On Tue, 22 Aug 2000, Erwin Zierler - Stubainet wrote:
All you have to do is to save all the config files which you are concerned about and make a little tarball. If you are installing the same kind of machines more often it will save you a lot of time to use the save-config option in YAST(2) and you will have your standard installation ready for future installations. Then create your 'standard' inetd.conf and also save it for future installations.
For me it is not a problem to configure a new installation in the manner I like (turning off all but ssh, putting up a packet filter which kills all but a few things), but for a lot of people giving Linux a try...
Hmmm... not sure about that really. If you are serious about configuring i.e. a web-/mail-server, firewall or gateway you should definitely check what is REALLY going on when you change some settings in a dialog box or even in /etc/rc.config. More options in a configuration tool will never give you a more secure system, it only gives you more chances to do it right or wrong. If we really want to talk about security of a Linux distribution we should not discuss the GUI or related issues but rather the potential vulnerabilities and where/how we can avoid them.
That would be the best way, just take debian if you like this. And I really think about getting debian, but I am very content with susi, because at least I know where I have to turn off all SuSeconfig stuff resetting my settings. I tried DeadRat - no comment on where to find anything ;-) I agree that it IS necessary to have a more/less secure(?) system to know it quite well, i.e. to know what is doing what, which services, ... But as I said, a lot of people try Linux and want a running system (is identd necessary for irc ???, don't think so, I do not have identd running AND I am irc-ing ;-), but
* why is xdm listening to the net? (:X -no-listen) would be nice. If someone wants to set up a box serving more terminals, he is a power user and KNOWS where to get rid of this.
* fingerd? Normally not necessary, turn off for the average dialin/cable user
* ...
All these services are NOT essential, not even ftpd. You could even by standard turn off apache listening to other hosts than localhost!
Would be nice for people who run servers only, but there are other folks out there with other needs. A lot of processes on every Un*x system need certain ports for inter-process communication (X is one of them) so turning off everything by default might get many customers upset. And since SuSE is certainly not interested in losing a large customer base I can't imagine they will ever ship their distribution in such a 'secure' but for many people unusable default configuration.
see above, one part in the handbook would be: Most of the services not necessary for basic use are turned off. The sysadm should be able to activate all these features...

Best wishes

Norbert

--
ciao
norb

+-------------------------------------------------------------------+
| Norbert Preining http://www.logic.at/people/preining |
| University of Technology Vienna, Austria preining@logic.at |
| DSA: 0x09C5B094 (RSA: 0xCF1FA165) mail subject: get [DSA|RSA]-key |
+-------------------------------------------------------------------+
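
Added example, not part of the original message or of any SuSE tool: one way to check a 'standard' inetd.conf of the kind discussed in this thread against an allowlist of services, and to produce a copy with everything else commented out. The sample file contents, the function names and the `#DISABLED#` marker are assumptions made for illustration.

```python
# Constructed sample in the classic inetd.conf layout:
# service  socket_type  protocol  wait/nowait  user  server_program  [args]
SAMPLE_INETD_CONF = """\
# sample inetd.conf (constructed for this example)
ftp     stream  tcp  nowait  root    /usr/sbin/tcpd      in.ftpd
# telnet stream  tcp  nowait  root    /usr/sbin/tcpd      in.telnetd
finger  stream  tcp  nowait  nobody  /usr/sbin/tcpd      in.fingerd -w
ident   stream  tcp  wait    nobody  /usr/sbin/in.identd in.identd
time    dgram   udp  wait    root    internal
badline stream
"""

def active_entries(text):
    """Yield (line_number, entry) for every line inetd would act on.
    entry is None when the line has fewer than the six mandatory fields."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank or commented out: the service is disabled
        fields = line.split()
        if len(fields) < 6:
            yield lineno, None
            continue
        user = fields[4].split(".")[0].split(":")[0]  # drop optional group
        yield lineno, {"service": fields[0], "user": user, "server": fields[5]}

def audit(text, allowed):
    """Return (line_number, service, note) for each enabled service that is
    not in `allowed`, plus any malformed lines that need a manual look."""
    findings = []
    for lineno, entry in active_entries(text):
        if entry is None:
            findings.append((lineno, "?", "malformed line"))
        elif entry["service"] not in allowed:
            findings.append((lineno, entry["service"], "runs as " + entry["user"]))
    return findings

def harden(text, allowed):
    """Return a copy of the file with every flagged line commented out."""
    flagged = {lineno for lineno, _, _ in audit(text, allowed)}
    lines = [("#DISABLED# " + raw) if lineno in flagged else raw
             for lineno, raw in enumerate(text.splitlines(), 1)]
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    for finding in audit(SAMPLE_INETD_CONF, allowed=set()):
        print(finding)
    print(harden(SAMPLE_INETD_CONF, allowed=set()), end="")
```
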