Re: Question about Debian security policy
On Thu, Jun 30, 2005 at 10:15:28PM +0200, Jan Lühr wrote:
> > I think you'll find OpenBSD launches at least sshd and sendmail
> > in the default install (although sendmail only listens on
> > loopback interface by default). I've always wondered about
> > portmap in debian myself - I presume it's to do with NFS. Perhaps
> > it has to be part of the base system to support network installs.
>
> When I last installed OpenBSD I was asked on whether I want to use ssh. It
> doesn't start automatically.

AFAIR our ssh package asks if it has to be started.

regards
fEnIo

-- 
  ,''`.  Bartosz Fenski | mailto:[EMAIL PROTECTED] | pgp:0x13fefc40 | irc:fEnIo
 : :' :   32-050 Skawina - Glowackiego 3/15 - w. malopolskie - Poland
 `. `'     phone:+48602383548 | proud Debian maintainer and user
   `-        http://skawina.eu.org | jid:[EMAIL PROTECTED] | rlu:172001

Re: Question about Debian security policy
Greetings,

On Thursday, 30 June 2005 12:57, Paul Haesler wrote:
> > Hi everybody. I hope this question won't be too stupid.
> > When I perform a standard installation (i.e minimal), the installer
> > installs many servers, and launches them (like portmap, ssh, exim,
> > etc). Why? I think that OpenBSD and FreeBSD, for example, don't launch
> > any daemon at all, or at least prompt you before doing that. There
> > must be a reason, but I don't see it (I'm not a networking/security
> > guru, so please forgive me if the answer is obvious).
>
> I think you'll find OpenBSD launches at least sshd and sendmail
> in the default install (although sendmail only listens on
> loopback interface by default). I've always wondered about
> portmap in debian myself - I presume it's to do with NFS. Perhaps
> it has to be part of the base system to support network installs.

When I last installed OpenBSD I was asked on whether I want to use ssh. It
doesn't start automatically.

Keep smiling
yanosz

-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Re: Question about Debian security policy
> Hi everybody. I hope this question won't be too stupid.
> When I perform a standard installation (i.e minimal), the installer
> installs many servers, and launches them (like portmap, ssh, exim,
> etc). Why? I think that OpenBSD and FreeBSD, for example, don't launch
> any daemon at all, or at least prompt you before doing that. There
> must be a reason, but I don't see it (I'm not a networking/security
> guru, so please forgive me if the answer is obvious).

I think you'll find OpenBSD launches at least sshd and sendmail
in the default install (although sendmail only listens on
loopback interface by default). I've always wondered about
portmap in debian myself - I presume it's to do with NFS. Perhaps
it has to be part of the base system to support network installs.

-- 
Paul Haesler [EMAIL PROTECTED]

Neutrons are wormholes. And if Blanca's dead clone was right, the
Transmuters had all the degrees of freedom they could need to make
Swift's neutrons unique.
  - Yatima, in Greg Egan's "Diaspora".

Question about Debian security policy
Hi everybody. I hope this question won't be too stupid.
When I perform a standard installation (i.e minimal), the installer installs
many servers, and launches them (like portmap, ssh, exim, etc). Why?
I think that OpenBSD and FreeBSD, for example, don't launch any daemon at all,
or at least prompt you before doing that. There must be a reason, but I don't
see it (I'm not a networking/security guru, so please forgive me if the answer
is obvious).

And I'd like to thank all Debian people: you're achieving an incredible
work ;-)

Re: Question about Debian security policy
On Thu, Jun 30, 2005 at 11:16:18AM +0200, neologix wrote:
> Hi everybody. I hope this question won't be too stupid.
> When I perform a standard installation (i.e minimal), the installer installs
> many servers, and launches them (like portmap, ssh, exim, etc). Why?
> I think that OpenBSD and FreeBSD, for example, don't launch any daemon at all,
> or at least prompt you before doing that. There must be a reason, but I don't
> see it (I'm not a networking/security guru, so please forgive me if the answer
> is obvious).

It's not obvious, but it is documented, please read:
http://www.debian.org/doc/manuals/securing-debian-howto/ch3.en.html#s3.6
and
http://www.debian.org/doc/manuals/securing-debian-howto/ch-sec-services.en.html

Short answer:

- exim - (important priority) required for local mail delivery, if you don't
  configure it to act as a MTA it will only be accessible through 127.0.0.1
  (i.e it will not be exposed)

- sshd - part of the 'standard' installation. If you don't want standard you
  need to do a minimal install (using the 'expert' mode)

- portmap - standard, needed for some RPC services such as NFS (uncommon) or
  FAM (common in desktop environments). It can be easily configured to listen
  only for localhost queries to reduce exposure (check /etc/default/portmap,
  there is a debconf question to enable/disable in etch and sid). You can also
  prevent it from installing if using expert mode (i.e. if you don't install
  nfs-common either, which is also of 'standard' priority)

That's more or less what you will have in a stock standard installation. If
you use a minimal installation through expert mode you can end up with 0
network services, if you install some task you might end up with _more_
network services (printer service, FAM, web server, etc.). So what you have
actually depends on your choices through the installation process.

Regards

Javier
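
Added example, not part of the original thread or of any Debian tool: a way to check which of the daemons discussed above are reachable from the network and which are bound to loopback only. It assumes input in `ss -H -tuln` format; the sample lines are constructed to match the stock 'standard' install described in the message above, and the function names are hypothetical.

```shell
#!/bin/sh
# Classify listening sockets as loopback-only or network-exposed.
# Input: lines in `ss -H -tuln` format (field 5 is Local Address:Port).

# Constructed sample, not captured from a real host: sshd and portmap on
# all interfaces, exim on 127.0.0.1 only.
SAMPLE='tcp LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
tcp LISTEN 0 20 127.0.0.1:25 0.0.0.0:*
tcp LISTEN 0 128 0.0.0.0:111 0.0.0.0:*
udp UNCONN 0 0 0.0.0.0:111 0.0.0.0:*
tcp LISTEN 0 128 [::]:22 [::]:*'

# Prints one line per socket: scope protocol address port service
classify_listeners() {
    awk '
    # Only the three services named in the thread are labelled.
    BEGIN { svc["22"] = "sshd"; svc["25"] = "exim"; svc["111"] = "portmap" }
    NF >= 5 {
        port = $5; sub(/.*:/, "", port)        # text after the last colon
        addr = $5; sub(/:[^:]*$/, "", addr)    # text before the last colon
        # 127.0.0.0/8 and ::1 are loopback; wildcard or any other
        # address is reachable from outside the host.
        scope = (addr ~ /^127\./ || addr == "[::1]") ? "loopback" : "exposed"
        name = (port in svc) ? svc[port] : "unknown"
        print scope, $1, addr, port, name
    }'
}

# Keeps only the sockets that are reachable from the network.
exposed_listeners() {
    classify_listeners | awk '$1 == "exposed"'
}

printf '%s\n' "$SAMPLE" | classify_listeners
```

On a live host, pipe `ss -H -tuln` into `exposed_listeners`; after restricting portmap to localhost, port 111 should drop out of that list.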