
Re: Security



On Mon, 26 Apr 1999, Sharp, Lee wrote:

> is an easy read...  Anyway, it got me thinking about inet.d...  It ships
> default in a very insecure way.  I can't see a new user knowing what to
> shut off, and we don't want to leave them looking like a passed out prom
> queen in a frat house.  :-)  How hard would it be to have services

It shouldn't be that hard to change the defaults.

Another way to do things would be to ship a hosts.deny file like this:

ALL:ALL

This is actually a pretty good default. Or at least

in.telnetd:ALL
in.ftpd:ALL
in.fingerd:ALL 

then put 

ALL:127.0.0.1

in hosts.allow

It's worth considering putting some examples in the hosts.deny and
hosts.allow files as well. 

IMO anyone considering running telnetd, fingerd and ftpd on a machine
with a static IP *needs* to think carefully about which services should
be accessed by which IP addresses / domains (I didn't think so carefully.
I was cracked by a site that I should have never given telnet access to
in the first place. Believe me, I thought carefully after that ...)

Of course, home users usually do not need to run fingerd, ftpd or telnetd.

While we're at it, I have a gripe about /etc/issue.net:
is it *really* necessary for Linux boxes to broadcast their distribution
name and kernel version to the world? It might be a good idea to remove
the kernel version from /etc/issue, and just make /etc/issue.net say
"welcome to HOSTNAME". I think /etc/issue[.net] is automatically
overwritten by a file in /etc/rc.d (maybe rc.local or init.d/network).

-- Donovan
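The hosts.deny / hosts.allow defaults proposed above depend on the order in which tcpd evaluates the two files (hosts.allow first, then hosts.deny, otherwise permit). The following is an added example, not code from the original message: a simplified Python model of that decision, with the two proposed deny files and the ALL:127.0.0.1 allow rule embedded as constructed sample input, so the effect of each default on a local and a remote client can be checked.

```python
"""Simplified model of tcp_wrappers (tcpd) host access decisions.

Added example, not part of the original thread. It covers only the
"daemon_list : client_list" rule form with the ALL wildcard, bare
addresses/hostnames, leading-dot domain suffixes and trailing-dot
network prefixes. Options, EXCEPT, KNOWN/UNKNOWN/PARANOID and
netmask forms are deliberately not modelled.
"""

# Constructed sample files mirroring the defaults proposed in the message.
HOSTS_DENY_ALL = "ALL:ALL\n"
HOSTS_DENY_SERVICES = "in.telnetd:ALL\nin.ftpd:ALL\nin.fingerd:ALL\n"
HOSTS_ALLOW_LOCAL = "ALL:127.0.0.1\n"


def parse_rules(text):
    """Return (daemon_tokens, client_tokens) for each non-comment rule line."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(":")          # a third field would be options
        daemons = parts[0].replace(",", " ").split()
        clients = parts[1].replace(",", " ").split()
        rules.append((daemons, clients))
    return rules


def client_matches(pattern, addr, host):
    if pattern == "ALL":
        return True
    if pattern.startswith("."):          # domain suffix, e.g. .example.org
        return host.endswith(pattern)
    if pattern.endswith("."):            # network prefix, e.g. 192.168.1.
        return addr.startswith(pattern)
    return pattern in (addr, host)


def rule_matches(rule, daemon, addr, host):
    daemons, clients = rule
    return (any(d in ("ALL", daemon) for d in daemons)
            and any(client_matches(c, addr, host) for c in clients))


def hosts_access(daemon, addr, host, allow=HOSTS_ALLOW_LOCAL, deny=HOSTS_DENY_ALL):
    """tcpd order: first match in hosts.allow grants, then first match in
    hosts.deny refuses; a client matching neither file is granted access."""
    if any(rule_matches(r, daemon, addr, host) for r in parse_rules(allow)):
        return True
    if any(rule_matches(r, daemon, addr, host) for r in parse_rules(deny)):
        return False
    return True
```

Note that with the service-specific deny file, any daemon not listed (for example a hypothetical in.sshd) stays reachable from every client, which is the difference between the two defaults discussed above.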