Date: Mon, 22 Nov 1999 11:15:52 +0100
From: "Jeroen C. van Gelderen" <jeroen@vangelderen.org>
To: Mike Tancsa <mike@sentex.net>
Cc: Eivind Eklund <eivind@FreeBSD.ORG>, Nate Williams <nate@mt.sri.com>, security@FreeBSD.ORG
Subject: Re: Disabling FTP (was Re: Why not sandbox BIND?)
Message-ID: <383917D8.32C2AAE4@vangelderen.org>
References: <199911201808.LAA10767@mt.sri.com> <Pine.BSF.4.10.9911120922190.85007-100000@jade.chc-chimes.c <4.2.0.58.19991112102309.045abf00@localhost> <19991112173306.D76708@florence.pavilion.net> <19991112212912.Z57266@rucus.ru.ac.za> <199911121946.LAA24616@apollo.backplane.com> <199911122114.OAA20606@mt.sri.com> <19991113012855.A62879@fasterix.frmug.org> <199911130031.RAA21117@mt.sri.com> <19991120190417.I602@bitbox.follo.net> <199911201808.LAA10767@mt.sri.com> <4.1.19991121180544.04252f00@granite.sentex.ca>
Mike Tancsa wrote:
> I think a lot of time could be spent trying best effort to protect end
> users from themselves (I am not thinking about ISPs here), and users will
> eventually either through carelessness or accident install something, or
> misconfigure something that will allow their system to be remotely
> compromised. But, even if you do disable potentially dangerous services,
> there is nothing to prevent the user from fumbling around and re-enabling
> it, thereby subverting the original intent to protect them.

This is not just about stupid end-users. Even experienced users can get
bitten by this. The enabled services introduce a window of opportunity and
can be easily forgotten. This is exactly the reason why your average
firewall defaults to deny-all-except instead of allow-all-except...

> Perhaps
> another strategy is just documentation. Add another section into the
> security man pages, or even put a reminder in big letters in the default
> MOTD reminding new users to understand the implications of installing
> certain services on their boxes. Especially these days when the majority
> of systems will be on some sort of potentially hostile network.
>
> The security(7) man page is an excellent guide for somewhat experienced
> users. However, for the class of user this thread seems to be talking
> about, I think it's generally over their heads, no? Would the participants
> of this thread see merit in someone undertaking (e.g. me) writing a
> security document for a more novice user?

Go for it!

> Something a little more
> extensive than http://www.freebsd.org/security/#tat and something a little
> more novice than security(7), especially with reference to clear text
> passwords.
>
> I think if the first time user is told right from the outset to
> think about security at the sysinstall page, and then reminded via the
> default MOTD, they might stand a better chance to be security conscious so
> that when they do use services like ftp and ftpd, they understand the
> implications.

Hmm, so what are you going to tell the newbie? Turn off any services you
don't need and turn on any services you do need?

Now consider a box with the various services disabled by default. The
advice gets simpler, doesn't it?

Cheers,
Jeroen
--
Jeroen C. van Gelderen - jeroen@vangelderen.org
Interesting read: http://www.vcnet.com/bms/
JLF