Mailinglist Archive: opensuse-security (670 mails)
| < Previous | Next > |
Re: [suse-security] SuSE and tcpd
- From: Bob Vickers <bobv@xxxxxxxxxxxxx>
- Date: Thu, 15 Nov 2001 11:19:17 +0000 (GMT)
- Message-id: <Pine.OSF.4.33.0111151108520.24307-100000@xxxxxxxxxxxxxxxxxxxxx>
In my opinion the correct strategy for pretty well any system manager is
to put
# Deny everything not explicitly allowed in hosts.allow
ALL: ALL
in /etc/hosts.deny, then figure out what you need in hosts.allow to make
services work. This way you may lose a service for an hour or so while you
experiment with different service names; the other way you can very easily
end up running an unprotected service for ever because you have made a
mistake.
This certainly applies to workstation managers who are unlikely to want
to run services anyway, and it applies to managers of important servers
who are very serious about security.
So, a request to SuSE: how about changing the default? You could
distribute a well-documented hosts.allow which made it pretty well
impossible to choose the wrong service name.
Regards,
Bob
==============================================================
Bob Vickers R.Vickers@xxxxxxxxxxxxx
Dept of Computer Science, Royal Holloway, University of London
WWW: http://www.cs.rhul.ac.uk/home/bobv
Phone: +44 1784 443691
to put
# Deny everything not explicitly allowed in hosts.allow
ALL: ALL
in /etc/hosts.deny, then figure out what you need in hosts.allow to make
services work. This way you may lose a service for an hour or so while you
experiment with different service names; the other way you can very easily
end up running an unprotected service for ever because you have made a
mistake.
This certainly applies to workstation managers who are unlikely to want
to run services anyway, and it applies to managers of important servers
who are very serious about security.
So, a request to SuSE: how about changing the default? You could
distribute a well-documented hosts.allow which made it pretty well
impossible to choose the wrong service name.
Regards,
Bob
==============================================================
Bob Vickers R.Vickers@xxxxxxxxxxxxx
Dept of Computer Science, Royal Holloway, University of London
WWW: http://www.cs.rhul.ac.uk/home/bobv
Phone: +44 1784 443691
| < Previous | Next > |