[lug] Security

Nate Duehr nate at natetech.com
Tue Feb 15 12:43:25 MST 2000


On Tue, Feb 15, 2000 at 09:44:21AM -0700, Kyle Moore wrote:
> Do you think it would be good if the installer (of whatever OS you are
> installing) prompted you for at least two different kinds of security.
> Maybe it gave you a screen that said 1)Would you like to set your system
> up to be more secure or 2)Would you like default security. I am from the
> school of "install as little as possible to do the job" but I know many
> people don't. I just think it is a joke that some people have NIS, NFS,
> Samba, Sendmail, Apache, a database, a proxy server, dns, a news server,
> snmp, etc. running on a machine and they don't even know it. I think at
> the very least it should install the product but not start it at boot
> until it is configured. 

A few ways to go here:

1) Packages for various types of systems that "tighten up" security.  I
think someone already mentioned Bastille.
2) Knowing what you're doing, and how to run a text editor.
3) Separate firewall box - cheap.

For #1, many of the users who've taken the time to read the
Security-HOWTO and other security documentation don't need them, and
don't really want to take the time to create them.

#2 is the best option, but generally, people won't do it.

#3 is becoming a reality quickly.  I believe the folks at NetGear or
one of the other low-end NIC card manufacturers have come up with some
small boxes in the $200 price range that you can put between a network
of computers and your DSL/Cable modem.  They handle NAT so you don't
need a slew of static IP's for your network, and they have a software
package for installation/configuration -- probably for Windoze.  If you
are using the #2 approach, you can build this yourself from a
spare-parts PC (486's do fine... just don't crank up the logging...).

Haven't seen one of the small firewall boxes yet, but I *know* I saw 
the press release.  I remember that because a friend is building a 
BSD-based firewall on one of those tiny little Pentium motherboards 
at home, and was considering selling them.... someone beat him to it!  :)

> With DSL and cable modems becoming more popular, I think it would be
> great if the OS made it easier for someone without much knowledge to
> have a somewhat secure system. Maybe this means the first choice of an
> install is beginner or expert. The expert side would leave you alone to
> shoot yourself in the foot. The beginner install would ask you about
> security and explain what the packages you have selected actually do.
> When you have a Linux box that you use for internet access and you
> select NIS and NFS, the install says what they are for and then allows
> you to change your selection.

This is one of the reasons I dislike "package groups" on the versions of
Linux that use package managers... you get all sorts of stuff you either
don't need, or don't understand.  Both are "dangerous" from a security
standpoint.  Only install services and things you need or are willing to
spend some time configuring correctly.  

> Just kicking around some ideas...thought I would share them with the
> group.

'Tis what it's all about! :)

-- 
Nate Duehr <nate at natetech.com>

GPG Key fingerprint = DCAF 2B9D CC9B 96FA 7A6D AAF4 2D61 77C5 7ECE C1D2
Public Key available upon request, or at wwwkeys.pgp.net and others.