LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Old 02-05-2004, 12:19 PM   #16
benjithegreat98
Senior Member
 
Registered: Dec 2003
Location: Shelbyville, TN, USA
Distribution: Fedora Core, CentOS
Posts: 1,019

Rep: Reputation: 45

With RH9, sendmail was the default, and I am almost positive it was running by default. I forgot if FC1 had it going by default, but it seems like it was.
 
Old 02-05-2004, 01:01 PM   #17
witeshark
Member
 
Registered: Jan 2004
Location: Miami FL
Distribution: Mac OS X 10.4.11 Ubuntu 12.04 LTS
Posts: 429

Rep: Reputation: 30
Out of curiosity, I'm gonna find out. Just e-mailed KDE Kmail maintainer that question.
 
Old 02-05-2004, 01:09 PM   #18
witeshark
Member
 
Registered: Jan 2004
Location: Miami FL
Distribution: Mac OS X 10.4.11 Ubuntu 12.04 LTS
Posts: 429

Rep: Reputation: 30
KMail is not supposed to be run as root. (dnaber, 2002-11-13)
Many systems prohibit the access to the root mail account via pop3 protocol. Tip: If you want / have to read the mail of root let the mailsystem forward the mail to your user account by adding the file ~/.forward to root's home directory. The content of this file should be your email address. (Ferdinand Gassauer, 2001-03-20)
http://kmail.kde.org/security.html
There we are.
 
Old 02-05-2004, 01:39 PM   #19
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
Sendmail is on by default, but it's configured to only send outgoing mail and transfer messages from localhost. The user has to edit the sendmail config in order to have it bound to an external IP and accept remote connections.
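
Added example, not part of the original post: a way to check after an install whether a daemon such as sendmail listens only on loopback or on an externally reachable address, by parsing the kernel's `/proc/net/tcp` table. The sample table is constructed for illustration, a little-endian (x86) host is assumed, and only IPv4 is covered (`/proc/net/tcp6` is not parsed).

```python
import ipaddress
import struct

# Constructed sample in /proc/net/tcp layout (not captured from a real host):
# port 25 on 127.0.0.1, ports 111 and 22 on 0.0.0.0, plus one established
# connection that must be ignored.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0019 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1201 1
   1: 00000000:006F 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1105 1
   2: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1310 1
   3: 0A00000A:0016 0200000A:C001 01 00000000:00000000 00:00000000 00000000     0        0 1422 1
"""

TCP_LISTEN = 0x0A  # value of the "st" column for a listening socket


def decode_endpoint(field):
    """Decode 'HEXIP:HEXPORT'. The address is a host-byte-order 32-bit word;
    little-endian (x86) is assumed here."""
    hex_ip, hex_port = field.split(":")
    addr = ipaddress.IPv4Address(struct.pack("<I", int(hex_ip, 16)))
    return addr, int(hex_port, 16)


def listening_sockets(text):
    """Return sorted (port, address, exposed) tuples for LISTEN sockets."""
    found = []
    for line in text.splitlines()[1:]:  # skip the header row
        cols = line.split()
        if len(cols) < 4 or int(cols[3], 16) != TCP_LISTEN:
            continue
        addr, port = decode_endpoint(cols[1])
        # Anything not bound to 127.0.0.0/8 can accept remote connections
        # unless a packet filter blocks it.
        found.append((port, str(addr), not addr.is_loopback))
    return sorted(found)


def exposed_ports(text):
    return [port for port, _, exposed in listening_sockets(text) if exposed]


if __name__ == "__main__":
    try:
        with open("/proc/net/tcp") as fh:  # live data on a Linux host
            data = fh.read()
    except OSError:
        data = SAMPLE_PROC_NET_TCP
    for port, addr, exposed in listening_sockets(data):
        print(f"{addr}:{port:<6}", "REMOTE-REACHABLE" if exposed else "loopback only")
```

In the constructed sample, port 25 is reported as loopback only, while 22 and 111 are bound to all interfaces.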
 
Old 02-05-2004, 01:59 PM   #20
chort
Senior Member
 
Registered: Jul 2003
Location: Silicon Valley, USA
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660

Rep: Reputation: 76
That must be a recent change then, because it certainly wasn't true when I installed it before. Oh well, at least they're learning.
 
Old 02-05-2004, 03:27 PM   #21
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
Slowly but surely I guess. Hopefully they'll turn off some of the other crap like Portmapper and NFS in the default config as well. To be fair though, most of the other Linux distros are just as bad as Redhat. The few exceptions would probably be hardened, security-oriented distros.
 
Old 02-05-2004, 03:46 PM   #22
stickman
Senior Member
 
Registered: Sep 2002
Location: Nashville, TN
Posts: 1,552

Rep: Reputation: 53
Quote:
Originally posted by Capt_Caveman
Sendmail is on by default, but it's configured to only send outgoing mail and transfer messages from localhost. The user has to edit the sendmail config in order to have it bound to an external IP and accept remote connections.
If I remember correctly, the lockdown to localhost was introduced in RH8.
 
Old 02-05-2004, 10:03 PM   #23
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
Hey, congrats on 1k stickman!
 
Old 02-06-2004, 07:22 AM   #24
stickman
Senior Member
 
Registered: Sep 2002
Location: Nashville, TN
Posts: 1,552

Rep: Reputation: 53
Thanks. I didn't even notice.
 
Old 02-07-2004, 10:12 AM   #25
frogman
Member
 
Registered: Sep 2003
Distribution: Mandrake, Slack, Debian and PicoBSD
Posts: 181

Rep: Reputation: 31
Quote:
Originally posted by benjithegreat98
I agree with what you said, frogman, except for the above statement. The first thing I do when I install an OS is turn off the unnecessary net services. Windows or Linux. Install RedHat or FC and see what is running. It is definitely not a "bare bones" setup. I would say at the very least, ssh is running on almost any distro. Not everyone needs ssh. I see sendmail running already on most of them.
Ok statement qualified: almost none

I know Slack and Debian have unwanted services running at first boot, but it's ages since I looked at Red Hat. The distro I install the most is Mandrake 9.1 (because it has a high initial success rate on $random_laptop_hardware IME).

Specifically, towards the end of the installer, you're prompted (if you've selected server x, y and z), that they're on by default and is this OK. Then (about two screens later) it gives you a list of services that will run on boot which you can toggle on or off.

The only running service you can't change / stop listening before the first boot is the X-server which (IIRC) only listens on the loopback and is blocked by netfilter. SSH isn't installed by default, nor is sendmail.

So, very distro-specific, but for where I install it, it's easier to stop X listening on the loopback than to harden Win2K / XP on umpteen laptops.
 
Old 02-07-2004, 03:45 PM   #26
benjithegreat98
Senior Member
 
Registered: Dec 2003
Location: Shelbyville, TN, USA
Distribution: Fedora Core, CentOS
Posts: 1,019

Rep: Reputation: 45
I was speaking in general terms. I am fully aware that *nix is easier to harden than a Windows machine. Believe me, no argument there. But just about every Linux install (I'm sure there are other exceptions than the one you mentioned, too) will have unnecessary services running. I did install Mandrake 9.1 one time, and I admit, I did forget that it does give you the option at install to toggle off unnecessary services. Maybe, when I said sendmail was running on most of them it should have said "some" of them. But anyways, the point I was trying to make is that, in general, Linux is not necessarily in a secure state after the installation.
 
Old 02-09-2004, 02:51 PM   #27
sick-o-windoze
Member
 
Registered: Nov 2003
Distribution: ubuntu 5.10
Posts: 84

Rep: Reputation: 15
Quote:
Originally posted by frogman
I'd take a clueful windows admin over a newbie linux guy any day.

Are there still clueful windoze admins about? I work for a HUGE services company and it took them 10 days to respond to a "can I get read access to \\server\foo to download my new project?" When they did respond, they said "are you running XP or 2K?" WTF? Hey, after 1 day I just found someone else to get it for me. BTW, this is the shortest story, not the worst story.

Prior to this, most of the big companies I did business with had admin staffs that were so lacking in knowledge that their managers were frightened to death of touching the servers. They might as well have run on black magic voodoo for all they knew. Tell them they needed a vital security patch and they would hem and haw for weeks trying to avoid having any problems blamed on them.

And yes, it is very easy to programmatically raise the access level for exploits in windoze (you have to, to write a shutdown program), but so many people run as local admins anyway...the true open door is MS Office VBA exploits. Oh man, that's a fertile environment.
 
Old 02-09-2004, 04:59 PM   #28
frogman
Member
 
Registered: Sep 2003
Distribution: Mandrake, Slack, Debian and PicoBSD
Posts: 181

Rep: Reputation: 31
Quote:
Originally posted by sick-o-windoze
Are there still clueful windoze admins about?
I have 5. No clue = no job.

Quote:

I work for a HUGE services company and it took them 10 days to respond to a "can I get read access to \\server\foo to download my new project?"
maybe they don't like you? (joke)

Quote:
but so many people run as local admins anyway..
Not on my network - no-one runs as root / admin. Messing with your machine is just asking to be given a typewriter for a week. (Yes, it has been done, they deserved it and their line manager laughed when they complained to him).
 
Old 02-09-2004, 06:14 PM   #29
witeshark
Member
 
Registered: Jan 2004
Location: Miami FL
Distribution: Mac OS X 10.4.11 Ubuntu 12.04 LTS
Posts: 429

Rep: Reputation: 30
Cool

Quote:
Originally posted by sick-o-windoze
Are there still clueful windoze admins about? Oh man, that's a fertile environment.
Yes it is! I have plunged deep into my doz boxes - - but I am outa doz now but I still know a bit about it. The most useful tool I ever enjoyed was Zone Labs Zonealarm firewall. After that was how to work in the registry editor, sadly an -after the fact- deal.
 
Old 02-09-2004, 08:36 PM   #30
chort
Senior Member
 
Registered: Jul 2003
Location: Silicon Valley, USA
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660

Rep: Reputation: 76
Quote:
Originally posted by sick-o-windoze
Are there still clueful windoze admins about?
More than you might think. My job description is installing hardware/software for enterprises, so I see more networks than most people. I'd say maybe 1 in 4 or 5 companies actually have pretty decent IT teams. OK, so the ratio is horrible, but that does mean there are a lot of people out there who know their stuff.

Possibly the most bizarre install I ever did was trying to show a guy how to use our software while he was RDP'ing into about 40 servers and installing the patch on them for the RPC/DCOM exploit, desperately trying to beat Lovesan/Blaster. Talk about overworked and underpaid.
 
  

