[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Security matters
On Mon, 9 Aug 1999 firstname.lastname@example.org wrote:
> I keep hearing about "script kiddies" and more and more Linux cracking
> going on. Would it be a good idea to close up some of the worst
> vulnerabilites? For us beginners, it's hard to figure out how to turn off
> all those unneeded services. Here in the US, it's common to stay online
> for hours at a time, and I'm getting concerned about it.
> I know Bastille Linux is also based on Red Hat, and there are various
> scripts floating around .... I think after ease-of-use, security could be
> a secondary objective. [Yes, I know that security is antithical to
I agree, in fact I ranted about this some time back. I suggest that:
* rlogin, rsh, inf act "r-anything" be turned off by default. These
services are horendously insecure.
* possibly put ALL:ALL in /etc/hosts.deny. I believe that you should
know what you are doing to turn this stuff *ON* , not to turn it off.
Maybe make some exceptions for telnet and restrict it to local access
( everyone seems to use it. The US crypto laws have really helped slow the
general move to secure software. )
* disallow remote fingers by default. Or at least block "finger
in.fingerd ALL EXCEPT local
ALL EXCEPT 127.0.0.1
* modify /etc/issue and /etc/issue.net so that they *DON'T* loudly
announce the OS, kernel version, distribution and distribution release
* perhaps we could put pointers to ssh up somewhere. I've even
suggested that we could write a tool that downloads software from the net
( software that we can't include such as crypto stuff and nocd stuff ).
This would be easy enough for me to do, because I have written a simple
GUI ftp client already.
* I have already written a GUI inetd configurator that could make it
easier for users to choose which inetd services they do and don't want. It
includes a description of each service, and gratuitous plugs for ssh (
which isn't perfect, but much better than the inetd services )