On Tue, February 3, 2015 1:15 pm, Les Mikesell wrote: > On Tue, Feb 3, 2015 at 1:01 PM, Valeri Galtsev > <galtsev at kicp.uchicago.edu> wrote: >> >>> >>> Yes, computers and the way people access them are pretty much a >>> commodity now. If you are spending time building something exotic for >>> a common purpose, isn't that a waste? >> >> Do I have to take that people who are not sysadmins themselves just hate >> an existence of sysadmins? > > No, I think there are better things for sysadmins to do than fix > settings that should have had better defaults. Disagree. Ensure of security of the box is sysadmin's duty. It is in job description. Job to be done. > >>> There are probably still people that take their cars apart to check >>> that they were assembled correctly too. But that doesn't mean that >>> things should not be shipped with usable defaults. >>> >> >> No, I'm not the driver of my cars, I mean computers. I am a mechanic of >> racing car competition team, my cars go into competition, and the life >> of >> driver riding it depends on me having taken the whole mechanism apart, >> and >> making sure nothing breaks and kills driver and hundreds of spectators. > > So don't you think it would be a good thing if the thing was built so > it didn't break in the first place? That is, so nobody gets killed > running it as shipped, even it they don't have your magical expertise? I regret I let myself be dragged into car analogy. Once again, I'm not "driving" my machines. > >> I really hate these car analogies. They are counter-productive. In your >> eyes my server is indeed a commodity, which I refuse to agree with >> pretty >> much like I refuse to join ipad generation. My ipad would be commodity, >> but I for one will never trust that ipad and will not originate >> connection >> to secure box from it. > > The point I'm trying to make is that whatever setting you might make > on one computer regarding security would probably be suitable for a > similar computer doing the same job in some other company. And might > as well have been the default or one of a small range of choices. > And in particular, rate limiting incorrect password attempts and/or > providing notifications about them by default would not be a bad > thing. Unless there's some reason you need brute-force attacks to > work... It is possible that system vendor does what you call better job. I do welcome, e.g., "--hitcount" iptables option used in firewall CentOS comes with. (But some may hate that, and I respect their demand for their boxes). This doesn't mean I will not take a look into configuration at least once, and add what I have "certified" in my kickstart file. This probably is where we do diverge. I do not configure all end every box, I do necessary job with one system class for each of OS releases... --> kickstart, but minor tweaks may still be necessary depending on particular tasks on the box. Valeri ++++++++++++++++++++++++++++++++++++++++ Valeri Galtsev Sr System Administrator Department of Astronomy and Astrophysics Kavli Institute for Cosmological Physics University of Chicago Phone: 773-702-4247 ++++++++++++++++++++++++++++++++++++++++