Date: Tue, 23 Nov 1999 19:56:26 -0700
From: Wes Peters <wes@softweyr.com>
To: Frank Tobin <ftobin@uiuc.edu>
Cc: security@FreeBSD.ORG
Subject: Re: Disabling FTP
Message-ID: <383B53DA.1A8D7A65@softweyr.com>
References: <Pine.BSF.4.21.9911231717330.32081-100000@isr4033.urh.uiuc.edu>

Frank Tobin wrote:
>
> Wes Peters, at 16:13 on Tue, 23 Nov 1999, wrote:
>
> > There may be as many as 20 little knobs to turn on and off; this is NOT
> > going to SIMPLIFY the install.  At a glance, ftp, telnet, shell, login,
> > finger, ntalk, ident, and smtp are all ones to put in the Q&A, and that's
> > just glancing through /etc/inetd.conf quickly.  A newbie isn't going to
> > know what to do about any of them.  So, you give them a button that says
> > "I'm a newbie, let me install an OPEN system" and then point them at a
> > document that tells them what the differences between the "Newbie OPEN"
> > install and the "Expert Closed" install are, and why they differ.
>
> I agree with Wes; we're not trying to configure the entire system during
> install; rather, it seems we would like to choose from one of two
> inetd.conf's, one that has services enabled, and one that doesn't.  And
> let's please not use demeaning radio boxes like "newbie open" and "expert
> closed"; rather something along the lines of "services open (recommended
> for novices)" and "services closed (recommended for minimal security
> risk)".

Well, I didn't mean to put:

+-----------------------------------------+
|     Select Installation Cluefulness     |
|                                         |
|    [ ] Clueless Newbie, No Security     |
|                                         |
|    [ ] UNIX God, I'll Expose Myself     |
|                                         |
|                +------+                 |
|                |  OK  |                 |
|                +------+                 |
+-----------------------------------------+

in the installation, regardless of how amusing it might be.  ;^)

I meant something more along the lines of the following in the "Beginner"
installation track.  (Which, by the way, I always use, and I've installed
every version of FreeBSD except 2.2.8)

+------------------------------------------------------------------+
|                     Select Installation Mode                     |
|                                                                  |
| A "standard" UNIX installation includes a number of network      |
| services that may leave your system open to intruders.  Some of  |
| these services are quite useful, but have insecure features like |
| sending passwords across the network unencrypted.  At this point |
| you may choose to enable the standard complement of services, or |
| you may choose to configure to use only the "ssh" protocol,      |
| which provides for secure remote login and file transfers.       |
|                                                                  |
| The differences between the two installations are outlined in    |
| /usr/share/doc/install/security.txt, and in Section X.Y of the   |
| FreeBSD Handbook.  You may install the system securely and then  |
| enable the features you need, or install it open and disable the |
| features you do not require.                                     |
|                                                                  |
|     [ ] Standard network services enabled                        |
|                                                                  |
|     [ ] Secure installation                                      |
|                                                                  |
|                             +------+                             |
|                             |  OK  |                             |
|                             +------+                             |
+------------------------------------------------------------------+

I don't think this needs to be in any of the other installation paths;
for the "experts" we should just choose one of the two above.  Now we can
argue about which one that might be.  ;^)

--
"Where am I, and what am I doing in this handbasket?"

Wes Peters                                      Softweyr LLC
wes@softweyr.com                        http://softweyr.com/

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
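
The thread's idea of shipping two inetd.conf files, one open and one closed, can be checked mechanically. The following Python is an added example (not part of the message or of the FreeBSD installer): it lists the entries an inetd.conf leaves enabled and derives the closed variant by commenting them out. The sample file, the function names and the NAMED_IN_THREAD constant are constructed for illustration.

```python
# Added example, not from the thread. The sample below is constructed.
# inetd.conf fields: service, socket type, protocol, wait/nowait, user,
# server program, arguments.
SAMPLE = """\
# constructed sample inetd.conf
ftp\tstream\ttcp\tnowait\troot\t/usr/libexec/ftpd\tftpd -l
telnet\tstream\ttcp\tnowait\troot\t/usr/libexec/telnetd\ttelnetd
#shell\tstream\ttcp\tnowait\troot\t/usr/libexec/rshd\trshd
finger\tstream\ttcp\tnowait\tnobody\t/usr/libexec/fingerd\tfingerd -s

ntalk\tdgram\tudp\twait\ttty\t/usr/libexec/ntalkd\tntalkd
"""

# Service names exactly as listed in the message; matching is on the first
# field only, so an entry filed under another name will not be flagged.
NAMED_IN_THREAD = ("ftp", "telnet", "shell", "login", "finger", "ntalk",
                   "ident", "smtp")
SOCKET_TYPES = {"stream", "dgram", "raw", "rdm", "seqpacket"}


def parse_entry(line):
    """Return (service, protocol) for an active entry, None otherwise."""
    fields = line.split()
    if not fields or fields[0].startswith("#"):
        return None  # blank line or comment (including disabled entries)
    if len(fields) < 6 or fields[1] not in SOCKET_TYPES:
        return None  # not a well-formed service line; leave it alone
    return fields[0], fields[2]


def enabled_services(text):
    """List (service, protocol) for every entry inetd would start."""
    return [e for e in map(parse_entry, text.splitlines()) if e]


def close_all(text):
    """Build the 'closed' file: comment out each active entry, keep the rest."""
    lines = ["#" + l if parse_entry(l) else l for l in text.splitlines()]
    return "\n".join(lines) + "\n"


def named_and_open(text):
    """Services from the thread's list that are still enabled."""
    return [s for s, _ in enabled_services(text) if s in NAMED_IN_THREAD]


if __name__ == "__main__":
    print("open install exposes:", enabled_services(SAMPLE))
    print("named in thread and open:", named_and_open(SAMPLE))
    print(close_all(SAMPLE), end="")
```

Running enabled_services() on the output of close_all() should return an empty list; anything else means an entry survived in the closed file.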