Re: Security matters

On Mon, 9 Aug 1999, Lee Sharp wrote:

> >* possibly put ALL:ALL in /etc/hosts.deny. I believe that you should
> >know what you are doing to turn this stuff *ON* , not to turn it off.
>    I disagree with this one.  People will run services on this, and will
> wonder why they don't work.  Turning off the network will hurt more than
> help.

I still think ALL:ALL is a good default ( we could explicitly turn on
stuff we wanted in hosts.allow ) 

But I guess we could just comment out stuff in inetd.conf. 

>    But, turn off telnet for root.

Already is by default ( they also turn off ftp for root )

>    Could this be checkable in the install?  This one should be a choice.

It'd be nice to make this a choice. 

Another middle road would be just to prevent finger @host ( this is an
easy way for crackers to get a free list of usernames to try out )

>    Inde Linux!  Some Version.  www.seul.org/independence/ for the latest!
> We still advertise, but give no information.

Sounds good (-;

>    There are sites that allow this.  Best bet would be to point the download
> to a redirect off our FTP site.  That way if the distribution site has to
> move, our install is still valid.

Yep, the ftp.replay.com is the one I was thinking of. It includes the
"Redhat crypto" distribution.

> >* I have already written a GUI inetd configurator that could make it
> >easier for users to choose which inetd services they do and don't want. It
> >includes a description of each service, and gratuitous plugs for ssh (
> >which isn't perfect, but much better than the inetd services )
>    Best thing yet.  This RPM could be uploaded to RH, and posted about on
> the linux security newsgroups to gain Inde more exposure.  It is REALLY
> needed.

Cool. I might do just that ...
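The two defaults argued over above (ALL: ALL in hosts.deny with explicit hosts.allow entries, versus simply commenting unwanted services out of inetd.conf, finger in particular) can be scripted so an installer does them consistently. The block below is an added example, not code from the original thread or from the Independence Linux project: file locations are passed as parameters so it can be run against copies rather than the live /etc files, the inetd.conf sample is constructed here, and the hosts.allow rules it writes are whatever the caller passes in (tcp_wrappers keys entries on the daemon's executable name, e.g. in.ftpd).

```shell
#!/bin/sh
# Added example: apply the deny-by-default tcp_wrappers policy and disable
# individual inetd.conf services. Not the project's own installer code.

# Constructed sample of a Red Hat style inetd.conf (not copied from any system).
sample_inetd_conf() {
    printf 'ftp     stream  tcp     nowait  root    /usr/sbin/tcpd  in.ftpd -l -a\n'
    printf 'telnet  stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd\n'
    printf '#shell   stream  tcp     nowait  root    /usr/sbin/tcpd  in.rshd\n'
    printf 'finger  stream  tcp     nowait  nobody  /usr/sbin/tcpd  in.fingerd\n'
}

# Comment out every active inetd.conf line whose service field (column 1)
# equals $2. Lines that are already comments are left untouched.
# Returns 0 if at least one line was disabled, 1 if nothing matched.
disable_inetd_service() {
    conf="$1"; svc="$2"
    tmp="$conf.tmp.$$"
    awk -v svc="$svc" '
        /^[ \t]*#/ { print; next }                 # keep existing comments as-is
        $1 == svc  { print "#" $0; disabled++; next }  # disable by commenting out
        { print }
        END { exit (disabled ? 0 : 1) }
    ' "$conf" > "$tmp"
    rc=$?
    mv "$tmp" "$conf"
    return $rc
}

# List the service names that are still enabled (uncommented, non-blank lines).
enabled_inetd_services() {
    awk '!/^[ \t]*#/ && NF { print $1 }' "$1"
}

# Write the deny-by-default tcp_wrappers policy into directory $1:
# hosts.deny gets "ALL: ALL", hosts.allow gets one "daemon: clients" line
# per remaining argument, so only explicitly listed services answer at all.
write_wrappers_policy() {
    dir="$1"; shift
    printf '# default deny; services are enabled explicitly in hosts.allow\n' > "$dir/hosts.deny"
    printf 'ALL: ALL\n' >> "$dir/hosts.deny"
    : > "$dir/hosts.allow"
    for rule in "$@"; do
        printf '%s\n' "$rule" >> "$dir/hosts.allow"
    done
}
```

Run it against a scratch copy first: `sample_inetd_conf > /tmp/inetd.conf; disable_inetd_service /tmp/inetd.conf finger; enabled_inetd_services /tmp/inetd.conf`. Note that commenting a service out of inetd.conf removes it regardless of hosts.allow, whereas the ALL: ALL route still lets the administrator re-enable something later with a single hosts.allow line instead of editing inetd.conf, which is the trade-off the thread is discussing.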