From owner-freebsd-security Mon Nov 22 2:16:46 1999 Delivered-To: freebsd-security@freebsd.org Received: from wit395301.student.utwente.nl (wit395301.student.utwente.nl [130.89.235.121]) by hub.freebsd.org (Postfix) with ESMTP id 1DB31158F9; Mon, 22 Nov 1999 02:16:41 -0800 (PST) (envelope-from jeroen@vangelderen.org) Received: from [10.235.121.14] (helo=vangelderen.org) by wit395301.student.utwente.nl with esmtp (Exim 2.05 #1) id 11pqWM-0003NJ-00; Mon, 22 Nov 1999 11:16:30 +0100 Message-ID: <383917D8.32C2AAE4@vangelderen.org> Date: Mon, 22 Nov 1999 11:15:52 +0100 From: "Jeroen C. van Gelderen" X-Mailer: Mozilla 4.61 [en] (Win98; U) X-Accept-Language: en MIME-Version: 1.0 To: Mike Tancsa Cc: Eivind Eklund , Nate Williams , security@FreeBSD.ORG Subject: Re: Disabling FTP (was Re: Why not sandbox BIND?) References: <199911201808.LAA10767@mt.sri.com> <19991112173306.D76708@florence.pavilion.net> <19991112212912.Z57266@rucus.ru.ac.za> <199911121946.LAA24616@apollo.backplane.com> <199911122114.OAA20606@mt.sri.com> <19991113012855.A62879@fasterix.frmug.org> <199911130031.RAA21117@mt.sri.com> <19991120190417.I602@bitbox.follo.net> <199911201808.LAA10767@mt.sri.com> <4.1.19991121180544.04252f00@granite.sentex.ca> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Mike Tancsa wrote: > I think a lot of time could be spent trying best effort to protect end > users from themselves (I am not thinking about ISPs here), and users will > eventually either through carelessness or accident install something, or > misconfigure something that will allow their system to be remotely > compromised. But, even if you do disable potentially dangerous services, > there is nothing to prevent the user from fumbling around and re-enabling > it, there by subverting the original intent to protect them. This is not just about stupid end-users. Even experienced users can get bitten by this. The enabled services introduce a window of opportunity and can be easily forgotten. This is exactly the reason why your average firewall defaults to deny-all-except instead of allow-all-except... > Perhaps > another strategy is just documentation. Add another section into the > security man pages, or even put a reminder in big letters in the default > MOTD reminding new users to understand the implications of installing > certain services on their boxes. Especially these days when the majority > of systems will be on some sort of potentially hostile network. > > The security(7) man page is an excellent guide for somewhat experienced > users. However, for the class of user this thread seems to be talking > about, I think its generally over their heads no ? Would the participants > of this thread see merit in someone undertaking (e.g. me) writing a > security document for a more novice user ? Go for it! > Something a little more > extensive that http://www.freebsd.org/security/#tat and something a little > more novice that security(7), especially with reference to clear text > passwords. I think if the first time user is told right from the outset to > think about security at the sysinstall page, and then reminded via the > default MOTD, they might stand a better chance to be security conscious so > that when they do use services like ftp and ftpd, they understand the > implications. Hmm, so what are you going to tell the newbee? Turn off any services you don't need and turn on any services you do need? Now consider a box with the various services disabled by default. The advice gets simpler, doesn't it? Cheers, Jeroen -- Jeroen C. van Gelderen - jeroen@vangelderen.org Interesting read: http://www.vcnet.com/bms/ JLF To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message