Hi,
If people use the tools we deliver with SuSE + their brains (note: we don't ship brains with SuSE), then they could get a very secure system within a short time of work.
This is NOT a good idea. Either the default install (and the default install for most people is `ALL') enables all the services, which IS
we don't sell a hyper-secure Linux, we sell a nearly complete and usable Linux. we have to go the small path between security and usability, and in my opinion we do that very well.
crazy! No idea why identd, and similar have to run on a dialin machine?
identd: for IRC
Even at the university where I have installed some susis, I always have to manually shut down all the irrelevant and dangerous services. Services
that's ok, because you know what's dangerous, but the inexperienced user just sees a not working system if we disable all services and remove all sbit's.
like telnet can be hacked or exploited very easy!
i can't remember a serious exploit for telnet in the past 4 years, but i remember some exploits for [Open-]SSH. if users use unencrypted traffic it's their fault. we also ship SSH and OpenSSH. we can't drop telnetd, because it's the standard program for logging in over network.
Hrhr... 'secure by default' nice buzzwords. AFAIK /usr/bin isn't audited and neither all the ports are. It's 99% secure as long as you just use the
Nobody says if you turn off all unnecessary services the system is secure, but it is MORE secure than standard and at least a pc all the time linked up to the inet is not as vulnerable as before.
right, but it's also more unusable.
SuSE 7.0 has a YaST2 module that allows the not-so-experienced User to modify /etc/inetd.conf in an easy way, to shut inetd off (even YaST1 asks for this) or to use a default /etc/inetd.conf. In future more security modules will be added to YaST2.
That's good news!
*phew* nice to see, that I could make you happy. ;)
The experienced-power-ueber User uses vi or sed to edit the config-files and make their box secure.
that's true, but there are not only power users! The other way round would be better: experienced-ueber-drueber-power users can turn on all the services they need easily and fast!
we are not OpenBSD. (and that's good so)

Bye,
Thomas
--
Thomas Biege, SuSE GmbH, Schanzaeckerstr. 10, 90443 Nuernberg
E@mail: thomas@suse.de
Function: Security Support & Auditing
"lynx -source http://www.suse.de/~thomas/thomas.pgp | pgp -fka"
Key fingerprint = 09 48 F2 FD 81 F7 E7 98 6D C7 36 F1 96 6A 12 47