From owner-freebsd-security  Sun Oct 17 12:52:18 1999
Delivered-To: freebsd-security@freebsd.org
Received: from pogo.caustic.org (pogo.caustic.org [216.69.69.123])
	by hub.freebsd.org (Postfix) with ESMTP id 5F58A14A2D
	for <freebsd-security@FreeBSD.ORG>; Sun, 17 Oct 1999 12:52:14 -0700 (PDT)
	(envelope-from jan@caustic.org)
Received: from localhost (jan@localhost)
	by pogo.caustic.org (8.9.3/ignatz) with ESMTP id MAA05800;
	Sun, 17 Oct 1999 12:51:19 -0700 (PDT)
Date: Sun, 17 Oct 1999 12:51:19 -0700 (PDT)
From: "f.johan.beisser" <jan@caustic.org>
To: Alex Charalabidis <alex@wnm.net>
Cc: tom brown <tmcb1971@yahoo.com>, freebsd-security@FreeBSD.ORG
Subject: Re: General securiy of vanilla install WAS [FreeSSH]
In-Reply-To: <Pine.BSI.4.05.9910162349330.14034-100000@earth.wnm.net>
Message-ID: <Pine.BSF.4.05.9910171231220.93538-100000@pogo.caustic.org>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org


-- on inetd --

actually, i think that most experienced freebsd folks would just vi
/etc/rc.conf and add the line 'inetd_enable="NO"'.

yes, there should be a simple option to have this enabled or disabled from
/stand/sysinstall.

perhaps a simple check menu for each of the services in a row.. and at the
top something for the inetd?

-- vanilla install security --

in general, disabling everything in a vanilla install might be counter
productive for the average user, since most folks who install freebsd
don't use it as a workstation. they tend to use it as a server (this is my
own bias, since 80% of the FreeBSD boxen that i build are servers anyway),
and need most of the services from the inetd.

the first installs i do are: ssh (we have a happy tarball already made,
and has all the configurations there), shells we might need, edit down the
inetd.conf (or dissable it). it doesn't take me much more than 30 minutes
per machine for specific installs, or about 15 minutes for a general
install.

on workstation installs, i dissable the inetd completely, then do the
standard installs from there. X and such adds to the time it takes to get
the install done.

of course, this is just my stupid $0.02 worth on this.

on another note, has anyone considered replacing sendmail in the base
dist of FBSD?

see ya all at the con,
-- jan





To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message