Date: Sun, 21 Nov 1999 17:17:54 -0800
From: "FreeBSD" <freebsd@gtonet.net>
To: <freebsd-security@freebsd.org>
Subject: RE: Disabling FTP (was Re: Why not sandbox BIND?)
Message-ID: <NCBBILEECKNKMONCIAIOKECJCDAA.freebsd@gtonet.net>
In-Reply-To: <Pine.BSF.4.21.9911211832330.19746-100000@isr4033.urh.uiuc.edu>

I think you misunderstood my intention, I'm not saying named is a hole, it's a service that sometimes is a security risk just as ftpd, telnetd and fingerd (add your favorites here) could be. NOT everyone needs/uses/wants ftpd, sendmail or telnetd, in fact, people are discouraged from using telnet in favor of the more secure ssh/openssh alternative. Very few people need to run an ftpd, and most users don't run their own mail servers, they use their ISP's.

Maybe the warezpups, who are still stuck on LinSUX, believe that (potentially) insecure services should be started by default so they don't have to bother reading about how to enable them so they can continue their continuous down/uploads, but I prefer to enable the things I need rather than disable the things I don't. Anyone who can't enable a service they need should read the man page, a relevant web page, check a help channel on irc or a newsgroup.

It just makes no sense to enable a bunch of stuff most people don't need that could come back to bite them later, rather than have them disabled from the setup and enabled as needed. At least give them an option during the install to configure for a "more-secure install" (disabled) or "less-secure install" (enabled). I'm sure I know which most would choose.

Just my 2 cents,

FreeBSD
freebsd@gtonet.net

"LinSUX is only free if your time is worthless"

> -----Original Message-----
> From: owner-freebsd-security@FreeBSD.ORG
> [mailto:owner-freebsd-security@FreeBSD.ORG]On Behalf Of Frank Tobin
> Sent: Sunday, November 21, 1999 4:43 PM
> To: FreeBSD-security Mailing List
> Subject: RE: Disabling FTP (was Re: Why not sandbox BIND?)
>
> FreeBSD, at 15:45 on Sun, 21 Nov 1999, wrote:
>
> > I disagree, partly anyway, I think it IS important to disable any and all
> > potential security risks AND have the documentation tell them how to turn
> > them on and what the implications of that would be. Better docs? You bet,
> > great idea. Blurb in the MOTD? Sure, sounds great! Security has always been
> > one of the best things about FreeBSD, let's not screw it up by enabling
> > things that can compromise that. We don't have new users install BIND 8.1.2
> > and TELL them to patch to P5, we just compile 8.2.2-P5 on install instead.
> > Why would we enable the holes and just tell them to disable them?
>
> The bind example is not a good one, as there is not a difference in
> functionality; the primary point that I think that the person you were
> replying to was that new users need functionality instead of a
> non-functionality in their new box. They are expecting certain things to be
> there when they install a box, such as telnetd, ftpd, and sendmail. These
> daemons are not holes, as you state; they are access points.
>
> I feel the best solution overall is to make this an option upon
> install. Something in the likes of "enable standard internet services?",
> with a blurb _there_ about the implications of choosing/not choosing the
> option.
>
> --
> Frank Tobin http://www.neverending.org/~ftobin/
>
> "To learn what is good and what is to be valued,
> those truths which cannot be shaken or changed." Myst: The Book of Atrus
>
> OpenPGP: 4F86 3BBB A816 6F0A 340F 6003 56FF D10A 260C 4FA3
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message