On Tue, Dec 06, 2011 at 07:20:54PM -0300, Cristian Rodríguez wrote:
On 06/12/11 16:10, Brian K. White wrote:
Having a lot of stuff exposed and believing that it's all OK is fundamentally less secure than not exposing anything in the first place.
Isn't that essentially "security through obscurity" (aka the path to fail)?
What Brian suggested isn't security by obscurity. It's a simple and passive approach. To me he illustrated it well with running but not needed services. Each non-listening port can't cause a risk and can never be exploited. It's quite obvious that enabled/running services are subject to the well-known secure coding rules. This includes reviews as they are performed, for example, by the SUSE security team. From the rules by which the security team rates incidents (is a service started by default, does it listen on external interfaces, is it run as a non-root user, inside of a chroot), Marcus' arguments sound quite good.

Lars

--
Lars Müller [ˈlaː(r)z ˈmʏlɐ]
Samba Team
SUSE Linux, Maxfeldstraße 5, 90409 Nürnberg, Germany
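Added example, not part of the thread: a small audit that applies the four rating criteria Lars lists (listens on external interfaces, runs as root, not chrooted, started by default) to listening sockets. The input is a constructed sample in the shape of `ss -Hltnpe` output; it assumes iproute2 prints a `uid:` field only for non-root sockets, and the chroot and default-start facts must be supplied by the caller since `ss` cannot report them.

```python
import re
from dataclasses import dataclass

# Constructed sample resembling `ss -Hltnpe` output (not captured from a real host).
# Assumption: root-owned sockets carry no "uid:" field, as ss prints uid only when non-zero.
SAMPLE_SS = """\
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=842,fd=3)) ino:12001 sk:1 <->
LISTEN 0 128 127.0.0.1:631 0.0.0.0:* users:(("cupsd",pid=910,fd=7)) ino:12002 sk:2 <->
LISTEN 0 511 [::]:80 [::]:* users:(("nginx",pid=1204,fd=6)) uid:30 ino:12003 sk:3 <->
LISTEN 0 4096 [::1]:5432 [::]:* users:(("postgres",pid=1311,fd=5)) uid:26 ino:12004 sk:4 <->
"""

LOOPBACK = {"127.0.0.1", "::1"}

@dataclass
class Listener:
    proc: str
    pid: int
    bind: str   # bind address without IPv6 brackets
    port: int
    uid: int    # 0 when ss printed no uid field (root)

def parse_ss(text):
    """Turn ss LISTEN lines into Listener records; skips lines that do not match."""
    out = []
    for line in text.splitlines():
        m = re.match(r'^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s', line)
        proc = re.search(r'users:\(\("([^"]+)",pid=(\d+)', line)
        if not m or not proc:
            continue
        uid = re.search(r'\buid:(\d+)', line)
        out.append(Listener(proc.group(1), int(proc.group(2)), m.group(1).strip("[]"),
                            int(m.group(2)), int(uid.group(1)) if uid else 0))
    return out

def exposure(l, chrooted=(), default_enabled=()):
    """Return the rating criteria that apply to one listener (more = higher exposure)."""
    findings = []
    if l.bind not in LOOPBACK:
        findings.append("listens on external interfaces")
    if l.uid == 0:
        findings.append("runs as root")
    if l.proc not in chrooted:
        findings.append("not in a chroot")
    if l.proc in default_enabled:
        findings.append("started by default")
    return findings

def rank(text, chrooted=(), default_enabled=()):
    """Listeners ordered by number of applicable criteria, most exposed first."""
    rows = [(l, exposure(l, chrooted, default_enabled)) for l in parse_ss(text)]
    rows.sort(key=lambda r: -len(r[1]))
    return rows
```

Services that do not appear at all (not listening) need no rating, which is the point of the thread.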