Redhat keeps getting easier and easier to install. That's great! There's only one problem - lots of naive users are installing Redhat without really understanding what /etc/inetd.conf is, much less what a daemon started at boot time means. Linux users inside my organization are getting a lot of flak as vulnerabilities in imapd and named are being exploited and the network as a whole is being compromised. The irony is that most of the Linux machines here do not even need to be running imapd or named, and their installers have no idea these programs are running. Redhat just started them up by default.

The "right" solution to this is for everyone to install security updates, and for Linux machine owners to learn enough to configure their boxes. Sadly, in practice that's hard to make happen. So I ask that Redhat consider cutting down the number of services that are turned on by a default install. Go ahead and install imapd, but leave it commented out in inetd.conf. Don't start named in /etc/rc.d. That way, a default install will be considerably more secure.

There's obviously a trade-off here: you want Redhat to be cool and super-functional for a default install. Some services obviously should be on by default. But I think Redhat has gone too far with the default, and the result is a lot of security problems. If you'd like, I can send you a list of the services I think should be on by default. Thank you, Nelson
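The message above recommends auditing /etc/inetd.conf and commenting out entries such as imapd. As an added illustration (not part of the original thread or of any Red Hat release), the script below parses a small constructed inetd.conf, lists which services inetd would actually start, and produces a copy with one service commented out in the way Nelson describes. The sample config, the file names and the function names are all constructed for this example.

```shell
#!/bin/sh
# Added example: audit and harden an inetd.conf in the style discussed above.
# inetd.conf format: one entry per line,
#   service socktype proto wait/nowait user server [args...]
# A leading '#' comments the entry out, so inetd will not listen for it.
# The sample below is constructed for this example; it is not a real
# Red Hat shipped file.

SAMPLE_INETD_CONF="$(mktemp)"
cat > "$SAMPLE_INETD_CONF" <<'EOF'
# constructed inetd.conf sample
ftp     stream  tcp     nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd
#shell  stream  tcp     nowait  root    /usr/sbin/tcpd  in.rshd
imap    stream  tcp     nowait  root    /usr/sbin/tcpd  imapd
#pop-3  stream  tcp     nowait  root    /usr/sbin/tcpd  ipop3d
EOF

# enabled_services FILE
# Print the service name of every active entry, one per line. Comments
# (whole-line or trailing) are stripped first; a valid entry needs at least
# the six mandatory fields, which also skips blank lines.
enabled_services() {
    sed -e 's/#.*$//' "$1" | awk 'NF >= 6 { print $1 }'
}

# disable_service FILE SERVICE
# Write a copy of FILE in which every active entry for SERVICE is commented
# out (the "leave it commented out in inetd.conf" step); print the copy's path.
disable_service() {
    out="$(mktemp)"
    awk -v svc="$2" '$1 == svc { print "#" $0; next } { print }' "$1" > "$out"
    printf '%s\n' "$out"
}

# Stand-alone usage: show what the sample config would start, then harden it.
echo "Services inetd would start from $SAMPLE_INETD_CONF:"
enabled_services "$SAMPLE_INETD_CONF"
HARDENED_CONF="$(disable_service "$SAMPLE_INETD_CONF" imap)"
echo "After disabling imap ($HARDENED_CONF):"
enabled_services "$HARDENED_CONF"
```

Run against a real /etc/inetd.conf, the first function gives a defender a quick inventory of which inetd-managed services a machine is exposing, which is exactly the information Nelson says most installers lack. Daemons started from /etc/rc.d (named in the example) are not covered by inetd.conf; on Red Hat systems of that era `chkconfig --list` reports which init scripts run at boot.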
I understand where you are coming from on this one, but unfortunately it's a two-sided argument. In our newest version 5.2, we have a workstation install scenario that does not install a lot of the server-related apps, so the entries in inetd.conf that pertain to those packages would not be functional anyway. Also, there is always the option of just choosing not to have the inetd service start at all on workstations during the install. The point is that more education of the users is needed rather than shipping these turned off by default. We are working on making the manual that ships with Red Hat better explain these issues.
Thanks for your response. We understand each other, but disagree. I really don't think more documentation will solve the problem. Users don't read manuals. Again, I strongly urge you to make the default more secure by keeping services off by default. If a user reads the manual, then they can learn how to turn the services on.
I agree with Nelson... Who is more likely to read the manual? Users installing Linux for their own personal workstation or system administrators installing Linux for their organization's Internet server? Hopefully the sysadmin, if anybody. Services should be disabled by default and enabled by the sysadmin manually. Linux needs to take over the desktop market, but not have crackers take over the Linux desktops. ;-)
Hooray! Redhat 6.2 has finally changed the policy, looks like most services are off by default.