Re: [suse-security] Secure By Default - PLEASE!
At 09:20 22.08.00 +0200, <preining@logic.at> wrote:
On Tue, 22 Aug 2000, Thomas Biege wrote:
If people use the tools we deliver with SuSE + their brains (note: we don't ship brains with SuSE), then they could get a very secure system within a short time of work.
This is NOT a good idea. Either the default install (and the default install for most people is `ALL') enables all the services, which IS
I have installed SuSE on quite a few machines since version 5.3 for different purposes (webservers, mailservers, firewalls, desktop machines,...) but I _never_ needed or wanted to install ALL :-)
crazy! No idea why identd, and similar have to run on a dialin machine? Even at the university where I have installed some susis, I always have to manually shut down all the irrelevant and dangerous services. Services like telnet can be hacked or exploited very easily!
All you have to do is to save all the config files which you are concerned about and make a little tarball. If you are installing the same kind of machines more often it will save you a lot of time to use the save-config option in YAST(2) and you will have your standard installation ready for future installations. Then create your 'standard' inetd.conf and also save it for future installations.
Hrhr... 'secure by default' nice buzzwords. AFAIK /usr/bin isn't audited and neither all the ports are. It's 99% secure as long as you just use the
Nobody says if you turn off all unnecessary services the system is secure, but it is MORE secure than standard and at least a pc all the time linked up to the inet is not as vulnerable as before.
This is true to some degree, BUT: 'secure' is a term which one could stretch very far in both directions. I have seen an NT-based commercial Firewall machine that runs pcanywhere as a service which made me wonder what most administrators consider 'secure'. After spending several days to figure out firewall concepts and the use of ipchains I came to the conclusion that as soon as you are running ANY service on a machine that is connected (permanently or temporarily) to the internet you have a potential security hole. The degree of the vulnerability (or security) not only depends on what services you run but also on issues like monitoring, intrusion detection, local users and reading security related mailing lists and websites.
SuSE 7.0 has a YaST2 module that allows the not-so-experienced User to modify /etc/inetd.conf in an easy way, to shut inetd off (even YaST1 asks for this) or to use a default /etc/inetd.conf. In future more security modules will be added to YaST2.
That's good news!
Hmmm... not sure about that really. If you are serious about configuring i.e. a web-/mail-server, firewall or gateway you should definitely check what is REALLY going on when you change some settings in a dialog box or even in /etc/rc.config. More options in a configuration tool will never give you a more secure system, it only gives you more chances to do it right or wrong. If we really want to talk about security of a Linux distribution we should not discuss the GUI or related issues but rather the potential vulnerabilities and where/how we can avoid them.
The experienced-power-ueber User uses vi or sed to edit the config-files and make their box secure.
That's true, but there are not only power users! The other way round would be better: experienced-ueber-drueber-power users can turn on all the services they need easily and fast!
Would be nice for people who run servers only, but there are other folks out there with other needs. A lot of processes on every Un*x system need certain ports for inter-process communication (X is one of them) so turning off everything by default might get many customers upset. And since SuSE is certainly not interested in losing a large customer base I can't imagine they will ever ship their distribution in such a 'secure' but for many people unusable default configuration.
-- ciao norb
Regards, Erwin
On Tue, 22 Aug 2000, Erwin Zierler - Stubainet wrote:
All you have to do is to save all the config files which you are concerned about and make a little tarball. If you are installing the same kind of machines more often it will save you a lot of time to use the save-config option in YAST(2) and you will have your standard installation ready for future installations. Then create your 'standard' inetd.conf and also save it for future installations.
For me it is not a problem to configure a new installation in the manner I like (turning off all but ssh, putting up a packetfilter which kills all but a few things), but for a lot of people giving linux a try...
Hmmm... not sure about that really. If you are serious about configuring i.e. a web-/mail-server, firewall or gateway you should definitely check what is REALLY going on when you change some settings in a dialog box or even in /etc/rc.config. More options in a configuration tool will never give you a more secure system, it only gives you more chances to do it right or wrong. If we really want to talk about security of a Linux distribution we should not discuss the GUI or related issues but rather the potential vulnerabilities and where/how we can avoid them.
That would be the best way, just take debian if you like this. And I really think about getting debian, but I am very content with susi, because at least I know where I have to turn off all SuSeconfig stuff resetting my settings. I tried DeadRat - no comment on where to find anything ;-)
I agree that it IS necessary to have a more/less secure(?) system to know it quite good, i.e. to know what is doing what, which services, ... But as I said, a lot of people try linux and want a running system (is identd necessary for irc ???, don't think so, I do not have identd running AND I am irc-ing ;-), but
* why is xdm listening to the net? (:X -no-listen) would be nice. If someone wants to set up a box serving more terminal, he is a power user and KNOWS where to get rid of this.
* fingerd? Normally not necessary, turn off for the average dialin/cable user
* ...
All these services are NOT essential, not even ftpd. You could even standard turn off apache listening to other hosts than localhost!
Would be nice for people who run servers only, but there are other folks out there with other needs. A lot of processes on every Un*x system need certain ports for inter-process communication (X is one of them) so turning off everything by default might get many customers upset. And since SuSE is certainly not interested in losing a large customer base I can't imagine they will ever ship their distribution in such a 'secure' but for many people unusable default configuration.
see above, one part in the handbook would be: Most of the services not necessary for basic use are turned off. The sysadm should be able to activate all these features...
Best wishes Norbert
-- ciao norb
+-------------------------------------------------------------------+
| Norbert Preining              http://www.logic.at/people/preining |
| University of Technology Vienna, Austria        preining@logic.at |
| DSA: 0x09C5B094 (RSA: 0xCF1FA165) mail subject: get [DSA|RSA]-key |
+-------------------------------------------------------------------+
[...]
That would be the best way, just take debian if you like this. And I really think about getting debian, but I am very content with susi, because at least I know where I have to turn off all SuSeconfig stuff resetting my settings. I tried DeadRat - no comment on where to find anything ;-)
Distributions differ in the way organisational problems are solved. There are many things that developers (worldwide as well as ours) would like to correct or change, but if they did so, we'd have thousands of users complain about the changes. Linux differs from UN*X wrt the backwards compatibility commission. It doesn't claim to support the bugs and legacy problems from the past, which (hopefully) turns out to be a strength in the market. Basically, this is the reason why SuSE distributions (and others of course) get published 3-4 times a year. The distributor's task is now to balance opinions btw the user and the developer side, between usability and security. Personally, I'd rather not claim that this task is single-dimensional.
I agree that it IS necessary to have a more/less secure(?) system to know it quite good, i.e. to know what is doing what, which services, ... But as I said, a lot of people try linux and want a running system (is identd necessary for irc ???, don't think so, I do not have identd running AND I am irc-ing ;-), but
* why is xdm listening to the net? (:X -no-listen) would be nice. If someone wants to set up a box serving more terminal, he is a power user and KNOWS where to get rid of this.
Agreed. xdm doesn't listen on sockets any more since SuSE-6.4.
* fingerd? Normally not necessary, turn off for the average dialin/cable user
* ...
All these services are NOT essential, not even ftpd. You could even standard turn off apache listening to other hosts than localhost!
Would be nice for people who run servers only, but there are other folks out there with other needs. A lot of processes on every Un*x system need certain ports for inter-process communication (X is one of them) so turning off everything by default might get many customers upset. And since SuSE is certainly not interested in losing a large customer base I can't imagine they will ever ship their distribution in such a 'secure' but for many people unusable default configuration.
see above, one part in the handbook would be: Most of the services not necessary for basic use are turned off. The sysadm should be able to activate all these features...
Best wishes Norbert
Thanks, Roman.
--
 -                                                                      -
| Roman Drahtmüller      <draht@suse.de> //          "Caution: Cape does |
  SuSE GmbH - Security            Phone: //       not enable user to fly."
| Nürnberg, Germany       +49-911-740530 // (Batman Costume warning label) |
 -                                                                      -
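The inetd.conf clean-up discussed in this thread, as an added example that is not part of any poster's message: a small shell audit that lists the entries still enabled in an inetd.conf and reports those missing from an allowlist you choose. The sample file, the function names and the `service/proto` allowlist format are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: list inetd services that are enabled but not on an allowlist.

# Constructed sample in inetd.conf format (not taken from a real SuSE install).
sample_inetd_conf() {
cat <<'EOF'
# <service> <sock_type> <proto> <flags> <user> <server_path> <args>
ftp     stream  tcp     nowait  root    /usr/sbin/tcpd  in.ftpd
telnet  stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd
#shell  stream  tcp     nowait  root    /usr/sbin/tcpd  in.rshd
finger  stream  tcp     nowait  nobody  /usr/sbin/tcpd  in.fingerd
ident   stream  tcp     wait    nobody  /usr/sbin/in.identd in.identd
  time  dgram   udp     wait    root    internal
EOF
}

# Read inetd.conf on stdin; print one "service/proto" per active (uncommented) entry.
enabled_services() {
    awk '
        /^[ \t]*(#|$)/ { next }        # skip comment lines and blank lines
        NF >= 6 { print $1 "/" $3 }    # a valid entry has at least six fields
    ' | sort -u
}

# Read inetd.conf on stdin; print enabled entries that are not in the
# space-separated allowlist given as $1 (e.g. "ftp/tcp time/udp").
unexpected_services() {
    allow=" $1 "
    enabled_services | while read -r svc; do
        case "$allow" in
            *" $svc "*) ;;             # explicitly allowed, stay quiet
            *) echo "$svc" ;;          # enabled but never approved
        esac
    done
}

# With a file argument, audit that file ($2 = allowlist); otherwise run the sample.
if [ -n "${1:-}" ]; then
    unexpected_services "${2:-}" < "$1"
else
    sample_inetd_conf | unexpected_services "ftp/tcp"
fi
```

Run against a saved 'standard' inetd.conf and the live one, the same functions show which services a reinstall or SuSEconfig run has switched back on.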
participants (3)
- Erwin Zierler - Stubainet
- Norbert Preining
- Roman Drahtmueller