> We will be bringing a unix server shortly that will have some
> confidential data on it that will be used in medical research.
> The system needs to be on the internet for distribution of the
> data to the various research organizations involved. In
> addition to the other security measures that will be
> taken, I am considering taking the system off-line or even
> shutting it down nights and weekends. I'ld like to hear some
> ideas on how you might go about automating this. An automtic
> shutdown at 5:00 is easy but I'm not sure about an automatic
> startup the next morning. If I just kill tcp/ip for the night
> I'm not sure which deamons to kill and restart the next day.
> Another possibility might be some firewall type of software
> that can disable all network traffic for certain hours.
> If you have any ideas please email them to:
Another possibilty is to use your tcp-wrappers. The way I
usually did that was to have two directories in /etc called
/etc/open, and /etc/closed with two sets of hosts.* files in
each directory. Cron would move the ones out at night that
closed things down considerably, and then the less restrictive
ones out during the week days. It provides the additional
benefit of logging what the heck is going on. Works like a charm
both during the week and weekend. This can effectively close
down ALL of the inet services as desired. It just depends on
how you configure it.
If you are worried about the residual security holes left in
sendmail, I would advise replacing it with qmail or vmail when
(if?) it becomes available. If you HAVE to run sendmail, at least
do it with the latest one with smrsh.
Turning the beast off on weekends works for me, but that may
or may not be an option depending on the people that you are
working with. I have a feeling they will scream *y *
if you do it. If the data is especially sensitive, I assume
they will just have to live with it. You will have a problem of
mail boomeranging during that time but that is only a problem if
you have lots of email going into the machine.
It is NOT a good idea to kill the inetd (/usr/sbin/inetd -s
on Sun/Solaris), but if that is what you want to do, just
- at night -
- at morning -
You will probably also have to kill /usr/sbin/rpcbind, and
several other daemons as well. I am assuming Sun/Solaris
given the group you posted to and where you are at. If this
is wrong, let me know. I do NOT consider the killing of these
daemons an effective method! Once you start to do this, things
can really get screwed up forcing s reboot to clear things up.
The wrappers approach is much simpler and less likely to cause
Henry Hertz Hobbit
PS Ask Pieter B. if he agrees with my method...