
Re: Security matters



On Mon, 9 Aug 1999 louis@pcmagic.net wrote:

> I keep hearing about "script kiddies" and more and more Linux cracking
> going on.  Would it be a good idea to close up some of the worst
> vulnerabilities?  For us beginners, it's hard to figure out how to turn off
> all those unneeded services.  Here in the US, it's common to stay online
> for hours at a time, and I'm getting concerned about it.
> 
> I know Bastille Linux is also based on Red Hat, and there are various
> scripts floating around ....  I think after ease-of-use, security could be
> a secondary objective.  [Yes, I know that security is antithetical to
> ease-of-use.]

I agree, in fact I ranted about this some time back. I suggest that:

*	rlogin, rsh, in fact "r-anything" be turned off by default. These
services are horrendously insecure.

*	possibly put ALL:ALL in /etc/hosts.deny. I believe that you should
know what you are doing to turn this stuff *ON* , not to turn it off.

Maybe make some exceptions for telnet and restrict it to local access
( everyone seems to use it. The US crypto laws have really helped slow the
general move to secure software. )

*	disallow remote fingers by default. Or at least block "finger
@host"

in.fingerd: ALL EXCEPT LOCAL
or even
in.fingerd: ALL EXCEPT 127.0.0.1

*	modify /etc/issue and /etc/issue.net so that they *DON'T* loudly
announce the OS, kernel version, distribution and distribution release
number.

*	perhaps we could put pointers to ssh up somewhere. I've even
suggested that we could write a tool that downloads software from the net
( software that we can't include such as crypto stuff and nocd stuff ).
This would be easy enough for me to do, because I have written a simple
GUI ftp client already.

*	I have already written a GUI inetd configurator that could make it
easier for users to choose which inetd services they do and don't want. It
includes a description of each service, and gratuitous plugs for ssh (
which isn't perfect, but much better than the inetd services )

Cheers,
-- 
Donovan
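The tcp_wrappers posture suggested above (ALL:ALL in /etc/hosts.deny, finger and telnet re-opened only to local hosts) modelled as an added example; this is not code from the original mail, and the two sample files and the host names are constructed. It models only the ALL, LOCAL and exact-host wildcards plus EXCEPT lists, and assumes the real daemon names in.telnetd, in.fingerd and in.rlogind.

```python
import re
# Constructed sample files (not from the mail): deny everything by default, then
# re-open telnet and finger only to hosts in the local domain.
HOSTS_ALLOW = """
in.telnetd: LOCAL
in.fingerd: LOCAL, 127.0.0.1
"""
HOSTS_DENY = """
in.fingerd: ALL EXCEPT LOCAL
ALL: ALL
"""

def parse_rules(text):
    # Return (daemon_list, client_list) pairs; comments and blank lines are skipped.
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            daemons, clients = line.split(":", 1)
            rules.append((daemons.strip(), clients.strip()))
    return rules

def daemon_match(token, daemon):
    return token == "ALL" or token == daemon

def client_match(token, host):
    """Wildcards modelled here: ALL, LOCAL (a name without a dot) and an exact host/IP."""
    if token == "ALL":
        return True
    if token == "LOCAL":
        return "." not in host
    return token == host

def list_match(spec, value, matcher):
    """'a, b EXCEPT c' matches when a or b matches and c does not."""
    parts = re.split(r"\s+EXCEPT\s+", spec, maxsplit=1, flags=re.IGNORECASE)
    tokens = [t for t in re.split(r"[,\s]+", parts[0]) if t]
    hit = any(matcher(t, value) for t in tokens)
    if hit and len(parts) == 2:
        return not list_match(parts[1], value, matcher)
    return hit

def rule_hits(rules, daemon, host):
    return any(list_match(d, daemon, daemon_match) and list_match(c, host, client_match)
               for d, c in rules)

def allowed(daemon, host, allow_text=HOSTS_ALLOW, deny_text=HOSTS_DENY):
    """tcp_wrappers order: hosts.allow match wins; else hosts.deny match denies; else allow."""
    if rule_hits(parse_rules(allow_text), daemon, host):
        return True
    return not rule_hits(parse_rules(deny_text), daemon, host)
```

Calling allowed() with two empty files shows the default-permit behaviour that makes the ALL:ALL line in hosts.deny necessary.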