Re: [Sheflug] Security
On Sun, 03 Sep 2000, Craig Andrews wrote:
>I used this yesterday, and found the following ports were open
>to all:
>
>21 - FTP
>
>23 - Telnet

(1) /etc/inetd.conf and # are your friend

>25 - SMTP

(*) I suggest a firewall that disables connections to any privileged ports
unless you make a specific exception.

>79 - Finger

(1)

>80 - HTTP

See (*). But also turn off apache if you are not using it.

    chkconfig --del httpd
    /etc/rc.d/init.d/httpd stop

>110 - POP3

(1)

>113 - Ident

This is a tricky one. You _need_ ident if you plan to use IRC and also
many services you connect to will (pointlessly) do a quick ident lookup before
giving you what you're after (smtp or ftp etc etc). For that reason
blanket DENYing packets to port 113 is a mistake because you have to
wait for a timeout before you get access to the smtp/ftp/.. server.
So ideally you should default REJECT on this port and allow access
to the IPs of servers that insist on it. Personally I leave it open.

I wrote something at http://www.noether.freeserve.co.uk/secure.html
but note that these are simple precautions for a normal dial-up user rather than
for a server.
atb
Martin
--
http://www.shef.ac.uk/~pm1mph
---------------------------------------------------------------------
Sheffield Linux User's Group - http://www.sheflug.co.uk
To unsubscribe from this list send mail to
- <sheflug-request [at] vuw.ac.nz> - with the word
"unsubscribe" in the body of the message.
GNU the choice of a complete generation.
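
Added example, not part of the original message: a shell illustration of the "/etc/inetd.conf and #" advice marked (1) above, listing the services inetd would start and commenting out the named ones. The sample inetd.conf is constructed, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: audit an inetd.conf and comment out unwanted services.
# sample_conf prints a CONSTRUCTED file; a real host uses /etc/inetd.conf.
# Function names here are hypothetical, chosen for this illustration.

sample_conf() {
cat <<'EOF'
# constructed sample in classic inetd.conf layout
ftp     stream  tcp  nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp  nowait  root    /usr/sbin/tcpd  in.telnetd
finger  stream  tcp  nowait  root    /usr/sbin/tcpd  in.fingerd
pop-3   stream  tcp  nowait  root    /usr/sbin/tcpd  ipop3d
auth    stream  tcp  nowait  nobody  /usr/sbin/in.identd in.identd
#shell  stream  tcp  nowait  root    /usr/sbin/tcpd  in.rshd
EOF
}

# Print the service name of every active (non-blank, non-comment) entry.
inetd_enabled() {
    awk 'NF && $1 !~ /^#/ { print $1 }' "$1"
}

# Print a copy of file $1 with the services named in $2.. commented out.
# Lines that are already comments are left untouched.
inetd_disable() {
    conf=$1; shift
    awk -v list="$*" '
        BEGIN { n = split(list, a, " "); for (i = 1; i <= n; i++) off[a[i]] = 1 }
        NF && $1 !~ /^#/ && ($1 in off) { print "#" $0; next }
        { print }
    ' "$conf"
}

# Demo on the constructed sample. "auth" (ident, port 113) is left enabled.
tmp=$(mktemp)
sample_conf > "$tmp"
echo "enabled before: $(inetd_enabled "$tmp" | paste -sd, -)"
inetd_disable "$tmp" ftp telnet finger pop-3 > "$tmp.new"
echo "enabled after:  $(inetd_enabled "$tmp.new" | paste -sd, -)"
rm -f "$tmp" "$tmp.new"
# On a real system, inetd re-reads its configuration on SIGHUP.
```

The script writes the edited copy to standard output rather than changing the file in place, so the result can be reviewed with diff before it replaces the original.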