
Re: Security matters



>I agree, in fact I ranted about this some time back. I suggest that:

>* rlogin, rsh, in fact "r-anything" be turned off by default. These
>services are horrendously insecure.

   I agree here.  Also, it is only more advanced users that use them, and can
figure out how to turn them on.

>* possibly put ALL:ALL in /etc/hosts.deny. I believe that you should
>know what you are doing to turn this stuff *ON* , not to turn it off.

   I disagree with this one.  People will run services on this, and will
wonder why they don't work.  Turning off the network will hurt more than
help.

>Maybe make some exceptions for telnet and restrict it to local access
>( everyone seems to use it. The US crypto laws have really helped slow the
>general move to secure software. )

   But, turn off telnet for root.

>* disallow remote fingers by default. Or at least block "finger
>@host"

>in.fingerd ALL EXCEPT local
>or even
>ALL EXCEPT 127.0.0.1

   Could this be checkable in the install?  This one should be a choice.

>* modify /etc/issue and /etc/issue.net so that they *DON'T* loudly
>announce the OS, kernel version, distribution and distribution release
>number.

   Inde Linux!  Some Version.  www.seul.org/independence/ for the latest!
We still advertise, but give no information.

>* perhaps we could put pointers to ssh up somewhere. I've even
>suggested that we could write a tool that downloads software from the net
>( software that we can't include such as crypto stuff and nocd stuff ).
>This would be easy enough for me to do, because I have written a simple
>GUI ftp client already.

   There are sites that allow this.  Best bet would be to point the download
to a redirect off our FTP site.  That way if the distribution site has to
move, our install is still valid.

>* I have already written a GUI inetd configurator that could make it
>easier for users to choose which inetd services they do and don't want. It
>includes a description of each service, and gratuitous plugs for ssh (
>which isn't perfect, but much better than the inetd services )

   Best thing yet.  This RPM could be uploaded to RH, and posted about on
the linux security newsgroups to gain Inde more exposure.  It is REALLY
needed.

            Lee
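
An added example, not part of the original message or of the distribution's own code: a small Python check for three of the defaults debated above (r-services enabled in inetd.conf, in.fingerd with no hosts.deny rule, and an issue banner that discloses version details). The daemon names, function names and sample file contents are assumptions constructed for illustration.

```python
import re

# Daemon names for rsh, rlogin and rexec as inetd.conf usually lists them (assumed)
R_DAEMONS = {"in.rshd", "in.rlogind", "in.rexecd"}
# getty (\r \s \v \m) or telnetd (%r %s %v %m) escapes, or a dotted version number
LEAK = re.compile(r"\\[rsvm]|%[rsvm]|\b\d+\.\d+(?:\.\d+)?\b")

def active_daemons(inetd_conf):
    """Return the daemon names on uncommented inetd.conf lines."""
    daemons = set()
    for line in inetd_conf.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 7:  # service type proto wait user path argv0 ...
            daemons.add(fields[6].rsplit("/", 1)[-1])
    return daemons

def denied(hosts_deny, daemon):
    """True if a hosts.deny rule names `daemon` or ALL in its daemon list.
    Client lists, EXCEPT in the daemon list and hosts.allow are not evaluated."""
    for line in hosts_deny.splitlines():
        head, sep, _ = line.split("#", 1)[0].partition(":")
        names = head.replace(",", " ").split() if sep else []
        if daemon in names or "ALL" in names:
            return True
    return False

def audit(inetd_conf, hosts_deny, issue):
    findings = []
    active = active_daemons(inetd_conf)
    for d in sorted(active & R_DAEMONS):
        findings.append(f"{d} enabled in inetd.conf")
    if "in.fingerd" in active and not denied(hosts_deny, "in.fingerd"):
        findings.append("in.fingerd enabled with no hosts.deny rule")
    if LEAK.search(issue):
        findings.append("issue banner discloses version information")
    return findings

# Constructed sample files, not taken from any real system
INETD = """\
shell  stream tcp nowait root   /usr/sbin/tcpd in.rshd
#login stream tcp nowait root   /usr/sbin/tcpd in.rlogind
finger stream tcp nowait nobody /usr/sbin/tcpd in.fingerd
"""
DENY = "in.fingerd: ALL EXCEPT 127.0.0.1\n"
LOUD = "Example Linux release 1.0\nKernel \\r on an \\m\n"
QUIET = "Inde Linux!  Some Version.  www.seul.org/independence/ for the latest!\n"

if __name__ == "__main__":
    print("\n".join(audit(INETD, "", LOUD)))
```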