
Re: [Sheflug] Security



Martin P Holland wrote:
> 
> On Sun, 03 Sep 2000, Craig Andrews wrote:
> >I used this yesterday, and found the following ports were open
> >to all:
> >
> >21 - FTP
> >
> >23 - Telnet

 If you do need to connect to your box, set up ssh (version 1.x.xx or
OpenSSH) and use ipchains or tcp wrappers (/etc/hosts.allow|deny) to
only allow connections from trusted IP addresses (i.e. your network and
maybe a work IP if you need it).
 Shut telnet down altogether.
 FTP can be shut off too, and scp (Secure CoPy that comes with ssh) can
be used to copy files and directories, or again edit /etc/hosts.allow
and /etc/hosts.deny and/or use ipchains to restrict connections.

> (1) /etc/inetd.conf and # are your friend
> 
> >25 - SMTP
> 
> (*) I suggest a firewall that disables connections to any privileged ports
> unless you make a specific exception.
> 
> >79 - Finger
> 
> (1)
> 
> >80 - HTTP
> 
> See (*) But also turn off apache if you are not using it.
> chkconfig --del httpd
> /etc/rc.d/init.d/httpd stop
> 

 Also edit your startup scripts (or use the setup command on a RH
system) to ensure that everything else you don't want (i.e. sendmail,
atd, portmap, apmd, nfs, yp services, smb) doesn't start again at the
next reboot.
 I don't run too many things on my box.

 Baz.

 To reuse an old phrase: just because you aren't paranoid, doesn't mean
they're not out to get you :-)

--
Barrie J. Bremner

Email:     TheEnglishman [at] ecosse.net
           (PGP public key available at pgp.mit.edu)

URL:       http://www.geocities.com/thefatenglishman

Telephone: UK 01672 811246
Mobile:    UK 07968 792975

 Help Micro$oft wipe out piracy - get Linux.
---------------------------------------------------------------------
Sheffield Linux User's Group - http://www.sheflug.co.uk
To unsubscribe from this list send mail to
- <sheflug-request [at] vuw.ac.nz> - with the word 
 "unsubscribe" in the body of the message. 

  GNU the choice of a complete generation.
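
Added example, not part of the original post: a small shell audit for the two checks discussed in the thread, which inetd.conf services are still uncommented and whether hosts.deny carries a default-deny rule. The function names and the sample inetd.conf are constructed for illustration.

```shell
#!/bin/sh
# Hypothetical helpers; names and sample data are constructed for this example.

# audit_inetd FILE: one line per service still enabled (not commented out).
# The cleartext services named in the thread (ftp, telnet, finger) are flagged.
audit_inetd() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }   # "#" lines and blanks are disabled
        {
            if ($1 == "ftp" || $1 == "telnet" || $1 == "finger")
                print "FLAG " $1
            else
                print "OK " $1
        }
    ' "$1"
}

# count_flagged FILE: number of flagged services that are still enabled.
count_flagged() {
    audit_inetd "$1" | awk '/^FLAG / { n++ } END { print n + 0 }'
}

# has_default_deny FILE: succeeds if a hosts.deny-style file contains
# "ALL: ALL", so only entries listed in hosts.allow are let through.
has_default_deny() {
    grep -Eiq '^[[:space:]]*ALL[[:space:]]*:[[:space:]]*ALL' "$1"
}

# write_sample_inetd FILE: constructed sample with telnet already commented out.
write_sample_inetd() {
    cat > "$1" <<'EOF'
# constructed sample inetd.conf
ftp     stream  tcp  nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
#telnet stream  tcp  nowait  root    /usr/sbin/tcpd  in.telnetd
finger  stream  tcp  nowait  nobody  /usr/sbin/tcpd  in.fingerd
auth    stream  tcp  wait    root    /usr/sbin/in.identd in.identd
EOF
}

# Demo on the constructed sample.
demo=$(mktemp) && write_sample_inetd "$demo" && audit_inetd "$demo"
rm -f "$demo"
```

On a real system, pass /etc/inetd.conf and /etc/hosts.deny as the file arguments.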