
Re: Security

On Mon, 26 Apr 1999, Sharp, Lee wrote:

> is an easy read...  Anyway, it got me thinking about inet.d...  It ships
> default in a very insecure way.  I can't see a new user knowing what to
> shut off, and we don't want to leave them looking like a passed out prom
> queen in a frat house.  :-)  How hard would it be to have services

It shouldn't be that hard to change the defaults.

Another way to do things would be to ship a hosts.deny file like this:


this is actually a pretty good default. Or at least


then put 


in hosts.allow

It's worth considering putting some examples in the hosts.deny and
hosts.allow files as well. 

IMO anyone considering running telnetd, fingerd and
ftpd on a machine with a static IP *needs* to think carefully about which
services should be accessed by which IP addresses / domains (I didn't
think so carefully. I was cracked by a site that I should have never
given telnet access to in the first place. Believe me, I thought carefully
after that ...)

Of course, home users usually do not need to run fingerd, ftpd or telnetd.

While we're at it, I have a gripe about /etc/issue.net:
is it *really* necessary for Linux boxes to broadcast their distribution
name and kernel version to the world? It might be a good idea to remove
the kernel version from /etc/issue, and just make /etc/issue.net say
"welcome to HOSTNAME". I think /etc/issue[.net] is automatically
overwritten by a file in /etc/rc.d (maybe rc.local or init.d/network).

-- Donovan
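Added example, not part of the thread: the hosts.deny / hosts.allow entries Donovan refers to are not reproduced on this page, so the file contents below are constructed for illustration (a deny-everything hosts.deny with a narrow hosts.allow). The script is a small evaluator of the hosts_access(5) decision order (first match in hosts.allow grants, otherwise first match in hosts.deny refuses, otherwise access is granted) so a candidate default can be checked against sample clients before it ships. Pattern forms ALL, LOCAL, leading-dot domain suffix, trailing-dot address prefix, net/mask and EXCEPT are handled; IPv4 only, and the optional third shell-command field is ignored.

```python
import ipaddress

# Constructed defaults (an assumption for this example, not the thread's own entries):
# refuse every wrapped service from everywhere ...
HOSTS_DENY = """
# Default policy: refuse every wrapped service from everywhere.
ALL: ALL
"""

# ... then open only what the local network needs; finger stays closed even locally.
HOSTS_ALLOW = """
ALL EXCEPT in.fingerd: LOCAL, 192.168.1.
sshd: .example.org EXCEPT bad.example.org
"""


def _split_list(field):
    """Parse 'a, b EXCEPT c d' into (['a', 'b'], ['c', 'd']); the EXCEPT part may be empty."""
    head, _, tail = field.partition(" EXCEPT ")
    tokens = lambda s: [t for t in s.replace(",", " ").split() if t]
    return tokens(head), tokens(tail)


def parse_access_file(text):
    """Return [(daemon_list, client_list), ...] from hosts.allow / hosts.deny text.
    Comments and blank lines are dropped; a third ':' field (shell command) is ignored."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split(":")
        if len(fields) < 2:
            raise ValueError(f"malformed rule: {raw!r}")
        rules.append((_split_list(fields[0].strip()), _split_list(fields[1].strip())))
    return rules


def _client_matches(pattern, hostname, ip):
    """Apply the hosts_access(5) client pattern forms (IPv4 only)."""
    if pattern == "ALL":
        return True
    if pattern == "LOCAL":            # a host name without a dot
        return "." not in hostname
    if pattern.startswith("."):       # domain suffix, e.g. .example.org
        return hostname.endswith(pattern)
    if pattern.endswith("."):         # dotted-quad prefix, e.g. 192.168.1.
        return ip.startswith(pattern)
    if "/" in pattern:                # net/mask, e.g. 192.168.1.0/255.255.255.0
        return ipaddress.ip_address(ip) in ipaddress.ip_network(pattern, strict=False)
    return pattern in (hostname, ip)  # exact host name or address


def _list_matches(lst, match):
    included, excluded = lst
    return any(match(p) for p in included) and not any(match(p) for p in excluded)


def _rule_matches(rule, daemon, hostname, ip):
    daemons, clients = rule
    return (_list_matches(daemons, lambda p: p == "ALL" or p == daemon)
            and _list_matches(clients, lambda p: _client_matches(p, hostname, ip)))


def hosts_access(daemon, hostname, ip, allow_text, deny_text):
    """Mirror the tcp_wrappers order: hosts.allow grants, then hosts.deny refuses,
    and a client matched by neither file is let in."""
    if any(_rule_matches(r, daemon, hostname, ip) for r in parse_access_file(allow_text)):
        return True
    if any(_rule_matches(r, daemon, hostname, ip) for r in parse_access_file(deny_text)):
        return False
    return True


if __name__ == "__main__":
    # Constructed sample clients; the last line shows what an empty hosts.deny does.
    samples = [
        ("in.telnetd", "ws1", "192.168.1.10"),
        ("in.fingerd", "ws1", "192.168.1.10"),
        ("sshd", "host.example.org", "10.0.0.5"),
        ("sshd", "bad.example.org", "10.0.0.6"),
        ("in.telnetd", "evil.example.com", "203.0.113.9"),
    ]
    for daemon, host, ip in samples:
        verdict = hosts_access(daemon, host, ip, HOSTS_ALLOW, HOSTS_DENY)
        print(f"{daemon:<12} {host:<18} {ip:<14} -> {'allow' if verdict else 'deny'}")
    print("with empty hosts.deny, outsider telnet ->",
          hosts_access("in.telnetd", "evil.example.com", "203.0.113.9", HOSTS_ALLOW, ""))
```

Running it with the constructed files shows the point of the thread: the same hosts.allow lets an outside host straight in as soon as hosts.deny is empty, because a client matched by neither file is granted access.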