At 09:20 22.08.00 +0200,
On Tue, 22 Aug 2000, Thomas Biege wrote:
If people use the tools we deliver with SuSE + their brains (note: we don't ship brains with SuSE), then they could get a very secure system within a short time of work.
This is NOT a good idea. Either the default install (and the default install for most people is `ALL') enables all the services, which IS
I have installed SuSE on quite a few machines since version 5.3 for different purposes (webservers, mailservers, firewalls, desktop machines,...) but I _never_ needed or wanted to install ALL :-)
crazy! No idea why identd, and similar have to run on a dialin machine? Even at the university where I have installed some susis, I alwyas have to maually shut down all the irrelevant and dangerous services. Services like telnet can be hacked or exploited very easy!
All you have to do is to save all the config files which you are concerned about and make a little tarball. If you are installing the same kind of machines more often it will save you alot of time to use the save-config option ins YAST(2) and you will have your standard installation ready for future installations. Then create your 'standard' inetd.conf and also save it for future installations.
Hrhr... 'secure by default' nice buzzwords. AFAIK /usr/bin isn't audited and neither all the ports are. It's 99% secure as long as you just use the
Nobody says if you turn of all unnecessary services the system is secure, but it is MORE secure than standard and at least a pc all the time linked up to the inet is not as vulnerable as before.
This is true to some degree, BUT: 'secure' is a term which one could stretch very far in both directions. I have seen a NT based commercial Firewall machine that runs pcanywhere as a service which made me wonder what most administrators consider 'secure'. After spending several days to figure out firewall concepts and the use of ipchains I came to the conclusion that as soon as you are running ANY service on a machine that is connected (permanantly or temporarily) to the internet you have a potential security hole. The degree of the vulnerability (or security) not only depends on what services you run but also on issues like monitoring, intrusion detection, local users and reading security related mailinglists and websites.
SuSE 7.0 hast a YaST2 module, that allows the not-so-experienced User to modify /etc/inetd.conf in a easy way, to shut inetd off (even YaST1 ask for this) or to use a default /etc/inetd.conf. In future more security modules will be added to YaST2.
Thats good news!
Hmmm... not sure about that really. If you are serious about configuring i.e. a web-/mail-server, firewall or gateway you should definitely check what is REALLY going on when you change some settings in a dialog box or even in /etc/rc.config. More options in a configuration tool will never give you a more secure system, it only gives you more chances to do it right or wrong. If we really want to talk about security of a Linux distribution we should not discuss the GUI or related issues but rather the potential vulnerabilities and where/how we can avoid them.
The experienced-power-ueber User uses vi or sed to edit the config-files and make their box secure.
thats true, but there are not only power users! The other way round would be better: experienced-ueber-drueber-power users can turn on all the services they need easily and fast!
Would be nice for people who run servers only, but there are other folks out there with other needs. Alot of processes on every Un*x system need certain ports for inter-process communication (X is one of them) so turning off everything by default might get many customers upset. And since SuSE is cetainly not interrested in loosing a large customer base I can't imagine they will ever ship their distribution in such a 'secure' but for many people unusable default configuration.
-- ciao norb
Regards, Erwin