05-17-2008, 12:41 AM
Rico Secada

Debian secure by default?

Hi.

Why is Debian not set up to be secure by default?

Not everyone is a security expert so imho the system should be fully
secured out-of-the-box.

Best regards.

Rico.


--
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
 
05-17-2008, 12:47 AM
"Christofer C. Bell"

Debian secure by default?

On Fri, May 16, 2008 at 7:41 PM, Rico Secada <coolzone@it.dk> wrote:
> Hi.
>
> Why is Debian not set up to be secure by default?
>
> Not everyone is a security expert so imho the system should be fully
> secured out-of-the-box.

So, do you have something worthwhile to say or is this just a case of
"the bull elephant trumpeting to the herd"?

--
Chris


 
05-17-2008, 01:12 AM
Raj Kiran Grandhi

Debian secure by default?

Rico Secada wrote:
> Hi.
>
> Why is Debian not set up to be secure by default?
>
> Not everyone is a security expert so imho the system should be fully
> secured out-of-the-box.


Please elaborate on what you consider to be the insecure parts of a
default installation. Describe a process by which an etch system can be
compromised remotely. Obviously, the ability to become root by tweaking
the boot parameters from the grub screen does not count as a vulnerability.



--
Raj Kiran Grandhi
--
Politics is for the moment. An equation is for eternity.
-- Albert Einstein


 
05-17-2008, 02:01 AM
lostson

Debian secure by default?

On Sat, 2008-05-17 at 06:42 +0530, Raj Kiran Grandhi wrote:
> Rico Secada wrote:
> > Hi.
> >
> > Why is Debian not set up to be secure by default?
> >
> > Not everyone is a security expert so imho the system should be fully
> > secured out-of-the-box.
>
> Please elaborate on what you consider to be the insecure parts of a
> default installation. Describe a process by which an etch system can be
> compromised remotely. Obviously, the ability to become root by tweaking
> the boot parameters from the grub screen does not count as a vulnerability.
>
>
> --
> Raj Kiran Grandhi
> --
> Politics is for the moment. An equation is for eternity.
> -- Albert Einstein
>
>
My 2 cents a default firewall would be nice

LostSon


 
05-17-2008, 02:02 AM
"Paul Johnson"

Debian secure by default?

On Friday 16 May 2008 07:01:38 pm lostson wrote:
> On Sat, 2008-05-17 at 06:42 +0530, Raj Kiran Grandhi wrote:
> > Rico Secada wrote:
> > > Hi.
> > >
> > > Why is Debian not set up to be secure by default?
> > >
> > > Not everyone is a security expert so imho the system should be fully
> > > secured out-of-the-box.
> >
> > Please elaborate on what you consider to be the insecure parts of a
> > default installation. Describe a process by which an etch system can be
> > compromised remotely. Obviously, the ability to become root by tweaking
> > the boot parameters from the grub screen does not count as a
> > vulnerability.
>
> My 2 cents a default firewall would be nice

You mean like Windows has? How about not. Here's why:
http://samspade.org/d/firewalls.html

--
Paul Johnson
baloo@ursine.ca

Explanation of .pgp part: http://linuxmafia.com/faq/Mail/rant-gpg.html
 
05-17-2008, 02:09 AM
Lee Glidewell

Debian secure by default?

On Friday 16 May 2008 07:02:59 pm Paul Johnson wrote:
> On Friday 16 May 2008 07:01:38 pm lostson wrote:
> >
> > My 2 cents a default firewall would be nice
>
> You mean like Windows has? How about not. Here's why:
> http://samspade.org/d/firewalls.html
The money quote from that link:
"So... what does a 'personal firewall' actually do? Well, effectively it
listens on all the ports on your system. This provides no real additional
security over turning off the services that you don't use."

The nature and purpose of a "firewall" seems to be greatly misunderstood.
Personally, I think security vendor hype is as much to blame as naivete.

Lee


 
05-17-2008, 02:39 AM
lostson

Debian secure by default?

On Fri, 2008-05-16 at 19:09 -0700, Lee Glidewell wrote:
> On Friday 16 May 2008 07:02:59 pm Paul Johnson wrote:
> > On Friday 16 May 2008 07:01:38 pm lostson wrote:
> > >
> > > My 2 cents a default firewall would be nice
> >
> > You mean like Windows has? How about not. Here's why:
> > http://samspade.org/d/firewalls.html
> The money quote from that link:
> "So... what does a 'personal firewall' actually do? Well, effectively it
> listens on all the ports on your system. This provides no real additional
> security over turning off the services that you don't use."
>
> The nature and purpose of a "firewall" seems to be greatly misunderstood.
> Personally, I think security vendor hype is as much to blame as naivete.
>
> Lee
>
>
So basically a firewall is useless ?

LostSon


 
05-17-2008, 03:20 AM
Mike Bird

Debian secure by default?

On Fri May 16 2008 19:39:27 lostson wrote:
> On Fri, 2008-05-16 at 19:09 -0700, Lee Glidewell wrote:
> > On Friday 16 May 2008 07:02:59 pm Paul Johnson wrote:
> > "So... what does a 'personal firewall' actually do? Well, effectively it
> > listens on all the ports on your system. This provides no real additional
> > security over turning off the services that you don't use."
> >
> > The nature and purpose of a "firewall" seems to be greatly misunderstood.
> > Personally, I think security vendor hype is as much to blame as naivete.
>
> So basically a firewall is useless ?

A firewall does not listen on any ports. (There may be Windows products
which are sold as firewalls and which listen on all ports but they are not
actually firewalls.)

The main function of a firewall is to limit access to open ports. If you
have no open ports the firewall is not limiting access. Some argue from
this that since a firewall appears to be superfluous, and since a firewall
is additional software and carries the possibility of additional security
bugs, that a personal firewall is worse than useless. However there are
two additional points to consider.

1) A firewall can block access to ports that are open that you don't know
are open. For example, ports opened by malware.

2) A firewall, if very carefully configured, can block unwanted outgoing
traffic. For example, a firewall might prevent malware from emailing
your email contacts and credit card details to a cracker. However this
is not easy.

Both of these considerations currently apply much more to infection-prone
Windows than Linux.

Personally, I use few firewalls these days on Linux boxes, and when I do
it is usually for some special effect related to VPNs rather than a
classical firewall limiting access to open ports. However I use a lot
of firewalls in routers, particularly to make it harder for malware to
send spam and to reduce the spread of malware infections between Windows
boxen.

In a standard Debian workstation with no services listening you really
don't need a firewall today. This may change if Linux in the future
should suffer from malware like Windows does today. Linux is just as
susceptible as Windows to a trojan that tricks people into running a
program that mails out all their email contacts, or all strings that
match a credit card number regex.

If you start a service - Apache or FTP or anything else - then you are
responsible for securing it, whether by passwords or certificates or
firewalls or otherwise. It's easy to start a service. It's not easy
to secure a service. Don't start a service until you know how to secure
it, no matter how easy it is. This applies to all OS's.

--Mike Bird
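
Added example, not part of Mike Bird's message or the original thread: a small audit of which TCP ports are actually listening, and which of them are reachable from other hosts, which is the set a packet filter would be limiting access to. It parses the Linux `/proc/net/tcp` format; the sample text is constructed, and the code assumes IPv4 on a little-endian host (IPv6 sockets live in `/proc/net/tcp6` and are not handled).

```python
import ipaddress
import struct

# Constructed sample in /proc/net/tcp format (not captured from a real host).
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 11111 1
   1: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 22222 1
   2: 0100007F:0019 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 33333 1
   3: 0A00000A:0016 0200000A:C350 01 00000000:00000000 00:00000000 00000000     0        0 44444 1
"""

TCP_LISTEN = 0x0A  # state value the kernel reports for listening sockets


def decode_endpoint(field):
    """Decode 'HEXADDR:HEXPORT' as printed on a little-endian host (x86)."""
    addr_hex, port_hex = field.split(":")
    packed = struct.pack("<I", int(addr_hex, 16))  # undo host byte order
    return ipaddress.IPv4Address(packed), int(port_hex, 16)


def listening_sockets(proc_text):
    """Return sorted (address, port, exposed) for every LISTEN socket."""
    found = []
    for line in proc_text.splitlines()[1:]:  # skip the header row
        cols = line.split()
        if len(cols) < 4 or int(cols[3], 16) != TCP_LISTEN:
            continue  # established connections etc. are not open ports
        addr, port = decode_endpoint(cols[1])
        # A socket bound to 127.0.0.0/8 is only reachable from this machine.
        found.append((str(addr), port, not addr.is_loopback))
    return sorted(found, key=lambda s: (s[1], s[0]))


def exposed_ports(proc_text):
    """Ports reachable from other hosts unless a packet filter limits access."""
    return sorted({p for _, p, exposed in listening_sockets(proc_text) if exposed})


if __name__ == "__main__":
    # On a live Linux host, pass open("/proc/net/tcp").read() instead.
    for addr, port, exposed in listening_sockets(SAMPLE_PROC_NET_TCP):
        print(f"{addr}:{port}", "EXPOSED" if exposed else "loopback only")
```

An empty `exposed_ports` result corresponds to the "no services listening" workstation described above; any port that appears unexpectedly is the case in point 1.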


 
05-17-2008, 03:54 AM
Lee Glidewell

Debian secure by default?

On Friday 16 May 2008 07:39:27 pm lostson wrote:
> On Fri, 2008-05-16 at 19:09 -0700, Lee Glidewell wrote:
> > On Friday 16 May 2008 07:02:59 pm Paul Johnson wrote:
> > > On Friday 16 May 2008 07:01:38 pm lostson wrote:
> > > > My 2 cents a default firewall would be nice
> > >
> > > You mean like Windows has? How about not. Here's why:
> > > http://samspade.org/d/firewalls.html
> >
> > The money quote from that link:
> > "So... what does a 'personal firewall' actually do? Well, effectively it
> > listens on all the ports on your system. This provides no real additional
> > security over turning off the services that you don't use."
> >
> > The nature and purpose of a "firewall" seems to be greatly misunderstood.
> > Personally, I think security vendor hype is as much to blame as naivete.
> >
> > Lee
>
> So basically a firewall is useless ?
>
> LostSon

Well, no, I wouldn't go that far. I would say, however, that a generic,
all-purpose software firewall isn't going to improve Debian's "out of the box"
security.

If you know what you're doing, on the other hand, packet filtering software is
incredibly useful. The point about the hardware firewalls boils down to two
facts:
1) If you're serious about security, you should separate services. This means
giving iptables its own box (e.g., a retail NAT router) rather than assigning
a workstation to double-duty.
2) If you don't want to set up your own filtering rules, a retail NAT router
is a better solution than an iptables configuration utility.

The bottom line, IMO, is that a "firewall" is only a set of rules. How useful
it is can only be judged in light of the specific function of the computer
it's protecting.

Lee


 
05-17-2008, 08:36 AM
Rico Secada

Debian secure by default?

On Fri, 16 May 2008 19:47:10 -0500
"Christofer C. Bell" <christofer.c.bell@gmail.com> wrote:

> On Fri, May 16, 2008 at 7:41 PM, Rico Secada <coolzone@it.dk> wrote:
> > Hi.
> >
> > Why is Debian not set up to be secure by default?
> >
> > Not everyone is a security expert so imho the system should be fully
> > secured out-of-the-box.
>
> So, do you have something worthwhile to say or is this just a case of
> "the bull elephant trumpeting to the herd"?

I hope not.. no.


> --
> Chris
>


