Security Innovation's Microsoft/Linux web server security study

Posted Mar 23, 2005 19:17 UTC (Wed) by jwb (guest, #15467) [Link]

That's a great list, Don. Why can't we get default installs that meet all these criteria? I just installed Debian on a bunch of old PCs for compute nodes, so allow me to run down your list with a fresh perspective:

1: whatever
2: Debian's exim seems to almost never get configured properly. My error perhaps, but I find the dialog confusing. Of four hosts I installed yesterday, 2 had working admin mail, 2 did not. The exim3->exim4 dist-upgrade seems to work poorly.
3: syslogd, klogd, exim4, inetd, cron, getty. Pretty good.
4: Debian's exim default listens to loopback only.
5: daytime and time are both enabled in the default inetd.conf, needlessly.
6: apt-get, no problems.
7: Debian doesn't install ntp nor ntpdate in the base. It should.
8: Debian doesn't install ssh by default.
9: Inetd is needlessly listening on three ports.
10: good idea :)
11: no default iptables rules in Debian, and also discards your firewall rules every time you reboot.

So it seems that at least Debian has a long way to go before the default install is ideal and perfect. I would add one thing to your list, and that is: the administrator's ssh private key should really be on a smart card. SSH supports generation of the key on-card, and uses the key to establish the connection, so the private key is never in core or on disk of any computer. Alas, Debian's ssh does not support smartcards. If you want this functionality you need to rebuild the package locally.

What does all this have to do with the original article? Well not much I guess. As we all know you are pretty well screwed when installing a Windows machine, and frankly I fail to see how a mysql bug is a Linux problem. Do not people use mysql on Windows, as well?