On Tue, Feb 3, 2015 at 1:01 PM, Valeri Galtsev <galtsev at kicp.uchicago.edu> wrote:
>
>> Yes, computers and the way people access them are pretty much a
>> commodity now. If you are spending time building something exotic for
>> a common purpose, isn't that a waste?
>
> Do I have to take that people who are not sysadmins themselves just hate
> an existence of sysadmins?

No, I think there are better things for sysadmins to do than fix settings that should have had better defaults.

>> There are probably still people that take their cars apart to check
>> that they were assembled correctly too. But that doesn't mean that
>> things should not be shipped with usable defaults.
>
> No, I'm not the driver of my cars, I mean computers. I am a mechanic of
> racing car competition team, my cars go into competition, and the life of
> driver riding it depends on me having taken the whole mechanism apart, and
> making sure nothing breaks and kills driver and hundreds of spectators.

So don't you think it would be a good thing if the thing was built so it didn't break in the first place? That is, so nobody gets killed running it as shipped, even if they don't have your magical expertise?

> I really hate these car analogies. They are counter-productive. In your
> eyes my server is indeed a commodity, which I refuse to agree with pretty
> much like I refuse to join ipad generation. My ipad would be commodity,
> but I for one will never trust that ipad and will not originate connection
> to secure box from it.

The point I'm trying to make is that whatever setting you might make on one computer regarding security would probably be suitable for a similar computer doing the same job in some other company. And might as well have been the default or one of a small range of choices. And in particular, rate limiting incorrect password attempts and/or providing notifications about them by default would not be a bad thing. Unless there's some reason you need brute-force attacks to work...

--
Les Mikesell
lesmikesell at gmail.com
On Tue, 2015-02-03 at 13:15 -0600, Les Mikesell wrote:
> No, I think there are better things for sysadmins to do than fix
> settings that should have had better defaults.

How can any SysAdmin (= System Administrator) administer something he or she is uncertain about? The job of any system administrator is to poke their nose in and ensure everything is absolutely fine. Not looking and not checking cannot provide the necessary reassurance that everything is absolutely fine *AND SAFE*.

--
Regards,
Paul.
England, EU.
Je suis Charlie.
On Tue, Feb 3, 2015 at 11:15 AM, Les Mikesell <lesmikesell at gmail.com> wrote:
> On Tue, Feb 3, 2015 at 1:01 PM, Valeri Galtsev <galtsev at kicp.uchicago.edu> wrote:
>>

Perhaps the Simplified Linux Server Special Interest Group http://wiki.centos.org/SpecialInterestGroup/SLS could benefit from contributions from each of you?
On Tue, February 3, 2015 1:15 pm, Les Mikesell wrote:
> On Tue, Feb 3, 2015 at 1:01 PM, Valeri Galtsev
> <galtsev at kicp.uchicago.edu> wrote:
>>
>>> Yes, computers and the way people access them are pretty much a
>>> commodity now. If you are spending time building something exotic for
>>> a common purpose, isn't that a waste?
>>
>> Do I have to take that people who are not sysadmins themselves just hate
>> an existence of sysadmins?
>
> No, I think there are better things for sysadmins to do than fix
> settings that should have had better defaults.

Disagree. Ensuring the security of the box is the sysadmin's duty. It is in the job description. Job to be done.

>>> There are probably still people that take their cars apart to check
>>> that they were assembled correctly too. But that doesn't mean that
>>> things should not be shipped with usable defaults.
>>
>> No, I'm not the driver of my cars, I mean computers. I am a mechanic of
>> racing car competition team, my cars go into competition, and the life of
>> driver riding it depends on me having taken the whole mechanism apart, and
>> making sure nothing breaks and kills driver and hundreds of spectators.
>
> So don't you think it would be a good thing if the thing was built so
> it didn't break in the first place? That is, so nobody gets killed
> running it as shipped, even if they don't have your magical expertise?

I regret I let myself be dragged into the car analogy. Once again, I'm not "driving" my machines.

>> I really hate these car analogies. They are counter-productive. In your
>> eyes my server is indeed a commodity, which I refuse to agree with pretty
>> much like I refuse to join ipad generation. My ipad would be commodity,
>> but I for one will never trust that ipad and will not originate connection
>> to secure box from it.
>
> The point I'm trying to make is that whatever setting you might make
> on one computer regarding security would probably be suitable for a
> similar computer doing the same job in some other company. And might
> as well have been the default or one of a small range of choices.
> And in particular, rate limiting incorrect password attempts and/or
> providing notifications about them by default would not be a bad
> thing. Unless there's some reason you need brute-force attacks to
> work...

It is possible that the system vendor does what you call a better job. I do welcome, e.g., the "--hitcount" iptables option used in the firewall CentOS comes with. (But some may hate that, and I respect their demand for their boxes.) This doesn't mean I will not take a look into the configuration at least once, and add what I have "certified" to my kickstart file. This probably is where we diverge. I do not configure each and every box; I do the necessary job with one system class for each of the OS releases... --> kickstart, but minor tweaks may still be necessary depending on the particular tasks on the box.

Valeri

++++++++++++++++++++++++++++++++++++++++
Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247
++++++++++++++++++++++++++++++++++++++++
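As an added example, not code from the thread or from CentOS: the sliding-window check that Les's "rate limiting incorrect password attempts" and Valeri's iptables "--hitcount" both refer to, written in Python and run over constructed sshd log lines (hostname, addresses, PIDs and the assumed year 2015 are made up).

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample auth log lines (not from the thread); year assumed 2015.
SAMPLE_LOG = """\
Feb  3 13:01:02 host sshd[2101]: Failed password for root from 203.0.113.7 port 50122 ssh2
Feb  3 13:01:04 host sshd[2103]: Failed password for root from 203.0.113.7 port 50124 ssh2
Feb  3 13:01:05 host sshd[2105]: Failed password for invalid user admin from 203.0.113.7 port 50126 ssh2
Feb  3 13:01:07 host sshd[2107]: Failed password for root from 203.0.113.7 port 50128 ssh2
Feb  3 13:01:30 host sshd[2110]: Accepted publickey for valeri from 198.51.100.4 port 40000 ssh2
Feb  3 13:05:00 host sshd[2120]: Failed password for valeri from 198.51.100.4 port 40010 ssh2
Feb  3 13:09:00 host sshd[2130]: Failed password for valeri from 198.51.100.4 port 40012 ssh2
"""

# Matches only failed password attempts; "invalid user" is optional.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)"
)


def parse_ts(ts: str, year: int = 2015) -> datetime:
    # syslog timestamps carry no year; one is assumed so they can be compared.
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def find_bursts(log_text: str, seconds: int = 60, hitcount: int = 4) -> dict:
    """Return {source_ip: time at which it first crossed the threshold}.

    Same rule as iptables '-m recent --seconds N --hitcount M': a source
    trips when it has M or more failures inside any N-second window.
    """
    windows = defaultdict(deque)  # per-source timestamps still in the window
    tripped = {}
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue  # successful logins and unrelated lines do not count
        src, t = m["src"], parse_ts(m["ts"])
        q = windows[src]
        q.append(t)
        while (t - q[0]).total_seconds() > seconds:
            q.popleft()  # forget failures older than the window
        if len(q) >= hitcount and src not in tripped:
            tripped[src] = t  # this is where a notification would be sent
    return tripped
```

With the defaults, 203.0.113.7 trips on its fourth failure within a minute, while the two slow failures from 198.51.100.4 never do unless the window is widened.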
On Tue, February 3, 2015 1:37 pm, PatrickD Garvey wrote:
> On Tue, Feb 3, 2015 at 11:15 AM, Les Mikesell <lesmikesell at gmail.com>
> wrote:
>> On Tue, Feb 3, 2015 at 1:01 PM, Valeri Galtsev
>> <galtsev at kicp.uchicago.edu> wrote:
>>>
> Perhaps the Simplified Linux Server Special Interest Group
> http://wiki.centos.org/SpecialInterestGroup/SLS
> could benefit from contributions from each of you?

This sounds flattering, but no, I'm done with that, no noise from me here ;-) so... unless someone wants to pipe that. And improve the statements. And one can put his name under that. As at least what I was saying is so common knowledge IMHO.

Valeri

++++++++++++++++++++++++++++++++++++++++
Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247
++++++++++++++++++++++++++++++++++++++++