A security configuration question

A security configuration question

Post by Hog Ride » Wed, 08 Mar 2000 04:00:00



I'm using RH6.1 as a NAT between a DSL Internet connection and a private
network.  All the latest patches are applied periodically.  The machines on
the private network just need to use "standard" Internet services, such as
POP3, WWW, FTP, etc.  My Linux box is the private network's DNS.

Some configuration information is included below.  Have I missed anything?

Thanks.

Rider


on any
replies.

PSS:  This is attempt 2 to post (more ISP problems).  Sorry about any
duplications.  This belongs in c.o.l.security, but I can't seem to post
there.  If some kind person in c.o.l.networking would cross-post it for
me...  :)

Thanks again!

    * * * *

Services running:  Telnet, FTP, named

hosts.allow:
    ALL: 192.168.0.

hosts.deny:
    ALL: ALL

named.conf:
    options
    {
        <snip>
        allow-query
        {
            192.168.0/24;
            127.0.0.1;
        };
        <snip>
    };
    <snip>

ipchains config:
    ipchains -P forward DENY
    ipchains -A forward -s 192.168.0.0/24 -j MASQ
    /sbin/modprobe ip_masq_ftp


A security configuration question

Post by Tim Hayne » Wed, 08 Mar 2000 04:00:00




> on any replies.

Done

> PSS:  This is attempt 2 to post (more ISP problems).  Sorry about any
> duplications.  This belongs in c.o.l.security, but I can't seem to post
> there.  If some kind person in c.o.l.networking would cross-post it for
> me...  :)

It's already in c.o.l.s.

> I'm using RH6.1 as a NAT between a DSL Internet connection and a private
> network.  All the latest patches are applied periodically.  The machines
> on the private network just need to use "standard" Internet services,
> such as POP3, WWW, FTP, etc.  My Linux box is the private network's DNS.

> Some configuration information is included below.  Have I missed anything?

[]
I didn't see anything wrong with hosts.{allow,deny}, as long as you're
denying by default then allowing what you need, you'll be OK as far as
inetd+portmapper stuff goes.

> ipchains config:
>     ipchains -P forward DENY
>     ipchains -A forward -s 192.168.0.0/24 -j MASQ
>     /sbin/modprobe ip_masq_ftp

This is where you're missing something. Like, an
        ipchains -P input DENY
        ipchains -A input -p tcp -d 0.0.0.0/0.0.0.0 113 -i whateverinterface -j REJECT
and then something creative involving allowing packets without the SYN flag
set and logging incoming stuff that /does/ have SYN set. Oh, and allow DNS
over UDP as well. But that should just about suffice.

HTH :)

~Tim
--
| Geek Code: GCS dpu s-:+ a-- C++++ UBLUAVHSC++++ P+++ L++ E--- W+++(--) N++
| w--- O- M-- V-- PS PGP++ t--- X+(-) b D+ G e++(*) h++(*) r--- y-
| The sun is melting over the hills,         | http://www.glutinous.custard.org



A security configuration question

Post by Jean-Sebastien Morisse » Mon, 13 Mar 2000 04:00:00



> ipchains config:
>     ipchains -P forward DENY
>     ipchains -A forward -s 192.168.0.0/24 -j MASQ
>     /sbin/modprobe ip_masq_ftp

Well, you're kinda leaving yourself wide open to portscans, etc. I guess if
your Linux box isn't offering *anything* to the outside world, then you
might be ok. Personally, I don't take any chances, I firewall my external
interface.

There are several good rc.firewall scripts floating around, but (of course)
I tend to prefer mine. You can check it out at
<http://www.jsmoriss.dyndns.org/linux/rc.firewall>.

LateR!
js.
--

Personal Homepage <http://www.jsmoriss.dyndns.org/>
UNIX, the Internet, Homebrewing, Cigars, PCS, and other Fun Stuff...
This is Linux Country. On a quiet night you can hear Windows NT reboot!


NIS+ security questions/configuration

This has been an annoying, ongoing problem:

I am currently looking at implementing NIS+ within our organization, but I seem to be having
problems getting clear information regarding the security benefits/restrictions of using NIS+.
The main reference book I've been using is Ramsey's "All About Administering NIS+".  It's
written clearly but organized horribly (IMHO)!  I've also been using O'Reilly's "Practical UNIX
Security" as an introduction to aspects of encryption (DES as implemented by Secure RPC).

I've been under the impression that, within an NIS+ namespace, principals with DES credentials
can remotely log in to other NIS+ clients/servers without transmitting their password across the
Ethernet.  So far, when I've snooped the segment where these machines are located, I've seen
passwords transmitted in cleartext!  Am I misunderstanding the 'benefits' of Secure RPC and NIS+,
or am I not configuring my clients and servers correctly?  My ultimate goal is encryption of, at
least, the login aspect of a telnet session.

If anyone has any info on this, please send me your knowledge!  I've spent too many hours finding
a void on this subject!

I will summarize all responses I get.

TIA

David Shattuck
