Received: from [10.235.121.14] (helo=vangelderen.org)
	by wit395301.student.utwente.nl with esmtp (Exim 2.05 #1)
	id 11pL0H-0000tv-00; Sun, 21 Nov 1999 01:37:17 +0100
Message-ID: <38373E91.74688367@vangelderen.org>
Date: Sun, 21 Nov 1999 01:36:33 +0100
From: "Jeroen C. van Gelderen" <jeroen@vangelderen.org>
X-Mailer: Mozilla 4.61 [en] (Win98; U)
X-Accept-Language: en
MIME-Version: 1.0
To: Nate Williams <nate@mt.sri.com>
Cc: Eivind Eklund <eivind@FreeBSD.ORG>,
	Matthew Dillon <dillon@apollo.backplane.com>, security@FreeBSD.ORG
Subject: Re: Disabling FTP (was Re: Why not sandbox BIND?)
References: <4.2.0.58.19991111220759.044f46d0@localhost>
		<Pine.BSF.4.10.9911120922190.85007-100000@jade.chc-chimes.c <4.2.0.58.19991112102309.045abf00@localhost>
		<19991112173306.D76708@florence.pavilion.net>
		<19991112212912.Z57266@rucus.ru.ac.za>
		<199911121946.LAA24616@apollo.backplane.com>
		<199911122114.OAA20606@mt.sri.com>
		<19991113012855.A62879@fasterix.frmug.org>
		<199911130031.RAA21117@mt.sri.com>
		<19991120190417.I602@bitbox.follo.net> <199911201808.LAA10767@mt.sri.com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Nate Williams wrote:
> NOT!  Then we'd be worse than a windoze box.

Why? You can easily enable the services you need. And disabling would
increases security even more over windoze ;-p On top of that you don't 
have to reboot for those newly enabled services to work ;-p

You could argue that disabling services is as easy, but then you're
forgetting that having them enabled by default introduces a window
of opportunity. And of course it's easy to forget to turn off a
service you don't need. By disabling services you prevent these
problems.

Assuming that most every user on most every box tweaks it's 
configuration anyway, disabling services doesn't introduce a
lot more work.

In the end it's all allow-all-except vs. deny-all-except and IMO
the latter is a winner.

> I think most of you 'ISP' types are forgetting that *MOST* of the
> FreeBSD boxes out there are installed by users, not big businesses.

As a *user* managing only 19 FreeBSD boxen I'd appreciate the change.

> Making the box unusable for most people, but 'secure' for a very 
> small portio of people is not a winning strategy.

This is *way* exaggerated. If you can't enable the services you 
need the box is unusable to you anyway. We're not Linux.

Cheers,
Jeroen
-- 
Jeroen C. van Gelderen - jeroen@vangelderen.org
Interesting read: http://www.vcnet.com/bms/ JLF


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message