Date:      Sun, 17 Oct 1999 18:02:25 -0400
From:      Justin Wells <jread@semiotek.com>
To:        "Jeffrey J. Mountin" <jeff-ml@mountin.net>
Cc:        Alex Charalabidis <alex@wnm.net>, freebsd-security@FreeBSD.ORG
Subject:   Re: General securiy of vanilla install WAS [FreeSSH]
Message-ID:  <19991017180225.A9804@semiotek.com>
In-Reply-To: <3.0.3.32.19991017152906.00aa7100@207.227.119.2>
References:  <19991017043046.5909.rocketmail@web115.yahoomail.com> <Pine.BSI.4.05.9910162349330.14034-100000@earth.wnm.net> <3.0.3.32.19991017152906.00aa7100@207.227.119.2>

On Sun, Oct 17, 1999 at 03:29:06PM -0500, Jeffrey J. Mountin wrote:

> Anyone expecting to just install and drop it off the wire should get what
> they deserve for their minimal effort.

> To be fair, we could have a firewall distribution, but even so it would be
> a compromise and still require a certain level of knowledge to do right.

A simple firewall would go a long way. By default allow everything 
outbound and nothing inbound. Or allow only inbound www, ssh, identd,
passive ftp, and smtp--so people don't ask why they aren't allowed 
on IRC, can't FTP the dists, can't see their website, and don't get
their mail. 

The firewall configuration file should be well commented, and there 
should be a loud message in the install explaining that it's there.


> >Somewhere in this thread, someone mentioned installing tcsh/bash and ssh
> >as the first tasks on a new box. Wrong. The first thing we do is vi
> >inetd.conf and shut down unneeded services. Those who don't know enough to
> >do so are SOL. Sure, they need to learn but letting them learn by having
> >their machines cracked is counterproductive.
> 
> Not wrong.  Why connect to the network before the system is ready? ;)

The first thing I do is bring up the firewall :-) The first thing I 
install is "screen" so that I can poke around in the background while
"make world" is running in single user mode. 


> It's better than it used to be.  Either services in inetd.conf should *all*
> be commented or inetd should not be started in rc.conf, along with
> sendmail.  AFAICR, sendmail is on since it is so commonly used and to avoid
> newbies asking about it, but then they will ask anyways and so we have
> these little discussions from time to time.

I love those old Slackware systems that used to install with 'ps' 
and 'netstat' running out of inetd. 


> Trouble is new users.  All more experienced types know what they (don't)
> want, so where things are is more of a compromise.

However, most new users think that they want to have telnetd installed, 
and since it is installed by default, they think it must be OK. If they
had to turn it on, it might occur to them that cleartext protocols and 
public networks don't mix. Especially if a comment in inetd.conf said 
so :-)

Justin
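As an added illustration (not part of the original message) of the default ruleset Justin sketches above, here is an ipfw script in the style of FreeBSD's /etc/rc.firewall: everything outbound, inbound only www, ssh, identd, ftp (with an assumed passive data range) and smtp, with comments in the file so a new user can see why each hole exists. MY_IP, DNS_SERVERS and PASV_RANGE are constructed placeholders; by default the script only prints the rules for review and hands them to /sbin/ipfw only when FW_APPLY=1.

```shell
#!/bin/sh
# Added example ruleset, not from the original post.  Policy: allow all
# outbound, allow inbound only www, ssh, identd, ftp (+ passive data) and
# smtp, drop and log everything else.  Dry run unless FW_APPLY=1.
MY_IP="${MY_IP:-192.0.2.10}"              # constructed address of this box
DNS_SERVERS="${DNS_SERVERS:-192.0.2.53}"  # constructed resolver address(es)
PASV_RANGE="${PASV_RANGE:-49152-65535}"   # assumed ftpd passive data ports
if [ "${FW_APPLY:-0}" = "1" ]; then
    fwcmd="/sbin/ipfw"
else
    fwcmd="echo /sbin/ipfw"               # review the rules before loading
fi

emit_rules() {
    ${fwcmd} -f flush
    # Loopback is always fine; loopback addresses on a real wire are not.
    ${fwcmd} add 100 pass all from any to any via lo0
    ${fwcmd} add 200 deny all from any to 127.0.0.0/8
    ${fwcmd} add 300 deny ip from 127.0.0.0/8 to any
    # Stateless TCP: replies to sessions already open carry the ACK bit.
    ${fwcmd} add 1000 pass tcp from any to any established
    # Inbound services from the text; "setup" matches only the initial SYN,
    # so nothing else can be opened towards this host.
    for port in 80 22 113 21 25; do
        ${fwcmd} add 2000 pass tcp from any to ${MY_IP} ${port} setup
    done
    ${fwcmd} add 2100 pass tcp from any to ${MY_IP} ${PASV_RANGE} setup
    # Everything outbound.
    ${fwcmd} add 3000 pass tcp from ${MY_IP} to any setup
    # UDP has no "established"; let only our own resolvers' answers back in.
    ${fwcmd} add 4000 pass udp from ${MY_IP} to any 53
    for ns in ${DNS_SERVERS}; do
        ${fwcmd} add 4100 pass udp from ${ns} 53 to ${MY_IP}
    done
    # Anything else inbound is dropped; new TCP sessions are logged so the
    # owner can see what is knocking (e.g. telnet on 23 never gets through).
    ${fwcmd} add 65000 deny log tcp from any to any setup
    ${fwcmd} add 65500 deny all from any to any
}

emit_rules
```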


