*BSD News Article 62979


Newsgroups: comp.unix.bsd.freebsd.misc
Path: euryale.cc.adfa.oz.au!newshost.anu.edu.au!harbinger.cc.monash.edu.au!news.mel.connect.com.au!munnari.OZ.AU!news.ecn.uoknor.edu!paladin.american.edu!gatech!newsfeed.internetmci.com!in1.uu.net!news2.new-york.net!bet
From: bet@ritz.mordor.com (Bennett Todd)
Subject: Re: IMPORTANT PPP SECURITY ISSUE
X-Newsreader: slrn (0.8.6.1)
X-Nntp-Posting-User: bet
Message-ID: <slrn4k0gn6.m4h.bet@ritz.mordor.com>
References: <4hkast$4u7@ns.hcsc.com> <4hnfpg$2rh@orca.osg.gov.bc.ca>
X-Trace: 826295014/12049
X-Nntp-Posting-Host: ritz.mordor.com
Date: Fri, 8 Mar 1996 14:23:36 GMT
Lines: 21

When folks set up a PPP link, one of two circumstances applies: either they're
setting up a server, or they aren't:-). Now if you are actually setting up a
server, then yes, you do need to properly secure it, and that's a protracted
and tricky job. But if you aren't setting up a server, it's easy to be secure;
just don't enable arbitrary services. For example:

	- don't make your system an NFS server (don't have an /etc/exports
	  file)

	- don't allow any incoming login-type connections; eyeball the
	  contents of inetd.conf; you probably don't need anything there, in
	  which case disable inetd. If you do need some service out of there
	  then disable everything except what you do need

	- check what daemons you actually have to run. If you aren't going
	  to have a permanent connection, then you probably don't need to be
	  running sendmail as a daemon, for example. Don't run NIS (nee YP).
	  If you can get away with it, don't run portmapper.

-Bennett
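
The three checks listed in the post, written as POSIX shell functions. This is an added example, not part of the original post; the function names, the optional root-directory argument and the sample tree are assumptions made for the example.

```sh
#!/bin/sh
# Added example: audit a non-server host against the post's checklist.
# Function names and the optional root-directory argument are assumptions.

# Print the service name of every enabled inetd.conf entry.
# Blank lines and lines starting with '#' are disabled entries.
enabled_inetd_services() {
    [ -r "$1" ] || return 0
    awk 'NF && $1 !~ /^#/ { print $1 }' "$1"
}

# Read process names on stdin (for example from `ps -ax -o comm`) and
# flag the daemons the post names: sendmail, NIS (ypserv/ypbind), portmap.
flag_daemons() {
    awk '{ n = $1; sub(/.*\//, "", n) }
         n ~ /^(sendmail|ypserv|ypbind|portmap)$/ { print "daemon: " n " running" }'
}

# Check <root>/etc/exports and <root>/etc/inetd.conf (root defaults to /).
# Prints one finding per line; returns 1 if there was any finding.
audit_host() {
    root=${1:-}
    findings=0
    if [ -e "$root/etc/exports" ]; then
        echo "nfs: $root/etc/exports exists"
        findings=1
    fi
    for svc in $(enabled_inetd_services "$root/etc/inetd.conf"); do
        echo "inetd: $svc enabled"
        findings=1
    done
    return "$findings"
}

# Build a constructed sample tree so the checks can be tried offline.
make_sample_root() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/etc"
    : > "$d/etc/exports"
    cat > "$d/etc/inetd.conf" <<'EOF'
# constructed sample, not from a real host
#ftp	stream	tcp	nowait	root	/usr/libexec/ftpd	ftpd -l
telnet	stream	tcp	nowait	root	/usr/libexec/telnetd	telnetd

finger	stream	tcp	nowait	nobody	/usr/libexec/fingerd	fingerd -s
EOF
    echo "$d"
}
```

On a live system, call `audit_host` with no argument and pipe a process listing into `flag_daemons`.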