On Tue, February 3, 2015 1:15 pm, Les Mikesell wrote:
On Tue, Feb 3, 2015 at 1:01 PM, Valeri Galtsev galtsev@kicp.uchicago.edu wrote:
Yes, computers and the way people access them are pretty much a commodity now. If you are spending time building something exotic for a common purpose, isn't that a waste?
Do I have to take it that people who are not sysadmins themselves just hate the existence of sysadmins?
No, I think there are better things for sysadmins to do than fix settings that should have had better defaults.
Disagree. Ensuring the security of the box is the sysadmin's duty. It is in the job description. A job to be done.
There are probably still people that take their cars apart to check that they were assembled correctly too. But that doesn't mean that things should not be shipped with usable defaults.
No, I'm not the driver of my cars, I mean computers. I am a mechanic on a racing car competition team; my cars go into competition, and the life of the driver riding in it depends on me having taken the whole mechanism apart and making sure nothing breaks and kills the driver and hundreds of spectators.
So don't you think it would be a good thing if the thing was built so it didn't break in the first place? That is, so nobody gets killed running it as shipped, even if they don't have your magical expertise?
I regret I let myself be dragged into car analogy. Once again, I'm not "driving" my machines.
I really hate these car analogies. They are counter-productive. In your eyes my server is indeed a commodity, which I refuse to agree with, pretty much like I refuse to join the iPad generation. My iPad would be a commodity, but I for one will never trust that iPad and will not originate a connection to a secure box from it.
The point I'm trying to make is that whatever setting you might make on one computer regarding security would probably be suitable for a similar computer doing the same job in some other company. And might as well have been the default or one of a small range of choices. And in particular, rate limiting incorrect password attempts and/or providing notifications about them by default would not be a bad thing. Unless there's some reason you need brute-force attacks to work...
It is possible that the system vendor does what you call a better job. I do welcome, e.g., the "--hitcount" iptables option used in the firewall CentOS comes with. (But some may hate that, and I respect their demand for their boxes). This doesn't mean I will not take a look into the configuration at least once, and add what I have "certified" in my kickstart file. This probably is where we do diverge. I do not configure all and every box, I do the necessary job with one system class for each of the OS releases... --> kickstart, but minor tweaks may still be necessary depending on particular tasks on the box.
Valeri
++++++++++++++++++++++++++++++++++++++++
Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247
++++++++++++++++++++++++++++++++++++++++
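The "--hitcount" rate limiting discussed in the thread, as an added example that is not part of the original messages: a small Python model of how the iptables `recent` match decides on new connections. The rule pair in the comment, the list name `SSH`, the 60-second/4-hit thresholds and the sample traffic are assumptions constructed for illustration, not CentOS's shipped rules.

```python
from collections import defaultdict

# Assumed rule pair being modelled (list name, port and thresholds are illustrative):
#   iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --name SSH --set
#   iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --name SSH \
#            --update --seconds 60 --hitcount 4 -j DROP
PKT_LIST_TOT = 20  # xt_recent default: timestamps remembered per source address


class RecentList:
    """Model of one `recent` list: source address -> recent timestamps."""

    def __init__(self, seconds=60, hitcount=4):
        self.seconds = seconds
        self.hitcount = hitcount
        self.stamps = defaultdict(list)

    def _touch(self, src, now):
        self.stamps[src].append(now)
        del self.stamps[src][:-PKT_LIST_TOT]  # keep only the newest entries

    def new_connection(self, src, now):
        """Return 'ACCEPT' or 'DROP' for a NEW connection from src at time now."""
        self._touch(src, now)                      # rule 1: --set
        window_start = now - self.seconds
        hits = sum(1 for t in self.stamps[src] if t >= window_start)
        if hits >= self.hitcount:                  # rule 2: --update matched
            self._touch(src, now)                  # a match refreshes "last seen"
            return "DROP"
        return "ACCEPT"


def replay(events, **limits):
    """events: iterable of (time_in_seconds, source_ip). Returns verdicts in order."""
    fw = RecentList(**limits)
    return [(t, src, fw.new_connection(src, t)) for t, src in events]


# Constructed sample traffic: one source guessing every 5 s, one normal user.
GUESSER = [(t, "203.0.113.7") for t in range(0, 50, 5)]
USER = [(0, "198.51.100.20"), (300, "198.51.100.20"), (600, "198.51.100.20")]
# The guesser returns 61 s after its last attempt, once the 60 s window has emptied.
EVENTS = sorted(GUESSER + USER + [(106, "203.0.113.7")])

if __name__ == "__main__":
    for t, src, verdict in replay(EVENTS):
        print(f"{t:>4}s {src:<15} {verdict}")
```

The match counts new connections, not failed passwords, so legitimate automation that opens several sessions per minute from one address is dropped as well.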