9front - general discussion about 9front
* proposal: disable most of /rc/bin/services/tcp* by default
@ 2015-05-20 18:16 sl
  2015-05-20 18:32 ` [9front] " cinap_lenrek
                   ` (2 more replies)
  0 siblings, 3 replies; 8+ messages in thread
From: sl @ 2015-05-20 18:16 UTC (permalink / raw)
  To: 9front

Why are so many services enabled by default?

I propose to disable the following in the default install by moving
them from tcp* to !tcp*.  Functionality can be enabled by simply
copying !tcp* back to tcp* (and following whatever other procedures
were already required).

Let's turn these off:

	tcp110	# pop3
	tcp143	# imap
	tcp21	# ftp
	tcp23	# telnet
	tcp25	# smtp
	tcp53	# dns
	tcp513	# rlogind
	tcp993	# imap over tls
	tcp995	# pop3 over tls

In addition: Items that are left enabled by default (and really, even
the ones disabled by default) should be checked to ensure that the
installer creates the log files they attempt to write to.

I volunteer to do this if no one objects.

sl
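
The rename proposed above, as an added shell example (not part of the original message and not 9front code). It is written in POSIX sh rather than rc, takes the service directory as an argument so it can be tried on a copy, and its function names are hypothetical.

```shell
#!/bin/sh
# Added example: disable the listeners named in the proposal by renaming
# tcpN to !tcpN inside the service directory given as the first argument.
# PORTS is copied from the list in the message above.
PORTS="110 143 21 23 25 53 513 993 995"

# disable_listeners DIR: rename DIR/tcpN to DIR/!tcpN for each proposed port.
# Prints one line per port and never overwrites an existing !tcpN.
disable_listeners() {
	dir=$1
	[ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 2; }
	for p in $PORTS; do
		on="$dir/tcp$p"
		off="$dir/!tcp$p"
		if [ ! -e "$on" ]; then
			echo "tcp$p: already disabled or absent"
		elif [ -e "$off" ]; then
			# Both copies exist: keep both and leave the choice to the admin.
			echo "tcp$p: skipped, !tcp$p already exists" >&2
		else
			mv -- "$on" "$off" && echo "tcp$p: disabled"
		fi
	done
}

# enabled_listeners DIR: print the tcp* scripts still enabled, sorted by port.
enabled_listeners() {
	for f in "$1"/tcp*; do
		[ -e "$f" ] || continue    # the glob matched nothing
		basename "$f"
	done | sed 's/^tcp//' | sort -n | sed 's/^/tcp/'
}

# Stand-alone use: sh thisfile DIR
if [ $# -gt 0 ]; then
	disable_listeners "$1"
	enabled_listeners "$1"
fi
```

Re-enabling a service is the reverse rename, as the proposal says; the second function gives a quick view of what is still listening after the change.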



* Re: [9front] proposal: disable most of /rc/bin/services/tcp* by default
  2015-05-20 18:16 proposal: disable most of /rc/bin/services/tcp* by default sl
@ 2015-05-20 18:32 ` cinap_lenrek
  2015-05-20 18:36   ` Kurt H Maier
  2015-05-20 20:10 ` mischief
  2015-05-21 11:05 ` arisawa
  2 siblings, 1 reply; 8+ messages in thread
From: cinap_lenrek @ 2015-05-20 18:32 UTC (permalink / raw)
  To: 9front

tricky to do as /rc/bin/service is tracked by hg. so when you do this,
you will shoot down services from the net as they run sysupdate.

all these services require authentication (except dns), and they
run as none initially. tho i see your point, this is not 1995.

--
cinap



* Re: [9front] proposal: disable most of /rc/bin/services/tcp* by default
  2015-05-20 18:32 ` [9front] " cinap_lenrek
@ 2015-05-20 18:36   ` Kurt H Maier
  0 siblings, 0 replies; 8+ messages in thread
From: Kurt H Maier @ 2015-05-20 18:36 UTC (permalink / raw)
  To: 9front

Quoting cinap_lenrek@felloff.net:

> tricky to do as /rc/bin/service is tracked by hg. so when you do this,
> you will shoot down services from the net as they run sysupdate.

Perhaps the files in /rc/bin/service can be renamed/disabled as part of
the installer?  That wouldn't nuke existing installs, but would provide
sane defaults going forward.

khm




* Re: [9front] proposal: disable most of /rc/bin/services/tcp* by default
  2015-05-20 18:16 proposal: disable most of /rc/bin/services/tcp* by default sl
  2015-05-20 18:32 ` [9front] " cinap_lenrek
@ 2015-05-20 20:10 ` mischief
  2015-05-20 20:34   ` cinap_lenrek
  2015-05-21 11:05 ` arisawa
  2 siblings, 1 reply; 8+ messages in thread
From: mischief @ 2015-05-20 20:10 UTC (permalink / raw)
  To: 9front, sl


I am in favor of this and also putting the service directory in .hgignore. Creation of log files would be nice too.

On May 20, 2015 11:16:35 AM PDT, sl@9front.org wrote:
>Why are so many services enabled by default?
>
>I propose to disable the following in the default install by moving
>them from tcp* to !tcp*.  Functionality can be enabled by simply
>copying !tcp* back to tcp* (and following whatever other procedures
>were already required).
>
>Let's turn these off:
>
>	tcp110	# pop3
>	tcp143	# imap
>	tcp21	# ftp
>	tcp23	# telnet
>	tcp25	# smtp
>	tcp53	# dns
>	tcp513	# rlogind
>	tcp993	# imap over tls
>	tcp995	# pop3 over tls
>
>In addition: Items that are left enabled by default (and really, even
>the ones disabled by default) should be checked to ensure that the
>installer creates the log files they attempt to write to.
>
>I volunteer to do this if no one objects.
>
>sl


* Re: [9front] proposal: disable most of /rc/bin/services/tcp* by default
  2015-05-20 20:10 ` mischief
@ 2015-05-20 20:34   ` cinap_lenrek
  2015-05-20 22:46     ` Kurt H Maier
  0 siblings, 1 reply; 8+ messages in thread
From: cinap_lenrek @ 2015-05-20 20:34 UTC (permalink / raw)
  To: 9front

i'm not against this, but what exactly is the problem? it's not like
these services are usable unless you have an actual account on the
auth server (and created a mailbox for the user in case of imap/pop3).

this is not like unix where services run as "root" and then impersonate
some user on the system, but they start as "none" and can't do anything
(even if there are bugs) unless the user authenticates.

if you have an account, then you can as well cpu in and run commands.

what we really want is an authorization scheme that would allow us to
grant a user the services he can use on the system. right now it's
an all or nothing. if you have an account you can use every service
in the network.

--
cinap



* Re: [9front] proposal: disable most of /rc/bin/services/tcp* by default
  2015-05-20 20:34   ` cinap_lenrek
@ 2015-05-20 22:46     ` Kurt H Maier
  2015-05-21  9:19       ` cinap_lenrek
  0 siblings, 1 reply; 8+ messages in thread
From: Kurt H Maier @ 2015-05-20 22:46 UTC (permalink / raw)
  To: 9front

Quoting cinap_lenrek@felloff.net:

> i'm not against this, but what exactly is the problem?

Open ports attract automated attacks. Even if they don't work,
bandwidth costs money.

khm




* Re: [9front] proposal: disable most of /rc/bin/services/tcp* by default
  2015-05-20 22:46     ` Kurt H Maier
@ 2015-05-21  9:19       ` cinap_lenrek
  0 siblings, 0 replies; 8+ messages in thread
From: cinap_lenrek @ 2015-05-21  9:19 UTC (permalink / raw)
  To: 9front

ok, that makes sense.

--
cinap



* Re: [9front] proposal: disable most of /rc/bin/services/tcp* by default
  2015-05-20 18:16 proposal: disable most of /rc/bin/services/tcp* by default sl
  2015-05-20 18:32 ` [9front] " cinap_lenrek
  2015-05-20 20:10 ` mischief
@ 2015-05-21 11:05 ` arisawa
  2 siblings, 0 replies; 8+ messages in thread
From: arisawa @ 2015-05-21 11:05 UTC (permalink / raw)
  To: 9front

Hello 9front users,

currently I don’t use /rc/bin/service/* at all.
I think services are different among servers.
how do you resolve this problem?

Kenji Arisawa

> On 2015/05/21 3:16, sl@9front.org wrote:
> 
> Why are so many services enabled by default?
> 
> I propose to disable the following in the default install by moving
> them from tcp* to !tcp*.  Functionality can be enabled by simply
> copying !tcp* back to tcp* (and following whatever other procedures
> were already required).
> 
> Let's turn these off:
> 
> 	tcp110	# pop3
> 	tcp143	# imap
> 	tcp21	# ftp
> 	tcp23	# telnet
> 	tcp25	# smtp
> 	tcp53	# dns
> 	tcp513	# rlogind
> 	tcp993	# imap over tls
> 	tcp995	# pop3 over tls
> 
> In addition: Items that are left enabled by default (and really, even
> the ones disabled by default) should be checked to ensure that the
> installer creates the log files they attempt to write to.
> 
> I volunteer to do this if no one objects.
> 
> sl


