|
|
| Applications |
| Mailing Lists |
| Miscellaneous |
| Operating Systems |
| Programming |
Re: secure installation
Date: Mon Aug 20 2007 - 14:43:10 EDT
Javier Fernández-Sanguino Peña <jfs@computer.org> writes:
> You'll find that a simple default Debian installation of etch is not
> really that exposed:
> - exim MTA configured to loopback only
> - portmap installed, open to the world, but can be configured for loopback
> only
> - identd installed, but with no services which makes it not run at all
> (unless you install some other inetd services that is).
> - sshd (server) not installed by default
> Portmap is needed for NFS support out of the box and, IIRC, for GNOME's
> fam but can easily be configured to be loopback-only.
It would be rather nice if Gnome could default to gamin instead of fam, since it doesn't require network services. That's one of the first things I change about any Gnome installation.
> Later releases (6.06) dropped portmap altogether. But the latest release
> (6.10) [2] installs Avahi (mDNS) open to the world, they decided to do
> this due to the features it provided (Zeroconf) and after making sure it
> had been properly audited.
> However, there have been more Avahi vulnerabilities (3 DoS and 1 remote
> BoF since 2006) than there have been in Wietse Venema's portmap's (1 DOS
> vulnerability in 1998).
I think the decision to install Avahi by default is rather questionable; it really isn't clear to me that Zeroconf is such a killer feature as to be worth the additional potential security trouble. But maybe we could arrive at some sort of compromise where the daemon doesn't run by default but the user has some simple way of starting it and stopping it when it's of interest?
-- Russ Allbery ( rra(at)debian.org) < http://www.eyrie.org/~eagle/>Received on Mon Aug 20 14:44:09 2007
This archive was generated by hypermail 2.1.8 : Sun Oct 07 2007 - 07:52:51 EDT
|
Contact Us Legal Notices Order Services Online Pantek Home Privacy Policy IT news Site Map Pantek Library |