A security configuration question

A security configuration question

Post by Hog Ride » Mon, 06 Mar 2000 04:00:00



I'm using RH6.1 as a NAT between a DSL Internet connection and a private
network.  All the latest patches are applied periodically.  Some
configuration information is included below.  The machines on the private
network just need to use "standard" Internet services, such as POP3, WWW,
FTP, etc.  My Linux box is the private network's DNS.  Have I missed
anything?

Thanks!

Rider

PS:  I'm having ISP problems w/ my news server.  Please cc: me on any
replies.  Thanks again.

    * * * *

Services running:  Telnet, FTP, named

hosts.allow:
    ALL: 192.168.0.

hosts.deny:
    ALL: ALL

named.conf:
    options
    {
        <snip>
        allow-query
        {
            192.168.0/24;
            127.0.0.1;
        };
        <snip>
    };
    <snip>

ipchains config:
    ipchains -P forward DENY
    ipchains -A forward -s 192.168.0.0/24 -j MASQ
    /sbin/modprobe ip_masq_ftp


A security configuration question

Post by Luke » Tue, 07 Mar 2000 04:00:00


> ipchains config:
>     ipchains -P forward DENY
>     ipchains -A forward -s 192.168.0.0/24 -j MASQ
>     /sbin/modprobe ip_masq_ftp

Make it

    ipchains -A forward -i eth0 -s 192.168.0.0/24 -j MASQ

assuming eth0 is your external interface.  I would think that w/o the
interface specifier, crackers from the outside could spoof their address and
get at your internal computers.  Try to be as specific as you can with every
rule.  The Secret Service wouldn't say "okay guys, it's okay to let in a guy
if he's wearing jeans and a blue shirt."  Anyone could do that.  They'd say
jeans, blue shirt, black hair, 5'10", brown eyes, 170 lbs, etc.

Is this your entire firewall?  There's a lot left to do.  Head to
www.linux-firewall-tools.com to have a better one built by a script there.


A security configuration question

Post by Hog Ride » Wed, 08 Mar 2000 04:00:00


I'm using RH6.1 as a NAT between a DSL Internet connection and a private
network.  All the latest patches are applied periodically.  The machines on
the private network just need to use "standard" Internet services, such as
POP3, WWW, FTP, etc.  My Linux box is the private network's DNS.

Some configuration information is included below.  Have I missed anything?

Thanks.

Rider


on any
replies.

PSS:  This is attempt 2 to post (more ISP problems).  Sorry about any
duplications.  This belongs in c.o.l.security, but I can't seem to post
there.  If some kind person in c.o.l.networking would cross-post it for
me...  :)

Thanks again!

    * * * *

Services running:  Telnet, FTP, named

hosts.allow:
    ALL: 192.168.0.

hosts.deny:
    ALL: ALL

named.conf:
    options
    {
        <snip>
        allow-query
        {
            192.168.0/24;
            127.0.0.1;
        };
        <snip>
    };
    <snip>

ipchains config:
    ipchains -P forward DENY
    ipchains -A forward -s 192.168.0.0/24 -j MASQ
    /sbin/modprobe ip_masq_ftp


A security configuration question

Post by Tim Hayne » Wed, 08 Mar 2000 04:00:00




> on any replies.

Done

> PSS:  This is attempt 2 to post (more ISP problems).  Sorry about any
> duplications.  This belongs in c.o.l.security, but I can't seem to post
> there.  If some kind person in c.o.l.networking would cross-post it for
> me...  :)

It's already in c.o.l.s.

> I'm using RH6.1 as a NAT between a DSL Internet connection and a private
> network.  All the latest patches are applied periodically.  The machines
> on the private network just need to use "standard" Internet services,
> such as POP3, WWW, FTP, etc.  My Linux box is the private network's DNS.

> Some configuration information is included below.  Have I missed anything?

[]
I didn't see anything wrong with hosts.{allow,deny}, as long as you're
denying by default then allowing what you need, you'll be OK as far as
inetd+portmapper stuff goes.

> ipchains config:
>     ipchains -P forward DENY
>     ipchains -A forward -s 192.168.0.0/24 -j MASQ
>     /sbin/modprobe ip_masq_ftp

This is where you're missing something. Like, an
        ipchains -P input DENY
        ipchains -A input -p tcp -d 0.0.0.0/0.0.0.0 113 -i whateverinterface -j REJECT
and then something creative involving allowing packets without the SYN flag
set and logging incoming stuff that /does/ have SYN set. Oh, and allow DNS
over UDP as well. But that should just about suffice.

HTH :)

~Tim
--
| Geek Code: GCS dpu s-:+ a-- C++++ UBLUAVHSC++++ P+++ L++ E--- W+++(--) N++
| w--- O- M-- V-- PS PGP++ t--- X+(-) b D+ G e++(*) h++(*) r--- y-
| The sun is melting over the hills,         | http://www.glutinous.custard.org


A security configuration question

Post by Jean-Sebastien Morisse » Mon, 13 Mar 2000 04:00:00



> ipchains config:
>     ipchains -P forward DENY
>     ipchains -A forward -s 192.168.0.0/24 -j MASQ
>     /sbin/modprobe ip_masq_ftp

Well, you're kinda leaving yourself wide open to portscans, etc. I guess if
your Linux box isn't offering *anything* to the outside world, then you
might be ok. Personally, I don't take any chances, I firewall my external
interface.

There are several good rc.firewall scripts floating around, but (of course)
I tend to prefer mine. You can check it out at
<http://www.jsmoriss.dyndns.org/linux/rc.firewall>.

LateR!
js.
--

Personal Homepage <http://www.jsmoriss.dyndns.org/>
UNIX, the Internet, Homebrewing, Cigars, PCS, and other Fun Stuff...
This is Linux Country. On a quiet night you can hear Windows NT reboot!
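Added example, not code from any of the posters or from the scripts they link to: one rc.firewall for the setup in this thread that puts together Luke's interface-qualified MASQ rule, Tim's "input DENY" policy, ident REJECT, non-SYN accept, SYN logging and DNS-over-UDP points, and Jean-Sebastien's point about firewalling the external interface. Only 192.168.0.0/24 comes from the original post; eth0 as the DSL side, eth1 as the LAN side and 203.0.113.10 as the external address are assumptions, and the 192.0.2.x hosts in the probes are made-up outside addresses. The script takes one argument: "preview" prints the rules without touching the kernel (it points IPCHAINS at echo), "apply" loads them, and "check" walks a few synthetic packets through the loaded chains with ipchains -C so you can see the spoofed and inbound ones refused.

```shell
#!/bin/sh
# rc.firewall for a 2.2-kernel (RH6.1) ipchains NAT box.  Added example, not
# code from the thread.  Interface names and EXT_IP are assumptions; the LAN
# range is the one from the original post.
EXT_IF=${EXT_IF:-eth0}           # assumed: DSL side
INT_IF=${INT_IF:-eth1}           # assumed: LAN side
EXT_IP=${EXT_IP:-203.0.113.10}   # assumed: stand-in for the DSL address
INT_NET=192.168.0.0/24           # from the post
IPCHAINS=${IPCHAINS:-/sbin/ipchains}

fw_rules() {
    $IPCHAINS -F
    $IPCHAINS -P input DENY        # nothing reaches the box unless listed below
    $IPCHAINS -P forward DENY      # nothing crosses the box unless listed below
    $IPCHAINS -P output ACCEPT

    # The box itself and the LAN side are trusted; tcp_wrappers still gates
    # telnet/ftp by source address on top of this.
    $IPCHAINS -A input -i lo -j ACCEPT
    $IPCHAINS -A input -i $INT_IF -s $INT_NET -j ACCEPT

    # Anti-spoofing: our own addresses must never arrive on the DSL side.
    # The bare "-s 192.168.0.0/24 -j MASQ" rule relied on nobody else doing this.
    $IPCHAINS -A input -i $EXT_IF -s $INT_NET -j DENY -l
    $IPCHAINS -A input -i $EXT_IF -s 127.0.0.0/8 -j DENY -l
    $IPCHAINS -A input -i $EXT_IF -s $EXT_IP -j DENY -l

    # ident (113): REJECT rather than DENY so remote mail/IRC servers get an
    # immediate refusal instead of stalling on a timeout.
    $IPCHAINS -A input -i $EXT_IF -p tcp -d $EXT_IP 113 -j REJECT

    # TCP without SYN is part of a connection somebody on our side opened.
    $IPCHAINS -A input -i $EXT_IF -p tcp ! -y -d $EXT_IP -j ACCEPT

    # DNS answers for named on this box.  Any remote port 53 may answer on any
    # local port; tighten to "-d $EXT_IP 53" once query-source is pinned in named.conf.
    $IPCHAINS -A input -i $EXT_IF -p udp -s 0/0 53 -d $EXT_IP -j ACCEPT

    # Replies to masqueraded UDP sessions from the LAN land on the masq port
    # range (61000-65095 on 2.2 kernels) and are demasqueraded after "input".
    $IPCHAINS -A input -i $EXT_IF -p udp -d $EXT_IP 61000:65095 -j ACCEPT

    # Only the ICMP needed for path MTU, traceroute and ping replies.
    for t in destination-unreachable time-exceeded echo-reply; do
        $IPCHAINS -A input -i $EXT_IF -p icmp --icmp-type $t -d $EXT_IP -j ACCEPT
    done

    # Anything else that tries to open a connection is logged, then dropped.
    $IPCHAINS -A input -i $EXT_IF -p tcp -y -j DENY -l
    $IPCHAINS -A input -i $EXT_IF -j DENY -l

    # Masquerade only LAN traffic that is on its way out the DSL interface.
    # In the forward chain "-i" names the interface the packet will leave on.
    $IPCHAINS -A forward -i $EXT_IF -s $INT_NET -j MASQ
}

# ipchains -C walks a synthetic packet through a chain and prints the verdict
# (accepted, denied, rejected, masqueraded).  The first three must be refused,
# the last one must come back as masqueraded.
fw_check() {
    $IPCHAINS -C input -i $EXT_IF -p tcp -s 192.0.2.7 40000 -d $EXT_IP 23 -y        # telnet from outside
    $IPCHAINS -C input -i $EXT_IF -p tcp -s 192.168.0.9 40000 -d $EXT_IP 23 -y      # spoofed LAN source
    $IPCHAINS -C forward -i $INT_IF -p tcp -s 192.0.2.7 40000 -d 192.168.0.9 139 -y # inbound forward
    $IPCHAINS -C forward -i $EXT_IF -p tcp -s 192.168.0.9 40000 -d 192.0.2.7 80 -y  # LAN going out
}

case "${1:-preview}" in
    apply)   /sbin/modprobe ip_masq_ftp; fw_rules ;;
    check)   fw_check ;;
    preview) IPCHAINS=echo; fw_rules ;;
    *)       echo "usage: $0 apply|check|preview" >&2; exit 2 ;;
esac
```

The order inside "input" matters: the anti-spoof DENYs sit above the "! -y" accept, otherwise a forged 192.168.0.x packet with ACK set would be let through as a reply. The DNS rule is the loosest line in the set, which is why the comment points at query-source; and "check" is worth running after every edit, since ipchains -C tests the chains the kernel actually has rather than the ones you think you loaded.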

