1) 5.b. /etc/limits: "Here we set the default settings and a specific setting for the user kn. Limits are part of the sys-apps/shadow package. It is not necessary to set any limits in this file if you have disabled pam in make.conf or not configured PAM properly."
/etc/limits is used when you don't have /etc/security/limits.conf provided by PAM, so why shouldn't one use it with pam disabled?

2) 10.a. Apache
Listen 127.0.0.1
This will cause apache to be accessible *ONLY* from localhost... I don't think this is an intended behaviour...

3) 10.k. ssh
The same with sshd:
ListenAddress 127.0.0.1
The host will be unreachable from a remote client with this option.

Thanks,
Marco
With regards to 2 and 3, it is standard to only allow localhost connections as default. It does say: "#Make it listen on your ip" ...but what default is supposed to be provided? It's not like we know their external IP, is it? ;) This way, if a user just copies everything, they can still test the service and use it as a local development box. If they don't know that 127.0.0.1 is localhost, or what their own IP is, I don't personally think it's wise to open the service up for remote use. The default settings should be secure.
/etc/limits: Why not? Because as far as I know, nothing else will use it if PAM is disabled. Apache and ssh: those are just the defaults; you are obviously supposed to modify them for your own system...and we can't guess what those values should be. Not a bug, but you have made me review some stale security handbook files that I will shortly update. :)
mmm, I'm not sure about the apache/ssh things... how many people out there have more than one IP? I feel like for the default person setting up their system, neither line is of any real value.

As for 5.b, the logic seems to be inverted... this statement:
It is not necessary to set any limits in this file if you have disabled pam in make.conf or not configured PAM properly.
should probably read:
It is not necessary to set any limits in this file if you have enabled pam in make.conf.
(In reply to comment #3)
> mmm i'm not sure about the apache/ssh things ... how many people out there have
> more than one IP ? i feel like the default person setting up their system,
> neither line is of any real value
>
Hmm, maybe for sshd, in that people usually set it up for someone to login and help, but in the case of apache the default setup is fine. On a workstation, I feel it should default to localhost until the user changes it. Adding a note to mention that users should set their own IP does make sense, however.
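The thread turns on what `Listen 127.0.0.1` (Apache) and `ListenAddress 127.0.0.1` (sshd) actually expose. The script below is an added example, not part of the bug report or of the Gentoo security handbook: it reads the bind directives out of a config file and reports whether the daemon would be reachable from loopback only, from one specific address, or from every interface (which is also what both daemons do when the directive is absent). The sample config files it is run against in the usage at the bottom are constructed for the example; the directive names and address forms are the real ones for Apache and OpenSSH.

```shell
#!/bin/sh
# Added example (not from the bug thread or the handbook): classify the bind
# scope of Apache "Listen" and sshd "ListenAddress" directives.
# Output is one of: loopback (127.0.0.1/::1 only), specific (a named address),
# all (wildcard or port-only, Apache-style "Listen 80"), default (no directive
# present, which for both Apache and sshd means all interfaces).

# host_of TOKEN -> bare host from "host", "host:port", "[v6]:port" or "port"
host_of() {
    case "$1" in
        \[*\]*)  t=${1#\[}; echo "${t%%\]*}" ;;   # [::1]:80 -> ::1
        *:*:*)   echo "$1" ;;                    # bare IPv6 such as ::1
        *:*)     echo "${1%%:*}" ;;              # 127.0.0.1:80 -> 127.0.0.1
        *)       echo "$1" ;;                    # 0.0.0.0, a name, or a bare port
    esac
}

# listen_scope FILE DIRECTIVE -> prints the scope word described above.
# Commented-out lines are ignored; "ListenBacklog"/"ListenAddress" do not
# match a "Listen" query because a space must follow the directive name.
listen_scope() {
    file=$1; directive=$2
    tokens=$(grep -Ei "^[[:space:]]*${directive}[[:space:]]+" "$file" | awk '{print $2}')
    if [ -z "$tokens" ]; then
        echo default
        return 0
    fi
    scope=loopback
    for tok in $tokens; do
        h=$(host_of "$tok")
        case "$h" in
            127.0.0.1|::1|localhost) ;;                 # stays loopback
            0.0.0.0|::|'*'|'') scope=all; break ;;       # wildcard bind
            [0-9]*)
                # A bare number ("Listen 80") is port-only: Apache binds everything.
                if printf '%s' "$h" | grep -Eq '^[0-9]+$'; then
                    scope=all; break
                fi
                if [ "$scope" = loopback ]; then scope=specific; fi ;;
            *)  if [ "$scope" = loopback ]; then scope=specific; fi ;;
        esac
    done
    echo "$scope"
}

# Usage: ./listen_scope.sh /etc/ssh/sshd_config ListenAddress
#        ./listen_scope.sh /etc/apache2/httpd.conf Listen
if [ "$#" -ge 2 ]; then
    listen_scope "$1" "$2"
fi
```

Run against the handbook's suggested defaults, both files report `loopback`, which is the behaviour Marco observed: the service is only reachable from the machine itself until the user replaces the address with their own, or removes the directive entirely (`default`, i.e. all interfaces).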
Fixed with vapier's suggestions.