Service Security -- Where Is It? - page 2
Linux distributors, I think, do not for the most part believe that they are producing a desktop operating system. Why they ship KDE and Gnome and StarOffice and other desktop niceties is a mystery, but my sense is that they haven't really thought things through. Many offer "package plans" at installation, in which the user chooses from among several categories of use to which the installation will be put: Minimal (good for nothing or next to it), Workstation (what's that?), Home or Small Office, Development, All Packages. The services that are to be run by default are either poorly explained or not explained at all. The mystified user, especially the newbie, has no idea what to do, which contributes to the large number of early reinstallations. If there's a distribution that lists the packages and services that go in with each installation choice, I've not seen it--in fact, the trend is away from providing a listing at all of the packages available, never mind the services. Okay, it's easy to fetch a tarball off the Web someplace even if you find out later that you had it on the CD all along. But it's just not right to install security holes and not bother to mention it.
Chances are that your distribution has some sort of initialization manager, that lets you add or remove services. Fire that sucker up and take a look. Check out the help file for its explanation of those services. Do you get the impression that it was written by someone who wanted to get it finished before making an increasingly urgent trip to the bathroom?
And the solution is so simple: Run by default only the services necessary to tend to the basic system. Let the user turn on others as needed.
This is the right answer not just for desktop users but also for workstation users, whatever those are, and business users, even those running Web sites. It's astonishing how many sites let you type "ftp" instead of "http" and gain access to the store's files. Might someone who actually has to turn a service on to begin with also take a look at what it involves and what security risks it carries? Whatever the likelihood, it's greater than it is for the user who has to do nothing and never gains the first iota of understanding of how the system works. I'm not talking deep communications theory here, just a basic knowledge of the implications of running a particular service. The person who has to enable it is going to know something more than the person who doesn't. Such as that it's running.
As to the "ebusiness" that might be inconvenienced: C'mon. You think the CEO went out and bought a copy of Linux and installed it himself, then set up the company Web site, and is now confounded by the fact that Apache isn't working? Of course not. He's hired somebody to do it for the company, and if that person is incompetent to edit /etc/inetd.conf, then that person ought to be doing something else for a living, given that enabling a service there typically involves the deletion of a single character: the # that comments its line out. That person is going to be the company hero if through his or her efforts the company fends off a crack attempt--even if those efforts involve resisting the temptation to delete characters on other lines.
Linux has been remarkably free of big-time attacks (as far as we know), though I believe that some Linux machines have been unwittingly involved in distributed denial-of-service attacks--which, in at least some cases, could not have happened but for improperly secured ports, which is to say services that were available to the world and shouldn't have been.
How often does someone across the Web use your printer? Not often? What a surprise. Do you even know what NetBIOS is for in Linux? No? Why, then, do you have it running? Did you know that you do? When was the last time you used AppleTalk, which fires up by default in at least one popular distribution?
See what I mean?
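Here is the audit the column keeps asking for, as an added example; it is my own script, not code from the column or from any distribution. It does two things the text discusses: it reads an inetd.conf-style file and shows which services are live versus commented out (and the one-character # toggle that flips them), and it reads netstat-style output to list the listeners that are reachable from the world rather than from loopback only. The inetd.conf content, the netstat listing and the services table are all constructed samples, not a real system file or a real capture, and the service names in them (ftp, finger, printer, netbios-ssn) are chosen to match the column's examples.

```shell
#!/bin/sh
# Added example (not code from the column): audit an inetd.conf-style
# file for the one-character '#' toggle, and list world-reachable
# listeners from netstat-style output. Every input below is a
# constructed sample, not a real system file or a real capture.

# Constructed /etc/inetd.conf-style content. Classic field order:
# service socket proto wait/nowait user server args
SAMPLE_INETD='# constructed sample, not a real inetd.conf
ftp          stream tcp nowait root   /usr/sbin/tcpd in.ftpd -l -a
#telnet      stream tcp nowait root   /usr/sbin/tcpd in.telnetd
finger       stream tcp nowait nobody /usr/sbin/tcpd in.fingerd
#netbios-ssn stream tcp nowait root   /usr/sbin/tcpd /usr/sbin/smbd
printer      stream tcp nowait lp     /usr/sbin/tcpd /usr/sbin/lpd
'

# Print the name of every service inetd would actually start:
# lines that are neither blank nor commented out. Reads stdin.
enabled_services() {
    grep -Ev '^[[:space:]]*(#|$)' | awk '{ print $1 }'
}

# Number of enabled services in the constructed sample.
count_enabled() {
    printf '%s' "$SAMPLE_INETD" | enabled_services | wc -l | tr -d ' '
}

# Disable a service by adding the single '#' in front of its line.
# Text transformation on stdin only; nothing under /etc is touched.
disable_service() {
    sed -E "s/^($1[[:space:]])/#\\1/"
}

# Enable a service by deleting that single character again.
enable_service() {
    sed -E "s/^#($1[[:space:]])/\\1/"
}

# Constructed 'netstat -tln'-style listing (not captured from a host).
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address     Foreign Address   State
tcp        0      0 0.0.0.0:21        0.0.0.0:*         LISTEN
tcp        0      0 0.0.0.0:139       0.0.0.0:*         LISTEN
tcp        0      0 0.0.0.0:515       0.0.0.0:*         LISTEN
tcp        0      0 127.0.0.1:25      0.0.0.0:*         LISTEN
'

# Constructed /etc/services-style table used to name the ports.
SAMPLE_SERVICES='ftp 21/tcp
smtp 25/tcp
netbios-ssn 139/tcp
printer 515/tcp
'

# Report listeners bound to every interface (0.0.0.0), i.e. reachable
# from the world, as port:name. Loopback-only listeners are skipped.
world_listeners() {
    printf '%s' "$SAMPLE_NETSTAT" |
        awk '$6 == "LISTEN" && $4 ~ /^0\.0\.0\.0:/ { split($4, a, ":"); print a[2] }' |
        while read -r port; do
            name=$(printf '%s' "$SAMPLE_SERVICES" | awk -v p="$port/tcp" '$2 == p { print $1 }')
            printf '%s:%s\n' "$port" "${name:-unknown}"
        done
}

# Stand-alone run: the report the installer never shows you.
printf 'Enabled in sample inetd.conf:\n'
printf '%s' "$SAMPLE_INETD" | enabled_services
printf 'Reachable from the world in sample netstat output:\n'
world_listeners
```

On a real machine you would feed `enabled_services` the actual /etc/inetd.conf and `world_listeners` the live `netstat -tln` output instead of the embedded samples; the point of the two functions is that the answer to "did you know that you do?" is a one-liner away, and turning a service off is a matter of putting back the # that the installer removed for you.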