[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Security matters
>I agree, in fact I ranted about this some time back. I suggest that:
>* rlogin, rsh, inf act "r-anything" be turned off by default. These
>services are horendously insecure.
I agree here. Also, it is only mre advanced users that use them, and can
figure out how to turn them on.
>* possibly put ALL:ALL in /etc/hosts.deny. I believe that you should
>know what you are doing to turn this stuff *ON* , not to turn it off.
I disagree with this on. People will run services on this, and will
wonder why they don't work. Turning off the network will hurt more than
>Maybe make some exceptions for telnet and restrict it to local access
>( everyone seems to use it. The US crypto laws have really helped slow the
>general move to secure software. )
But, turn off telnet for root.
>* disallow remote fingers by default. Or at least block "finger
>in.fingerd ALL EXCEPT local
>ALL EXCEPT 127.0.0.1
Could this be checkable in the install? This one should be a choice.
>* modify /etc/issue and /etc/issue.net so that they *DON'T* loudly
>announce the OS, kernel version, distribution and distribution release
Inde Linux! Some Version. www.seul.org/independence/ for the latest!
We still advertise, but give no information.
>* perhaps we could put pointers to ssh up somewhere. I've even
>suggested that we could write a tool that downloads software from the net
>( software that we can't include such as crypto stuff and nocd stuff ).
>This would be easy enough for me to do, because I have written a simple
>GUI ftp client already.
There are sites that allow this. Best bet would be to point the download
to a redirect off our FTP site. That way if the distribution site has to
move, our install is still valid.
>* I have already written a GUI inetd configurator that could make it
>easier for users to choose which inetd services they do and don't want. It
>includes a description of each service, and gratuitous plugs for ssh (
>which isn't perfect, but much better than the inetd services )
Best thing yet. This RPM could be uploaded to RH, and posted about on
the linux security newsgroups to gain Inde more exposure. It is REALLY