[Fwd: Re: Linux the cause of Ebay phishing...]

-------- Forwarded Message --------
From: Lindsay Druett <lindsay(a)wired.net.nz>
Reply-To: lindsay(a)wired.net.nz
To: Bruce Kingsbury <zcat(a)wired.net.nz>
Subject: Re: [wlug] Linux the cause of Ebay phishing...
Date: Tue, 09 Oct 2007 20:05:28 +1300

And going to the Linux front....

Redhat server is a baddie... I had to sort out a Linux server last week for a rather large customer. In the /etc/rc(whatever).D they had everything under the sun *and* the moon. Would you believe, they had /etc/init.d/ipchains start and /etc/init.d/iptables start together...

Going to my ITS days... Slackware was the ITS standard distro when I was working for Uni, and the big concern was security (no wonder). The BOFH had done a crackdown on ITS security when I was there, and believe it or not, my work desktop got the rubber stamp. It wasn't running Slackware, and if it ran Slackware, it would have failed miserably, but it ran SuSe desktop of all things...

Oh yeah... || to your distro Denise...

On Tue, 2007-10-09 at 19:26 +1300, Bruce Kingsbury wrote:
Linux OTOH can be set up so, for example, the MySQL database could only be accessed via 127.0.0.1 if it was only for the local webserver, or opened up only to the hosts that need to access the database server.
Windows can be set up the same way, it just typically isn't.
Many Linux distros (particularly the ones intended for desktop users) have a policy of 'no open ports' and a lot of software like MySQL is similarly preconfigured to only listen to localhost. In my experience with Windows, all sorts of completely unnecessary things end up listening on all interfaces, simply because on the chance that you happen to need those services, they'll already be installed and accessible. Hello slammer! That's great from an 'everything just works' perspective, perhaps.. but it's terrible from a security perspective.
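Added example, not part of the original e-mails: one way to audit the "listen only on localhost" point made in the thread is to decode the Linux `/proc/net/tcp` table and separate loopback-only listeners from those reachable on other interfaces. The function names and the sample table are constructed for illustration, and the address decoding assumes a little-endian host.

```python
import ipaddress
import os
import struct

# Constructed sample in /proc/net/tcp layout (not captured from a real host).
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0CEA 00000000:0000 0A 00000000:00000000 00:00000000 00000000   111        0 1001
   1: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1002
   2: 0A00000A:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000    33        0 1003
   3: 0A00000A:0050 0A000014:C350 01 00000000:00000000 00:00000000 00000000    33        0 1004
"""

TCP_LISTEN = "0A"  # socket state code for LISTEN in /proc/net/tcp


def decode_endpoint(field):
    """Turn 'HEXADDR:HEXPORT' into (IPv4Address, port); little-endian host assumed."""
    addr_hex, port_hex = field.split(":")
    addr = ipaddress.IPv4Address(struct.pack("<I", int(addr_hex, 16)))
    return addr, int(port_hex, 16)


def listening_sockets(table_text):
    """Return (address, port, scope) for every socket in LISTEN state."""
    found = []
    for line in table_text.splitlines()[1:]:  # first line is the column header
        cols = line.split()
        if len(cols) < 4 or cols[3] != TCP_LISTEN:
            continue  # established or closing connections are not listeners
        addr, port = decode_endpoint(cols[1])
        if addr.is_unspecified:
            scope = "all-interfaces"  # 0.0.0.0: every interface on the host
        elif addr.is_loopback:
            scope = "loopback"  # 127.0.0.0/8: local processes only
        else:
            scope = "single-interface"
        found.append((str(addr), port, scope))
    return found


def off_host_listeners(table_text):
    """Listeners that other machines can reach, i.e. not bound to loopback."""
    return [s for s in listening_sockets(table_text) if s[2] != "loopback"]


if __name__ == "__main__":
    path = "/proc/net/tcp"
    text = open(path).read() if os.path.exists(path) else SAMPLE_PROC_NET_TCP
    for addr, port, scope in off_host_listeners(text):
        print(f"{addr}:{port} listens beyond loopback ({scope})")
```

In the constructed table the MySQL port (3306) is bound to 127.0.0.1 and is not reported, while the listeners on 0.0.0.0:22 and 10.0.0.10:80 are.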