From: sl@9front.org
To: 9front@9front.org
Subject: Re: [9front] proposal: disable most of /rc/bin/services/tcp* by default
Date: Thu, 21 May 2015 12:27:34 -0400 [thread overview]
Message-ID: <fe6dd39be3601c81d8bde42b4dc41f76@u2.inri> (raw)
> I was not suggesting to not remove these standard services in the default
> configuration. I wanted to understand what the [security] gain is here,
> and if removing these service scripts wouldnt make things worse.
Okay.
> This is a cpu server, there will be at least *one* service listening (cpu).
> If your intend is to waste system resources, then you can as well use the
> cpu service for that, it makes no difference what port you use.
True.
Here is another aspect to consider:
What are the ramifications of each open port that is:
- not configured
- misconfigured
in all possible combinations of file systems (nobody even responded
to my post about user none being treated differently by cwfs and hjfs),
auth configurations, single-user, and multi-user systems?
Can anyone even say they've attempted to examine this?
My contention is that simple is better. You don't have to ask
questions about a service that is not provided. There should
be a justification for each service provided.
Why are these ports open?
> There are no priviledged ports. Any user can listen on any port as long
> as it is not in use already. Say, none starting to listen on dns/tcp port
> because someone forgot to rename the listener for that after setting up
> dns service. This can have consequences far worse as it could then poison
> dns caches and redirect all traffic to some other machine.
That's a good point. But it opens up the question of dangerous
ports that we currently *do not* have open by default. Based on
this line of thought, how do we protect those ports, and why is
(say) tcp port 53 more important to defend than (say) tcp port 80?
What if a user sets up a malicious socks proxy?
I have to leave for work now so I don't have time to repeat this
question for all 65,535 possible ports. But it seems unlikely
that we're going to create dummy scripts for tcp1 through tcp65535.
sl
next reply other threads:[~2015-05-21 16:27 UTC|newest]
Thread overview: 21+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-05-21 16:27 sl [this message]
2015-05-21 18:08 ` Devon H. O'Dell
2015-05-21 19:24 ` cinap_lenrek
-- strict thread matches above, loose matches on Subject: below --
2015-05-21 19:29 sl
2015-05-21 19:38 ` cinap_lenrek
2015-05-21 18:01 sl
2015-05-21 18:06 ` Kurt H Maier
2015-05-21 16:15 sl
2015-05-20 22:51 sl
2015-05-21 9:20 ` cinap_lenrek
2015-05-20 18:46 sl
2015-05-21 9:18 ` cinap_lenrek
2015-05-20 18:16 sl
2015-05-20 18:32 ` [9front] " cinap_lenrek
2015-05-20 18:36 ` Kurt H Maier
2015-05-20 20:10 ` mischief
2015-05-20 20:34 ` cinap_lenrek
2015-05-20 22:46 ` Kurt H Maier
2015-05-21 9:19 ` cinap_lenrek
2015-05-21 11:05 ` arisawa
2015-05-20 17:07 sl
2015-05-20 17:01 sl
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=fe6dd39be3601c81d8bde42b4dc41f76@u2.inri \
--to=sl@9front.org \
--cc=9front@9front.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).