BCP from NANOG: turn it off
While the opsec docs are mostly about what CAN be set, not how things
SHOULD be set, one setting suggestion was made @ NANOG (by Jared
Mauch, thanks!) that deserves inclusion:

x.x.x Listening Services Should Be Off By Default

Requirement. Services that cause the device to listen for traffic
destined for itself SHOULD be off by default. The user SHOULD
have to take explicit actions to enable any such services.

Justification. Open ports have the potential to expose
vulnerabilities. The user, not the vendor, should decide which
services are required and what risks to accept. This will also
prevent systems from being compromised through the misuse of
services which the user was unaware were enabled.

Examples. If the device supports SSH, HTTP, telnet and SNMP, in the
default configuration they should all be disabled.

Warnings. None.

George M. Jones, | Spam is to email as decay particles are
JAPH | to nuclear waste.
gmj@pobox.com |
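
An added example, not part of the original message or of the opsec draft: a check of a factory-default device against the requirement above. It assumes the device can produce a listener listing in the style of Linux `ss -tuln`; the sample listing, the port-to-service map and the function names are constructed for illustration.

```python
# Added example: audit a device's listener table against the draft requirement.
# SAMPLE_SS is constructed output in the style of Linux `ss -tuln`.
SAMPLE_SS = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
tcp   LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
tcp   LISTEN 0      128    [::]:22            [::]:*
tcp   LISTEN 0      5      0.0.0.0:23         0.0.0.0:*
tcp   LISTEN 0      128    [::]:80            [::]:*
udp   UNCONN 0      0      0.0.0.0:161        0.0.0.0:*
"""

# Well-known ports for the services named in the draft's Examples paragraph.
SERVICES = {("tcp", 22): "ssh", ("tcp", 23): "telnet",
            ("tcp", 80): "http", ("udp", 161): "snmp"}

def parse_listeners(ss_output):
    """Return the set of (proto, port) pairs the device is listening on."""
    listeners = set()
    for line in ss_output.splitlines():
        fields = line.split()
        # Skip the header and anything that is not a listening/unconnected socket.
        if len(fields) < 5 or fields[1] not in ("LISTEN", "UNCONN"):
            continue
        proto = fields[0]
        port = fields[4].rsplit(":", 1)[1]   # handles 0.0.0.0:22 and [::]:22
        if port.isdigit():
            listeners.add((proto, int(port)))
    return listeners

def audit(ss_output, enabled_by_user=frozenset()):
    """List services listening without an explicit enable action by the user."""
    findings = []
    for proto, port in sorted(parse_listeners(ss_output)):
        name = SERVICES.get((proto, port), "unknown")
        if name not in enabled_by_user:
            findings.append(f"{name} ({proto}/{port})")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_SS):
        print("listening by default:", finding)
```

A device that meets the requirement yields an empty list when `enabled_by_user` is empty; listeners on ports outside the map are reported as `unknown` rather than ignored.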