Back to article
.comment: Service Security -- Where Is It?
July 19, 2000
I have a bone to pick with most, maybe all, Linux distributors: Why in the world do they ship such security nightmares?
To their credit, many stay on top of security issues, sending urgent messages to registered users and mailing list subscribers when a potential security exploit is found in a particular package, along with workarounds, updated packages, or both. But the way that a lot of distributions install by default, this is a lot like putting locking lug nuts on the wheels while leaving the doors unlocked and the key in the ignition.
If you're running Linux and you have a technically savvy friend, have that friend do a port scan of your machine sometime and send you the results. You will be startled and probably confused. Unless you've engaged in the wholesale turning off of services, your machine is more than likely wide open to script kiddies and, potentially worse, people who really know what they're doing. The script kiddies are vandals. There are real criminals out there, who steal stuff.
Linux is fundamentally a pretty secure system. Why should distributors make it less so?
Documentation? Yeah, Right
Well, no. You can get email just fine in most cases and can download all the files you want from ftp sites without either of those services running. Those services are not so you can engage in the activities related to them--they're so your machine can be a server. Until fairly recently, sendmail allowed mail relays by default. What does this mean? A spammer could send mail through your system. In the manner of many spammers, the email addresses might well have been made up, generated at random, the idea being that a certain percentage of them would get through. The rest, the vast majority, would bounce. Where would those bounced messages go? To you, and buried within them someplace would be the note from your ISP about how your account was being canceled because you're a spammer. Nice, huh? If you aren't a mail server, it's a nonissue.
Chances are you're not an ftp site. Why have that door open?
The list goes on and on.
Now. Go to the documentation that came with your distribution and try to find the listing of services that are enabled by default. When you don't find it, you'll also not find an explanation of what they are for and the circumstances under which you might happily turn them off. You'll be lucky to find documentation on how to turn them off at all.
It's an outrage but more than that, it demonstrates that distributors have it backwards.