Re: make gnome listen on localhost:*
- From: Sean Murphy <murphy erim-int com>
- To: gnome-list gnome org
- Subject: Re: make gnome listen on localhost:*
- Date: Thu, 15 Jun 2000 10:25:36 -0400
This is a really enjoyable discussion; unfortunately I don't know enough about the
subject to follow it completely. Can someone point me to a web page from which I can
learn more about closing up all the holes? I am running a machine with the
standard RedHat 6.2 installation, which judging from this discussion is probably
wide open since I haven't done anything to shore it up.
Derek Simkowiak wrote:
> -> > > As Gnome becomes more popular on desktops with permanent network
> -> > > connections, you can be sure that this will become a popular breakin
> -> > > route.
> -> >
> -> > So unplug it from the network - there are plenty of other more interesting
> -> > network services to choose from if you want to break in.
>
> Maybe it's just me, but this statement seems incredibly dangerous
> and ignorant. I read that as "Why should we secure Orbit, there are
> plenty of other things people can use to break in." (?!)
>
> -> > Or install a firewall, or set up TCP Wrappers properly.
> ->
> -> The less technically minded will not know how to do this, or understand
> -> why they need to.
>
> I agree about the less technically minded folks. I think the
> Gnome target audience includes people from the iMac target audience.
> "Firewall? TCP? Wrappers? Install something? What does that mean?"
>
> -> to be serving up anything which I have not deliberately and explicitly
> -> turned on.
>
> Now if this small bit of common sense would only make it to the
> Linux distro management people...
>
> Every network service should be turned OFF by default. If you
> want to serve telnet, web, etc. then you should have to explicitly turn
> that crap on. Installing Apache (et al.) by default is cool; just don't
> turn it on by default!
>
> At least then you'll KNOW that you're opening a door to your
> system (and won't be left wondering why you were made vulnerable to a
> security exploit for a service you never even used).
>
> -> installation. It (and any other services) should be turned on only by
> -> people who understand what they are doing, and undertake to keep it up to
> -> date and secure.
>
> Oops... didn't realize that had already been said :)
>
> -> couple of years ago. This has led to some colleges banning Linux
> -> machines from being connected to the network.
>
> Speaking as an administrator: As long as the popular Linux distros
> ship with network services enabled by default, banning those distros from
> your campus network is not a bad idea. The last thing an admin wants is a
> bunch of inexperienced newbies offering network services that they don't
> understand, can't configure, and won't maintain.
>
> Of course I love Linux, but the current state of "default"
> installations really bugs me.
>
> In regards to Orbit, I see it as Yet Another Unwarranted Service
> that will be turned on.
>
> Don't you think that, if I wanted to offer a CORBA object to
> other machines, I would know that I needed to explicitly turn on CORBA
> services? And if I have to turn it on, I'll know to upgrade it when a
> security patch comes out.
>
> -> that does not mean that it should be listening by default. The OpenSSH
> -> code went through the rigorous OpenBSD security procedures, but a fairly
>
> The SSH history is such a great example of why ports should be
> closed, unless they are explicitly needed.
>
> I read an email on one of the lists that said there was an Orbit
> configuration option (was it compile-time or run-time? Don't remember)
> that would use a local Unix socket (PF_UNIX) instead of a TCP/IP stream
> (PF_INET).
>
> Assuming that's true: for god's sake, make the default Unix
> sockets! How many Gnome users (experienced or otherwise) really need to
> export their CORBA objects to other computers?
>
> CORBA may make a great substitute for COM, but since Orbit is
> being used in Gnome for desktop applications (and not distributed
> computing problems), keep those ports closed!
>
> </RANT>
>
> --Derek
>
> P.S.> I'm glad to hear about the audit...
>
> _______________________________________________
> gnome-list mailing list
> gnome-list@gnome.org
> http://mail.gnome.org/mailman/listinfo/gnome-list
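The first step in "closing up the holes" Sean asks about, and the check behind Derek's point that a desktop should not be serving anything it did not deliberately turn on, is to find out which TCP ports are actually listening and on which address. The following is an added example, not code from the original thread or from the GNOME/ORBit project: it parses the Linux `/proc/net/tcp` table (the same data `netstat -tln` reads), keeps only sockets in the LISTEN state, and flags those bound to the wildcard address or to a non-loopback interface, which are the ones reachable from the network. The sample table lines are constructed for the example (a daemon on 0.0.0.0:22, one on 127.0.0.1:25, one on 0.0.0.0:80, plus an established connection that must be ignored); the function names are my own. Note that `/proc/net/tcp` covers IPv4 only, `/proc/net/tcp6` and `/proc/net/udp` need the same treatment, and a service that shows up here still has to be either disabled, rebound to 127.0.0.1 (or a Unix-domain socket, as the ORBit option discussed above would do), or shielded by TCP Wrappers or a packet filter.

```python
"""Audit listening TCP sockets from /proc/net/tcp (IPv4 only).

Each entry line looks like:
  sl local_address rem_address st tx_queue:rx_queue tr:tm->when retrnsmt uid timeout inode ...
local_address is HEXIP:HEXPORT with the IP in host (little-endian on x86) byte order.
st == 0A means LISTEN.  A local IP of 00000000 is the wildcard 0.0.0.0.
"""
import socket
import struct

TCP_LISTEN = "0A"

# Constructed sample in /proc/net/tcp format (not captured from a real host):
# row 0: something listening on 0.0.0.0:22 (reachable from the network)
# row 1: something listening on 127.0.0.1:25 (loopback only)
# row 2: something listening on 0.0.0.0:80 (reachable from the network)
# row 3: an ESTABLISHED connection, not a listener, must be skipped
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1001 1 00000000 100 0 0 10 0
   1: 0100007F:0019 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1002 1 00000000 100 0 0 10 0
   2: 00000000:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1003 1 00000000 100 0 0 10 0
   3: 0100007F:0016 0100007F:C8A0 01 00000000:00000000 00:00000000 00000000     0        0 1004 1 00000000 20 4 30 10 -1
""".splitlines()


def parse_addr(hexaddr):
    """Turn '0100007F:0019' into ('127.0.0.1', 25)."""
    ip_hex, port_hex = hexaddr.split(":")
    # The kernel prints the 32-bit address in host byte order; repack it
    # little-endian and let inet_ntoa render the dotted quad.
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)


def listening_sockets(lines):
    """Return [(ip, port, uid)] for every row in state LISTEN."""
    found = []
    for line in lines:
        fields = line.split()
        # Entry rows start with 'N:'; the header row starts with 'sl'.
        if len(fields) < 8 or not fields[0].endswith(":"):
            continue
        local, state, uid = fields[1], fields[3], int(fields[7])
        if state != TCP_LISTEN:
            continue
        ip, port = parse_addr(local)
        found.append((ip, port, uid))
    return found


def network_exposed(listeners):
    """Listeners that a remote host could reach: anything not bound to loopback."""
    return [entry for entry in listeners if not entry[0].startswith("127.")]


def audit(lines):
    """Convenience wrapper: (all listeners, the exposed subset)."""
    listeners = listening_sockets(lines)
    return listeners, network_exposed(listeners)


if __name__ == "__main__":
    # Run against the live table when executed as a script, else the sample.
    try:
        with open("/proc/net/tcp") as fh:
            table = fh.read().splitlines()
    except OSError:
        table = SAMPLE_PROC_NET_TCP
    listeners, exposed = audit(table)
    for ip, port, uid in listeners:
        tag = "EXPOSED" if (ip, port, uid) in exposed else "local  "
        print(f"{tag} {ip}:{port} uid={uid}")
```

Run as a script on a Red Hat 6.2 box (or any Linux) it prints one line per listening IPv4 TCP socket; every line tagged `EXPOSED` is a service the machine is offering to the whole network, and the question to ask for each is the one Derek asks about ORBit: did you turn this on deliberately, and are you keeping it patched? Cross-check with `lsof -i` or `netstat -tlnp` to map the inode back to a process, and repeat for `/proc/net/tcp6` and `/proc/net/udp`.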