-------- Forwarded Message --------
From: Lindsay Druett <lindsay@wired.net.nz>
Reply-To: lindsay@wired.net.nz
To: Bruce Kingsbury <zcat@wired.net.nz>
Subject: Re: [wlug] Linux the cause of Ebay phishing...
Date: Tue, 09 Oct 2007 20:05:28 +1300

And going to the Linux front....
Red Hat server is a baddie...
I had to sort out a Linux server last week for a rather large customer.
In the /etc/rc(whatever).D they had everything under the sun *and* the moon.
Would you believe, they had /etc/init.d/ipchains start and /etc/init.d/iptables start together...

Going to my ITS days...

Slackware was the ITS standard distro when I was working for Uni, and the big concern was security (no wonder).
The BOFH had done a crackdown on ITS security when I was there, and believe it or not, my work desktop got the rubber stamp.
It wasn't running Slackware, and if it ran Slackware, it would have failed miserably, but it ran SuSE desktop of all things...

Oh yeah... || to your distro Denise...

On Tue, 2007-10-09 at 19:26 +1300, Bruce Kingsbury wrote:
> Linux OTOH can be set up so, for example, the MySQL database could
> only be accessed via 127.0.0.1 if it was only for the local webserver,
> or opened up only to the hosts that need to access the database
> server. 

Windows can be set up the same way, it just typically isn't.

Many Linux distros (particularly the ones intended for desktop users)
have a policy of 'no open ports' and a lot of software like MySQL is
similarly preconfigured to only listen to localhost. In my experience with
Windows, all sorts of completely unnecessary things end up listening on
all interfaces, simply because on the chance that you happen to need
those services, they'll already be installed and accessible. Hello
slammer! That's great from an 'everything just works' perspective,
perhaps.. but it's terrible from a security perspective.
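
The localhost-versus-all-interfaces distinction discussed in this thread can be audited on a Linux host from the kernel's TCP socket table. The following is an added example, not part of the original e-mails; it assumes IPv4 and a little-endian host (x86), and the sample table, function names and port allow-list are constructed for illustration.

```python
import ipaddress

# Constructed sample in /proc/net/tcp layout (not captured from a real host).
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0CEA 00000000:0000 0A 00000000:00000000 00:00000000 00000000    27        0 11111 1
   1: 00000000:006F 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 22222 1
   2: 0A00A8C0:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 33333 1
   3: 0A00A8C0:0016 0500A8C0:D431 01 00000000:00000000 00:00000000 00000000     0        0 44444 1
"""

TCP_LISTEN = "0A"  # socket state code for LISTEN in /proc/net/tcp


def decode_endpoint(field):
    """Turn 'HEXADDR:HEXPORT' into (IPv4Address, port); assumes little-endian host."""
    addr_hex, port_hex = field.split(":")
    packed = int(addr_hex, 16).to_bytes(4, "little")
    return ipaddress.IPv4Address(packed), int(port_hex, 16)


def listeners(table):
    """Return (address, port, exposure) for every listening TCP socket."""
    found = []
    for line in table.splitlines()[1:]:  # skip the header row
        cols = line.split()
        if len(cols) < 4 or cols[3] != TCP_LISTEN:
            continue  # established or other non-listening sockets
        addr, port = decode_endpoint(cols[1])
        if addr.is_unspecified:
            exposure = "all-interfaces"  # bound to 0.0.0.0
        elif addr.is_loopback:
            exposure = "loopback-only"  # e.g. MySQL on 127.0.0.1
        else:
            exposure = "single-interface"
        found.append((str(addr), port, exposure))
    return found


def exposed(table, allowed_ports=frozenset()):
    """Listeners reachable off-host whose port is not on the allow-list."""
    return [item for item in listeners(table)
            if item[2] != "loopback-only" and item[1] not in allowed_ports]


if __name__ == "__main__":
    # On a Linux host, pass open("/proc/net/tcp").read() instead of SAMPLE.
    for addr, port, exposure in exposed(SAMPLE, allowed_ports={22}):
        print(f"{addr}:{port} listens on {exposure}, not on the allow-list")
```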