I like what OpenBSD does. It has most things turned off or *not* installed by
default that are considered security risks. The install is set up for you. You
add/delete packages later on, as needed but there is always enough man pages,
caveats, documentation to make an educated decision to use or not use a package
or service. In short, OpenBSD pretty much forces a newbie (such as myself) to
educate themselves before they can enable something that may "un-secure" their
machine.
At first it was a little annoying. I just wanted to jump and play with a new
OS. But after a week, I really started to appreciate the approach. Since I've
started using Linux and now OpenBSD, my computer/networking/security knowledge
has increased exponentially. Before all I knew were MacOS and Win95/NT which
severely limited the knowledge I had. It hampered my understanding of how things
_truly_ work.
I understand SuSE wanting a positive experience from new users especially. But
perhaps there's some middle ground? Education, though sometimes difficult is
almost always worthwhile!
My $0.02.
--- Thomas Biege
Hi,
If people use the tools we deliver with SuSE + their brains (note: we don't ship brains with SuSE), then they could get a very secure system within a short time of work.
This is NOT a good idea. Either the default install (and the default install for most people is `ALL') enables all the services, which IS
we don't sell a hyper-secure Linux, we sell a nearly complete and useable Linux. we have to go the small path between security and usability, and in my opinion we do that very well.
crazy! No idea why identd, and similar have to run on a dialin machine?
identd: for IRC
Even at the university where I have installed some susis, I always have to manually shut down all the irrelevant and dangerous services. Services
that's ok, because you know what's dangerous, but the inexperienced users just see a not working system if we disable all services and remove all sbit's.
like telnet can be hacked or exploited very easily!
i can't remember a serious exploit for telnet in the past 4 years, but i remember some exploits for [Open-]SSH. if users use unencrypted traffic it's their fault. we also ship SSH and OpenSSH. we can't drop telnetd, because it's the standard program for logging in over network.
Hrhr... 'secure by default' nice buzzwords. AFAIK /usr/bin isn't audited and neither all the ports are. It's 99% secure as long as you just use the
Nobody says if you turn off all unnecessary services the system is secure, but it is MORE secure than standard and at least a pc all the time linked up to the inet is not as vulnerable as before.
right, but it's also more unusable.
SuSE 7.0 has a YaST2 module, that allows the not-so-experienced User to modify /etc/inetd.conf in an easy way, to shut inetd off (even YaST1 asks for this) or to use a default /etc/inetd.conf. In future more security modules will be added to YaST2.
That's good news!
*phew* nice to see, that I could make you happy. ;)
The experienced-power-ueber User uses vi or sed to edit the config-files and make their box secure.
that's true, but there are not only power users! The other way round would be better: experienced-ueber-drueber-power users can turn on all the services they need easily and fast!
we are not OpenBSD. (and that's good so)
Bye, Thomas -- Thomas Biege, SuSE GmbH, Schanzaeckerstr. 10, 90443 Nuernberg E@mail: thomas@suse.de Function: Security Support & Auditing "lynx -source http://www.suse.de/~thomas/thomas.pgp | pgp -fka" Key fingerprint = 09 48 F2 FD 81 F7 E7 98 6D C7 36 F1 96 6A 12 47