Re: Security matters
>I agree, in fact I ranted about this some time back. I suggest that:
>* rlogin, rsh, in fact "r-anything" be turned off by default. These
>services are horrendously insecure.
I agree here. Also, it is only more advanced users that use them, and can
figure out how to turn them on.
>* possibly put ALL:ALL in /etc/hosts.deny. I believe that you should
>know what you are doing to turn this stuff *ON* , not to turn it off.
I disagree with this one. People will run services on this, and will
wonder why they don't work. Turning off the network will hurt more than
help.
>Maybe make some exceptions for telnet and restrict it to local access
>( everyone seems to use it. The US crypto laws have really helped slow the
>general move to secure software. )
But, turn off telnet for root.
>* disallow remote fingers by default. Or at least block "finger
>@host"
>in.fingerd ALL EXCEPT local
>or even
>ALL EXCEPT 127.0.0.1
Could this be checkable in the install? This one should be a choice.
>* modify /etc/issue and /etc/issue.net so that they *DON'T* loudly
>announce the OS, kernel version, distribution and distribution release
>number.
Inde Linux! Some Version. www.seul.org/independence/ for the latest!
We still advertise, but give no information.
>* perhaps we could put pointers to ssh up somewhere. I've even
>suggested that we could write a tool that downloads software from the net
>( software that we can't include such as crypto stuff and nocd stuff ).
>This would be easy enough for me to do, because I have written a simple
>GUI ftp client already.
There are sites that allow this. Best bet would be to point the download
to a redirect off our FTP site. That way if the distribution site has to
move, our install is still valid.
>* I have already written a GUI inetd configurator that could make it
>easier for users to choose which inetd services they do and don't want. It
>includes a description of each service, and gratuitous plugs for ssh (
>which isn't perfect, but much better than the inetd services )
Best thing yet. This RPM could be uploaded to RH, and posted about on
the linux security newsgroups to gain Inde more exposure. It is REALLY
needed.
Lee
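The install-time checks the thread asks for (which r-services and finger are enabled in inetd.conf, whether hosts.deny has a default-deny line, and whether hosts.allow opens finger or telnet beyond the local host) as an added example; this is not code from the thread or from the Independence project, and every file path and file content below is a constructed sample.

```shell
#!/bin/sh
# Added example (not from the thread or the Independence project): audit an
# inetd.conf and tcp_wrappers pair for the defaults proposed above.
# All paths and file contents are constructed samples.

# Print the name of every enabled (uncommented) inetd service whose server is an
# r-service daemon or fingerd, one per line. Handles both a bare daemon in the
# server column and /usr/sbin/tcpd with the daemon as its first argument.
risky_services() {
    awk '$1 !~ /^#/ && NF >= 6 &&
         ($6 ~ /in\.(rlogind|rshd|rexecd|fingerd)$/ ||
          $7 ~ /in\.(rlogind|rshd|rexecd|fingerd)$/) { print $1 }' "$1"
}

# Exit 0 only if hosts.deny carries the catch-all "ALL: ALL" default-deny line.
has_default_deny() {
    grep -Eq '^[[:space:]]*ALL[[:space:]]*:[[:space:]]*ALL([[:space:]]|$)' "$1"
}

# Exit 0 only if hosts.allow grants the named daemon ($2, e.g. in.fingerd)
# to anything broader than the local host (LOCAL or 127.0.0.1).
allows_remote() {
    awk -F: -v d="$2" '$1 !~ /^[ \t]*#/ && $1 ~ d {
             c = $2; gsub(/^[ \t]+|[ \t]+$/, "", c)
             if (c != "LOCAL" && c != "127.0.0.1") found = 1
         } END { exit !found }' "$1"
}

# Write constructed sample files into a temporary directory and print its path.
write_samples() {
    dir=$(mktemp -d)
    cat > "$dir/inetd.conf" <<'EOF'
# service socket proto  wait   user   server          args   (constructed sample)
shell     stream tcp    nowait root   /usr/sbin/tcpd  in.rshd
login     stream tcp    nowait root   /usr/sbin/tcpd  in.rlogind
#exec     stream tcp    nowait root   /usr/sbin/tcpd  in.rexecd
finger    stream tcp    nowait nobody /usr/sbin/tcpd  in.fingerd
telnet    stream tcp    nowait root   /usr/sbin/tcpd  in.telnetd
EOF
    printf 'ALL: ALL\n' > "$dir/hosts.deny"
    printf 'in.telnetd: LOCAL\nin.fingerd: ALL\n' > "$dir/hosts.allow"
    printf '%s\n' "$dir"
}
```

On the sample files, risky_services reports shell, login and finger (exec is commented out), has_default_deny succeeds, and allows_remote flags in.fingerd but not in.telnetd.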