On Wed, Sep 24, 2003 at 01:59:16PM -0500, Ryan Underwood wrote:
> > Is there any effort to reduce the number of services running on a
> > default debian install? For example: a typical workstation user doesn't
> > really need to have inetd enabled, nor portmap (unless they are running
> > fam or nfs -- which isn't enabled by default)
>
> What about a package like the harden-* package, but one that conflicts
> with packages that are pointless for a client/desktop system?

Unless such a package is part of the standard installation, it's really of no use. The original poster specifically mentioned the "default debian install".

Personally, I think we really do need to reduce the number of open ports by default. Even Redhat has learned to do this, and Microsoft is quickly learning (the hard way, of course). It's quickly becoming best practice for operating system vendors.

For starters, I think portmap, rpc.statd, and inetd should not run by default. Not running a mail server (or perhaps only running one on the loopback interface) would be nice, too. Users that need these services know it. Users that don't shouldn't be bothered by them, whether that be to turn them off or to get compromised due to some newly discovered vulnerability.

noah
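
An added example, not part of the original message: one way to list which listening sockets on a host are reachable from off the machine and which are bound only to loopback, the distinction the post draws for the mail server. It assumes iproute2 `ss -H -ltnup` output; the sample lines, process names and PIDs are constructed.

```python
import ipaddress

# Constructed sample in the format of `ss -H -ltnup` (not from the original post).
SAMPLE = """\
tcp LISTEN 0 128 0.0.0.0:111 0.0.0.0:* users:(("portmap",pid=412,fd=4))
udp UNCONN 0 0 0.0.0.0:111 0.0.0.0:* users:(("portmap",pid=412,fd=3))
tcp LISTEN 0 128 0.0.0.0:32768 0.0.0.0:* users:(("rpc.statd",pid=430,fd=6))
tcp LISTEN 0 20 127.0.0.1:25 0.0.0.0:* users:(("exim4",pid=601,fd=3))
tcp LISTEN 0 128 [::]:22 [::]:* users:(("sshd",pid=550,fd=4))
tcp LISTEN 0 128 [::1]:631 [::]:* users:(("cupsd",pid=700,fd=7))
tcp LISTEN 0 128 *:9 *:* users:(("inetd",pid=480,fd=5))
"""

# Daemons the post argues should not run by default.
NAMED_IN_POST = {"portmap", "rpc.statd", "inetd"}


def parse_listener(line):
    """Parse one ss line into proto, port, process name and loopback flag."""
    fields = line.split()
    if len(fields) < 6:
        return None
    proto, local = fields[0], fields[4]
    host, _, port = local.rpartition(":")
    host = host.strip("[]").split("%")[0]  # drop IPv6 brackets and %iface scope
    proc = fields[6].split('"')[1] if len(fields) > 6 and '"' in fields[6] else "?"
    # "*" is a wildcard bind; 0.0.0.0 and :: are wildcards too and not loopback.
    loopback = host != "*" and ipaddress.ip_address(host).is_loopback
    return {"proto": proto, "port": int(port), "proc": proc, "loopback": loopback}


def exposed_listeners(ss_output):
    """Return sorted (proc, proto, port) tuples for sockets reachable off-host."""
    found = set()
    for line in ss_output.splitlines():
        entry = parse_listener(line)
        if entry and not entry["loopback"]:
            found.add((entry["proc"], entry["proto"], entry["port"]))
    return sorted(found)


def report(ss_output):
    """One line per exposed listener, marking the daemons the post names."""
    return [f"{proc:10} {proto}/{port:<6} "
            + ("named in post" if proc in NAMED_IN_POST else "review")
            for proc, proto, port in exposed_listeners(ss_output)]


if __name__ == "__main__":
    print("\n".join(report(SAMPLE)))
```

On a live system the same functions can be fed the real output of `ss -H -ltnup`, run as root so the process column is populated.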