Debian secure by default?

Hi.

Why is Debian not set up to be secure by default?

Not everyone is a security expert so imho the system should be fully secured out-of-the-box.

Best regards.

Rico.

--
To UNSUBSCRIBE, email to debian-user-REQUEST@... with a subject of "unsubscribe". Trouble? Contact listmaster@...

Re: Debian secure by default?

On Fri, May 16, 2008 at 7:41 PM, Rico Secada <coolzone@...> wrote:
> Hi.
>
> Why is Debian not set up to be secure by default?
>
> Not everyone is a security expert so imho the system should be fully
> secured out-of-the-box.

So, do you have something worthwhile to say or is this just a case of "the bull elephant trumpeting to the herd"?

--
Chris

Re: Debian secure by default?

Rico Secada wrote:
> Hi.
>
> Why is Debian not set up to be secure by default?
>
> Not everyone is a security expert so imho the system should be fully
> secured out-of-the-box.

Please elaborate on what you consider to be the insecure parts of a default installation. Describe a process by which an etch system can be compromised remotely. Obviously, the ability to become root by tweaking the boot parameters from the grub screen does not count as a vulnerability.

--
Raj Kiran Grandhi
--
Politics is for the moment. An equation is for eternity.
-- Albert Einstein

Re: Debian secure by default?

On Sat, 2008-05-17 at 06:42 +0530, Raj Kiran Grandhi wrote:
> Rico Secada wrote:
> > Hi.
> >
> > Why is Debian not set up to be secure by default?
> >
> > Not everyone is a security expert so imho the system should be fully
> > secured out-of-the-box.
>
> Please elaborate on what you consider to be the insecure parts of a
> default installation. Describe a process by which an etch system can be
> compromised remotely. Obviously, the ability to become root by tweaking
> the boot parameters from the grub screen does not count as a vulnerability.
>
> --
> Raj Kiran Grandhi
> --
> Politics is for the moment. An equation is for eternity.
> -- Albert Einstein

LostSon

Re: Debian secure by default?

On Friday 16 May 2008 07:01:38 pm lostson wrote:
> On Sat, 2008-05-17 at 06:42 +0530, Raj Kiran Grandhi wrote:
> > Rico Secada wrote:
> > > Hi.
> > >
> > > Why is Debian not set up to be secure by default?
> > >
> > > Not everyone is a security expert so imho the system should be fully
> > > secured out-of-the-box.
> >
> > Please elaborate on what you consider to be the insecure parts of a
> > default installation. Describe a process by which an etch system can be
> > compromised remotely. Obviously, the ability to become root by tweaking
> > the boot parameters from the grub screen does not count as a
> > vulnerability.
>
> My 2 cents a default firewall would be nice

http://samspade.org/d/firewalls.html

--
Paul Johnson
baloo@...
Explanation of .pgp part: http://linuxmafia.com/faq/Mail/rant-gpg.html

Re: Debian secure by default?

On Friday 16 May 2008 07:02:59 pm Paul Johnson wrote:
> On Friday 16 May 2008 07:01:38 pm lostson wrote:
> >
> > My 2 cents a default firewall would be nice
>
> You mean like Windows has? How about not. Here's why:
> http://samspade.org/d/firewalls.html

The money quote from that link:

"So... what does a 'personal firewall' actually do? Well, effectively it listens on all the ports on your system. This provides no real additional security over turning off the services that you don't use."

The nature and purpose of a "firewall" seems to be greatly misunderstood. Personally, I think security vendor hype is as much to blame as naivete.

Lee

Re: Debian secure by default?

On Fri, 2008-05-16 at 19:09 -0700, Lee Glidewell wrote:
> On Friday 16 May 2008 07:02:59 pm Paul Johnson wrote:
> > On Friday 16 May 2008 07:01:38 pm lostson wrote:
> > >
> > > My 2 cents a default firewall would be nice
> >
> > You mean like Windows has? How about not. Here's why:
> > http://samspade.org/d/firewalls.html
>
> The money quote from that link:
> "So... what does a 'personal firewall' actually do? Well, effectively it
> listens on all the ports on your system. This provides no real additional
> security over turning off the services that you don't use."
>
> The nature and purpose of a "firewall" seems to be greatly misunderstood.
> Personally, I think security vendor hype is as much to blame as naivete.
>
> Lee

LostSon

Re: Debian secure by default?

On Fri May 16 2008 19:39:27 lostson wrote:
> On Fri, 2008-05-16 at 19:09 -0700, Lee Glidewell wrote:
> > On Friday 16 May 2008 07:02:59 pm Paul Johnson wrote:
> > "So... what does a 'personal firewall' actually do? Well, effectively it
> > listens on all the ports on your system. This provides no real additional
> > security over turning off the services that you don't use."
> >
> > The nature and purpose of a "firewall" seems to be greatly misunderstood.
> > Personally, I think security vendor hype is as much to blame as naivete.
>
> So basically a firewall is useless ?

A firewall does not listen on any ports. (There may be Windows products which are sold as firewalls and which listen on all ports but they are not actually firewalls.)

The main function of a firewall is to limit access to open ports. If you have no open ports the firewall is not limiting access. Some argue from this that since a firewall appears to be superfluous, and since a firewall is additional software and carries the possibility of additional security bugs, that a personal firewall is worse than useless.

However there are two additional points to consider.

1) A firewall can block access to ports that are open that you don't know are open. For example, ports opened by malware.

2) A firewall, if very carefully configured, can block unwanted outgoing traffic. For example, a firewall might prevent malware from emailing your email contacts and credit card details to a cracker. However this is not easy.

Both of these considerations currently apply much more to infection-prone Windows than Linux.

Personally, I use few firewalls these days on Linux boxes, and when I do it is usually for some special effect related to VPNs rather than a classical firewall limiting access to open ports. However I use a lot of firewalls in routers, particularly to make it harder for malware to send spam and to reduce the spread of malware infections between Windows boxen.

In a standard Debian workstation with no services listening you really don't need a firewall today. This may change if Linux in the future should suffer from malware like Windows does today. Linux is just as susceptible as Windows to a trojan that tricks people into running a program that mails out all their email contacts, or all strings that match a credit card number regex.

If you start a service - Apache or FTP or anything else - then you are responsible for securing it, whether by passwords or certificates or firewalls or otherwise. It's easy to start a service. It's not easy to secure a service. Don't start a service until you know how to secure it, no matter how easy it is. This applies to all OSes.

--Mike Bird
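Mike Bird's two points (a firewall limits access to ports that are open, and it can block unwanted outgoing traffic only if carefully configured) come down to one routine a Debian admin can actually run: find out what is listening and reachable from the network, then decide what the packet filter should admit. The script below is an added example, not code from the thread or from Debian. It parses a constructed socket listing in the shape of `ss -tln` output (header removed) to report which listeners are bound to non-loopback addresses, then emits an iptables-restore ruleset that drops all inbound traffic except loopback, established connections and the TCP ports you name. The sample listing and the choice to keep only port 22 are assumptions for the demonstration.

```shell
#!/bin/sh
# Added example, not from the thread: (1) find which TCP listeners are reachable
# from the network and (2) emit a default-deny iptables ruleset that only admits
# the ports you decide to keep. SAMPLE_SS is a constructed listing in the shape
# of `ss -tln` output with its header removed; on a live host substitute the
# real command.

SAMPLE_SS='LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 127.0.0.1:631 0.0.0.0:*
LISTEN 0 511 *:80 *:*
LISTEN 0 128 [::1]:25 [::]:*'

# Print one port per line for every listener not bound to a loopback address.
# A port bound to 0.0.0.0, * or a real interface address is what a remote host
# can reach; loopback-only services (CUPS on 631, the MTA on [::1]:25 here)
# are left out because no firewall rule is needed to hide them.
exposed_ports() {
    printf '%s\n' "$1" | awk '
        $1 == "LISTEN" {
            addr = $4
            n = split(addr, parts, ":")
            port = parts[n]
            host = substr(addr, 1, length(addr) - length(port) - 1)
            if (host == "127.0.0.1" || host == "[::1]") next
            print port
        }' | sort -n -u
}

# Emit an iptables-restore ruleset: loopback and already-established traffic
# pass, the listed TCP ports are accepted, everything else inbound is dropped.
# OUTPUT is left open; tightening it is the "carefully configured" egress
# filtering from the message above and needs per-host rules, not a generic set.
gen_ruleset() {
    printf '%s\n' '*filter' \
        ':INPUT DROP [0:0]' \
        ':FORWARD DROP [0:0]' \
        ':OUTPUT ACCEPT [0:0]' \
        '-A INPUT -i lo -j ACCEPT' \
        '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    for p in "$@"; do
        printf '%s\n' "-A INPUT -p tcp --dport $p -j ACCEPT"
    done
    printf '%s\n' 'COMMIT'
}

# Review what is exposed, then keep only SSH reachable (an assumption for the
# demo). On a real host the output would be saved and loaded with
# `iptables-restore < rules.v4`.
main() {
    echo "Exposed TCP ports:"
    exposed_ports "$SAMPLE_SS"
    echo
    gen_ruleset 22
}

main
```

The audit step matters more than the ruleset: if `exposed_ports` prints nothing, the generated policy changes nothing for inbound traffic, which is exactly Mike's point about a workstation with no services listening. Port 80 showing up in the sample is the case the firewall helps with: a service that is running whether or not you remember starting it.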
Re: Debian secure by default?

On Friday 16 May 2008 07:39:27 pm lostson wrote:
> On Fri, 2008-05-16 at 19:09 -0700, Lee Glidewell wrote:
> > On Friday 16 May 2008 07:02:59 pm Paul Johnson wrote:
> > > On Friday 16 May 2008 07:01:38 pm lostson wrote:
> > > > My 2 cents a default firewall would be nice
> > >
> > > You mean like Windows has? How about not. Here's why:
> > > http://samspade.org/d/firewalls.html
> >
> > The money quote from that link:
> > "So... what does a 'personal firewall' actually do? Well, effectively it
> > listens on all the ports on your system. This provides no real additional
> > security over turning off the services that you don't use."
> >
> > The nature and purpose of a "firewall" seems to be greatly misunderstood.
> > Personally, I think security vendor hype is as much to blame as naivete.
> >
> > Lee
>
> So basically a firewall is useless ?
>
> LostSon

Well, no, I wouldn't go that far. I would say, however, that a generic, all-purpose software firewall isn't going to improve Debian's "out of the box" security. If you know what you're doing, on the other hand, packet filtering software is incredibly useful.

The point about the hardware firewalls boils down to two facts:

1) If you're serious about security, you should separate services. This means giving iptables its own box (e.g., a retail NAT router) rather than assigning a workstation to double-duty.

2) If you don't want to set up your own filtering rules, a retail NAT router is a better solution than an iptables configuration utility.

The bottom line, IMO, is that a "firewall" is only a set of rules. How useful it is can only be judged in light of the specific function of the computer it's protecting.

Lee

Re: Debian secure by default?

On Fri, 16 May 2008 19:47:10 -0500
"Christofer C. Bell" <christofer.c.bell@...> wrote:
> On Fri, May 16, 2008 at 7:41 PM, Rico Secada <coolzone@...> wrote:
> > Hi.
> >
> > Why is Debian not set up to be secure by default?
> >
> > Not everyone is a security expert so imho the system should be fully
> > secured out-of-the-box.
>
> So, do you have something worthwhile to say or is this just a case of
> "the bull elephant trumpeting to the herd"?

I hope not.. no.

> --
> Chris

Re: Debian secure by default?

On Sat, 17 May 2008 06:42:57 +0530
Raj Kiran Grandhi <grajkiran@...> wrote:
> Rico Secada wrote:
> > Hi.
> >
> > Why is Debian not set up to be secure by default?
> >
> > Not everyone is a security expert so imho the system should be fully
> > secured out-of-the-box.
>
> Please elaborate on what you consider to be the insecure parts of a
> default installation. Describe a process by which an etch system can
> be compromised remotely. Obviously, the ability to become root by
> tweaking the boot parameters from the grub screen does not count as a
> vulnerability.

All I am saying is that it shouldn't be needed to harden anything.

http://www.debian.org/doc/manuals/securing-debian-howto/

> --
> Raj Kiran Grandhi
> --
> Politics is for the moment. An equation is for eternity.
> -- Albert Einstein

Re: Debian secure by default?

On Fri, 16 May 2008 19:47:10 -0500
"Christofer C. Bell" <christofer.c.bell@...> wrote:
> On Fri, May 16, 2008 at 7:41 PM, Rico Secada <coolzone@...> wrote:
> > Hi.
> >
> > Why is Debian not set up to be secure by default?
> >
> > Not everyone is a security expert so imho the system should be fully
> > secured out-of-the-box.
>
> So, do you have something worthwhile to say or is this just a case of
> "the bull elephant trumpeting to the herd"?

https://alioth.debian.org/projects/d-sbd/

> --
> Chris

Re: Debian secure by default?

On Sat, 17 May 2008 06:42:57 +0530
Raj Kiran Grandhi <grajkiran@...> wrote:
> Rico Secada wrote:
> > Hi.
> >
> > Why is Debian not set up to be secure by default?
> >
> > Not everyone is a security expert so imho the system should be fully
> > secured out-of-the-box.
>
> Please elaborate on what you consider to be the insecure parts of a
> default installation. Describe a process by which an etch system can
> be compromised remotely. Obviously, the ability to become root by
> tweaking the boot parameters from the grub screen does not count as a
> vulnerability.

I am not saying that Debian isn't secure per se, but things like removing SUID and SGID from files where they generally aren't needed as default imho is better. If someone needs SUID then he has to set it.

Locating what files it is generally safe to remove SUID and SGID from isn't that easy.

> --
> Raj Kiran Grandhi
> --
> Politics is for the moment. An equation is for eternity.
> -- Albert Einstein

Re: Debian secure by default?

Rico Secada wrote:
> On Sat, 17 May 2008 06:42:57 +0530
> Raj Kiran Grandhi <grajkiran@...> wrote:
>
>> Rico Secada wrote:
>>> Hi.
>>>
>>> Why is Debian not set up to be secure by default?
>>>
>>> Not everyone is a security expert so imho the system should be fully
>>> secured out-of-the-box.
>> Please elaborate on what you consider to be the insecure parts of a
>> default installation. Describe a process by which an etch system can
>> be compromised remotely. Obviously, the ability to become root by
>> tweaking the boot parameters from the grub screen does not count as a
>> vulnerability.
>>
>
> All I am saying is that it shouldn't be needed to harden anything.
>
> http://www.debian.org/doc/manuals/securing-debian-howto/

1. It's about risk management; not everybody has the same opinion about what security is worth. Basically there is no one-size-fits-all when it comes to security.

2. Securing a system is a process, meaning that it's something ongoing, not something that one does once and then is done with.

3. Often security and usability are opposed (but not always). It's possible to argue that when server packages (e.g. SSH or lighttpd) are installed they shouldn't be enabled; after all, it might be a mistake by the administrator to install it, and disabled-by-default is more secure than the opposite.

So, while considering this, what concrete things would you suggest are done by default on a new Debian system?

/M

--
Magnus Therning (OpenPGP: 0xAB4DFBA4)
magnus@therning.org Jabber: magnus.therning@gmail.com
http://therning.org/magnus

What if I don't want to obey the laws? Do they throw me in jail with the other bad monads?
-- Daveman

Re: Debian secure by default?

On Fri, May 16, 2008 at 08:54:27PM -0700, Lee Glidewell wrote:
> > > > > My 2 cents a default firewall would be nice
> > > >
> > > > You mean like Windows has? How about not. Here's why:
> > > > http://samspade.org/d/firewalls.html
> > >
> > > The nature and purpose of a "firewall" seems to be greatly misunderstood.
> > > Personally, I think security vendor hype is as much to blame as naivete.
> >
> > So basically a firewall is useless ?
>
> Well, no, I wouldn't go that far. I would say, however, that a generic,
> all-purpose software firewall isn't going to improve Debian's "out of the box"
> security.

While this is probably correct it is not how most nontechnical users perceive it. This has a lot to do with marketing, I guess. When Windows adds (in this case) a firewall to the OS it advertises it loudly and users are persuaded that now it is safer (whether it is true or not). And so most users assume that this applies to other OSes as well.

And this is in my opinion one area where Windows and Linux differ. MS is aware of the power marketing is able to provide _and has the means_ (read: finances) to use it extensively.

To remedy this (with the assets that the Linux community has) users need to be educated. And this is what you are doing here. Thanks for the great job.

But it needs to be realized that most users do not really care (because they do not really know) about the details involved. So we must not be surprised when another user asks a similar question, even more so when this happens often. Just be patient and explain it every time, or go easy and (in this case) make the firewall configured by default, however inappropriate it may be.

Just my random thoughts. Be welcome to disagree.

Misko

Re: Debian secure by default?

On 2008-05-17 11:32 +0200, Rico Secada wrote:
> I am not saying that Debian isn't secure per se, but things like
> removing SUID and SGID from files where they generally aren't needed as
> default imho is better. If someone needs SUID then he has to set it.

That is already mandated by Debian policy, though not always implemented. If you spot an instance of a program being set suid or sgid unnecessarily, please file a bug report (after checking that it had not been reported already). In general, such problems are taken very seriously. For instance, the xfs font server got removed from testing because it unnecessarily runs as root, see bug #50859.

Sven
Re: Debian secure by default?

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 05/17/08 03:51, Rico Secada wrote:
> On Fri, 16 May 2008 19:47:10 -0500
> "Christofer C. Bell" <christofer.c.bell@...> wrote:
>
>> On Fri, May 16, 2008 at 7:41 PM, Rico Secada <coolzone@...> wrote:
>>> Hi.
>>>
>>> Why is Debian not set up to be secure by default?
>>>
>>> Not everyone is a security expert so imho the system should be fully
>>> secured out-of-the-box.
>> So, do you have something worthwhile to say or is this just a case of
>> "the bull elephant trumpeting to the herd"?
>
> https://alioth.debian.org/projects/d-sbd/

A couple of missing words inhibit the ability to really understand what that project tried to do. Besides, it's 4.5yo and dormant.

If what you want is uber-security, there really is nothing to stop you from running OpenBSD.

- --
Ron Johnson, Jr.
Jefferson LA USA

ESPN makes baseball players better.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFILuBbS9HxQb37XmcRAk2aAJ4wf/SCeOUE8WyVFwOW0rxD5xVu3gCgwMsf
Ml77wxpnWnfkXkahvHLjM7k=
=bga4
-----END PGP SIGNATURE-----

Re: Debian secure by default?

Ron Johnson wrote:

Good call Ron. I opted for OBSD as my soho LAN firewall - sits in the corner, does its thing and has been running with an exceptional uptime aside from deliberate power downs. A real workhorse. The knack was setting up the PF rules, but that's another story!! ;-)

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 05/17/08 03:51, Rico Secada wrote:
> > On Fri, 16 May 2008 19:47:10 -0500
> > "Christofer C. Bell" christofer.c.bell@... wrote:
> > > On Fri, May 16, 2008 at 7:41 PM, Rico Secada coolzone@... wrote: