Re: Please enable firewalls by default on Linux distributions
From: Erik Aronesty (firstname.lastname@example.org)
From: email@example.com (Erik Aronesty)
Date: 8 Mar 2003 07:34:53 -0800
You too can join class action contributory negligence lawsuits for fun
Having default security settings for software is like having seat-belts
in cars or safeties on guns. It was the cost - not the technology -
that kept them from being installed until it became a crisis.
Plus, safe guns and cars aren't as cool as unsafe ones.
I can't imagine that that's the case for Linux.
Most of Linux comes with dozens of resource-limits turned on. Why?
To keep the O/S from being too easily compromised.
An unskilled user can't exceed the max-filehandles, or whatever, and
cause the O/S to crash. A skilled user can increase these limits and
"push" his machine's performance-edge, etc.
Only the network comes with "allow everything" as the default.
I imagine it was left out, not because it's a good idea to leave it
out, but just because no one thought of it.
John Smith <Jsmith@hotlink.com> wrote in message news:<3E694DBB.firstname.lastname@example.org>...
> Get real.
> It will likely not happen, also do not assume every install of a piece
> of technology is on the internet to get DOS attacks.
> Most non-windows O/S take the approach of making the system modular
> enough to unload or load whatever you need - just look at Linux
> /etc/rc.d, Cisco's show config, or Netware's autoexec.ncf.
> Anyone configuring anything exposed to untrusted networks needs to RTFM
> and know what is going on under the hood. If not, DOS attacks will be
> the least of their worries.
> Erik Aronesty wrote:
> > DDOS attacks are on the rise.
> > Most distributions of Linux ship with powerful firewalls that are
> > completely turned off when you install them, allowing the systems to
> > be easily used as staging areas for DDOS attacks.
> > Nearly every other piece of network software in the world has "default
> > settings" that contain restrictions on usage, except our most
> > important ones. For example: email servers come with rate filtering
> > defaults and are closed to relaying by default.
> > Router vendors should be selling products that are "default
> > restrictive", unless you are an advanced user who knows how to unlock
> > more powerful features - not the other way around.
> > Rather than begging 200 million clueless users to reconfigure their
> > OSes and routers after installing them, we should simply call
> > attention to the security vulnerabilities inherent in the default
> > settings of the software.
> > Filters that are within the capabilities of the O/S and are reasonable
> > defaults for a majority of the users should be enabled by default.
> > At some point, failure to do this could even be seen as negligent on
> > the part of the vendors.
> > At the very least, egress filtering, syn flood prevention, basic port
> > filters should be enabled by default.
> > Any thoughts on how to get the consumer router vendors to do this?
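What the "default restrictive" ruleset the original post asks for could look like on a Linux host of that era, as an added example that is not part of the thread and not any distribution's shipped policy: a POSIX shell script that emits an iptables ruleset covering the three items named (basic port filters, SYN-flood limiting, egress filtering) plus rate-limited logging of what gets dropped, so an administrator can see the policy working. The interface name, the port lists and the 192.0.2.0/24 address range are assumptions chosen for illustration; gen_firewall_rules only prints the commands, and apply_firewall_rules runs them (as root) after the output has been reviewed.

```shell
#!/bin/sh
# Added example (not from the thread): a "default restrictive" iptables policy.
# All values below are assumptions; adjust WAN_IF, HOST_NET and the port lists
# to the machine before applying.

WAN_IF="${WAN_IF:-eth0}"                          # assumed public-facing interface
HOST_NET="${HOST_NET:-192.0.2.0/24}"              # range this host legitimately uses (RFC 5737, constructed)
ALLOWED_IN_TCP="${ALLOWED_IN_TCP:-22}"            # services deliberately exposed (sshd only)
ALLOWED_OUT_TCP="${ALLOWED_OUT_TCP:-22 53 80 443}" # outbound TCP the host may originate
ALLOWED_OUT_UDP="${ALLOWED_OUT_UDP:-53 123}"      # DNS and NTP

# Print the ruleset instead of executing it, so it can be reviewed or diffed.
gen_firewall_rules() {
    cat <<EOF
iptables -F
iptables -X
# 1. Basic port filters: default-deny in every direction, then punch holes.
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Anti-spoofing: packets claiming our own range must not arrive from the WAN.
iptables -A INPUT -i $WAN_IF -s $HOST_NET -j DROP
# 2. SYN-flood prevention: cap the rate of new connection attempts.
iptables -N SYN_FLOOD
iptables -A SYN_FLOOD -m limit --limit 25/second --limit-burst 50 -j RETURN
iptables -A SYN_FLOOD -j DROP
iptables -A INPUT -p tcp --syn -j SYN_FLOOD
EOF
    for p in $ALLOWED_IN_TCP; do
        echo "iptables -A INPUT -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
    done
    cat <<EOF
# 3. Egress filtering: traffic with a forged source address never leaves the
#    box, and the host may only originate the protocols listed above.
iptables -A OUTPUT -o $WAN_IF ! -s $HOST_NET -j DROP
EOF
    for p in $ALLOWED_OUT_TCP; do
        echo "iptables -A OUTPUT -o $WAN_IF -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
    done
    for p in $ALLOWED_OUT_UDP; do
        echo "iptables -A OUTPUT -o $WAN_IF -p udp --dport $p -j ACCEPT"
    done
    cat <<EOF
iptables -A OUTPUT -o $WAN_IF -p icmp --icmp-type echo-request -j ACCEPT
# Log (rate-limited) whatever falls through to the DROP policies, so an
# administrator can see both inbound probes and unexpected outbound attempts.
iptables -A INPUT -m limit --limit 5/minute -j LOG --log-prefix FW-IN-DROP:
iptables -A OUTPUT -m limit --limit 5/minute -j LOG --log-prefix FW-OUT-DROP:
EOF
}

# Number of iptables commands the generator produces (comments excluded).
rule_count() {
    gen_firewall_rules | grep -c '^iptables'
}

# Execute the generated commands one by one; stop on the first failure so a
# half-applied policy is noticed rather than silently left in place.
apply_firewall_rules() {
    gen_firewall_rules | grep -v '^#' | while read -r cmd; do
        $cmd || { echo "failed: $cmd" >&2; exit 1; }
    done
}

# Usage: ./default-firewall.sh          (print the rules for review)
#        ./default-firewall.sh --apply  (run them, as root)
if [ "${1:-}" = "--apply" ]; then
    apply_firewall_rules
else
    gen_firewall_rules
fi
```

The ordering matters: the conntrack ACCEPT rules sit before the SYN_FLOOD chain so that packets on existing connections are never rate-limited, and the LOG rules are last so that only traffic about to hit the DROP policy is recorded. Egress filtering is the piece most relevant to the DDoS-staging concern in the post: with the `! -s $HOST_NET` rule in place, a compromised host cannot emit spoofed-source floods even before the intrusion is noticed.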