On Mon, Oct 21, 2002 at 12:34:53AM -0000, soso@private wrote:
> I am blown away by the high level of security in the standard Openwall 1.0
> install - Amazing job to all concerned!

Thanks.

> I have a couple of comments and questions, though. First, I had to
> `echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts`. Is there a reason
> this isn't done by default in order to discourage the use of Openwall boxes
> for icmp DDoS attacks?

No, no special reason. I've added it to my TODO and will hopefully do soon (it's trivial, but needs to be documented in sysctl.conf comments properly).

This is not the only default sysctl setting that we could want to change. I am still unsure for SYN cookies, but we'll probably turn them on despite the very small added risk of bypassing certain packet filter setups with it (there's no longer a need to send a SYN if one manages to guess the sequence number for the SYN/ACK packet).

> Secondly, I had to disable ctrl-alt-del reboots.
> Though this is more of a "personal choice" issue, it seems that allowing
> anyone who can get their hands on the keyboard to reboot the machine
> (possibly with a nasty floppy or cdrom in the drive) is insecure.

It doesn't make much sense to change default for just the console reboots. It would only make sense if we also provide a restrictive default boot loader configuration (otherwise there's always "init=/bin/sh" and other tricks) and tell the user to possibly secure their BIOS/firmware setup. But even then, letting people with physical access request a reboot is generally just a convenience. Such that they don't have to do it by hardware means.

> And finally, it would be nice if `wipe` or some other secure deletion
> program were included in the distro :).

There's shred(1). We even used to patch its man page to document possible cases when it fails to work, before that piece got into the official man page of a newer version (which we've since updated to).

> Thanks for putting together such a squeaky-clean distro. Now I can sleep
> well at night...

You're welcome.

--
/sd
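The two sysctl settings discussed in the message above, checked against sysctl.conf-style text. This is an added example, not part of the original message and not Openwall's own code. It assumes `net.ipv4.tcp_syncookies` as the key for SYN cookies and treats a value of 1 as the wanted setting for both keys; the function names and the sample configuration are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit sysctl.conf-style text for the settings discussed above.

# Print the effective value of key $1 in the sysctl.conf-style text on stdin.
# Handles comments (# and ;), blank lines, whitespace around '=', the
# slash-separated key spelling, and "last assignment wins".
sysctl_conf_value() {
    awk -v want="$1" '
        /^[ \t]*([#;]|$)/ { next }            # skip comments and blank lines
        {
            eq = index($0, "=")
            if (eq == 0) next                 # not an assignment
            key = substr($0, 1, eq - 1)
            val = substr($0, eq + 1)
            gsub(/[ \t]/, "", key)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            gsub(/\//, ".", key)              # net/ipv4/x becomes net.ipv4.x
            if (key == want) found = val
        }
        END { if (found != "") print found; else print "unset" }
    '
}

# Report each key as ok/WEAK; return non-zero if any is not set to 1.
audit_sysctl_conf() {
    conf=$1
    rc=0
    for key in net.ipv4.icmp_echo_ignore_broadcasts net.ipv4.tcp_syncookies; do
        val=$(printf '%s\n' "$conf" | sysctl_conf_value "$key")
        if [ "$val" = 1 ]; then
            echo "ok   $key = $val"
        else
            echo "WEAK $key = $val (want 1)"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample input, not a shipped configuration file.
SAMPLE_CONF='# constructed sample
net.ipv4.icmp_echo_ignore_broadcasts = 0
; a later assignment overrides the earlier one
net/ipv4/icmp_echo_ignore_broadcasts=1
# net.ipv4.tcp_syncookies = 1
'

audit_sysctl_conf "$SAMPLE_CONF" || true
```

A commented-out assignment counts as unset, so the sample passes the broadcast check and fails the SYN cookies check.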