Re: Firewalling

2000-03-30 Thread Kevin
First of all I'd like to thank everyone for pretty much supporting my
opinion of the whole matter.  I didn't feel that blocking end user ports for
them was good practice.  And I'd also like to say that I totally agree with
this statement from elyograg: "You'd be better off spending the money on
overtime for the administrator(s) than firewall software and/or hardware."
As I'm the admin I think it's got a lot of valor.  Anyway, can anyone
recommend any books or sites that could help me in adding the ACLs to the
Cisco?

Thanks again,

Kevin



Re: Easier administration (similar to Linuxconf)

2000-03-30 Thread Mailing List
Well... it's true... if people wrote enough modules for Linuxconf, then it
could, theoretically, have functionality similar to Cobalt servers.

However... even if you don't have all those modules, at least standardize
on some common tools, and make the functionality similar, if not better,
than Cobalt servers. I know Cobalt servers don't have exim and smail,
zmailer, etc. ... only sendmail (by default, afaik). And that allows them
to make the interface and everything work PROPERLY and FULLY with just that
server. If someone wrote something like that, and they said "either use
Apache, Sendmail, webalizer and majordomo, or don't use Linuxconf", I
wouldn't have a beef. You can't expect people to write a module for
everything under the sun. But at least get the few modules really working
with full customization.

I hope you guys know what I mean. I don't expect it to work with
everything. But get something working like Cobalt servers... only a few
package options, but those packages, once installed, can be fully
customized easily, and the configs can be distributed to many servers
easily, without hassle and fuss.

I'd be willing to help out a bit if someone shared the same philosophy as I
do :-)

Oh.. and I know I could do this all with scripts, write it all myself, but
that's not the point. I mean... I don't admin hundreds of servers... but it's
enough to make manually configuring each a time consuming hassle. If
something is already out there, why would I need to write scripts? Why not
pool all our efforts towards one project and get it working properly? :-)

Jason.


- Original Message -
From: "I. Forbes" <[EMAIL PROTECTED]>
To: ; "Mailing List" <[EMAIL PROTECTED]>
Sent: Thursday, March 30, 2000 8:40 PM
Subject: Re: Easier administration (similar to Linuxconf)


> Hello All
>
> On 29 Mar 00, at 16:20, Smoerk wrote:
>
> > > You know the "web-enabled" administration software used by Cobalt
> > > servers?
> > > I was wondering if anything for Linux (and hopefully debianized) was
> > > similar?
> >
> > Maybe Webmin (www.webmin.com)?
> > But why don't you write some scripts, which setup a default
> > configuration? A config tool is not faster than doing the same in the
> > config files. It's easier, but not faster.
>
> I have also been thinking about this problem for a while. Specifically
> I would like an interface to allow the following.
>
> Users to do things like:
>
> - change passwords
> - change their ".forward" file settings.
>
> And a semi privileged non-root administrator to:
>
> - add and delete users
> - change other users passwords (but not root password)
> - view other users' mail
> - edit /etc/aliases
>
> I have looked at Linuxconf and Webmin.  Linuxconf seems to be
> overkill and too experimental (especially on Debian) to let loose on
> semi-skilled admins.  Webmin seemed to climb in and edit files
> without any regard for standard system tools. I had a look at the
> coding of an early version and decided to leave it.  It may be better
> by now.
>
> My idea was to find or write simple console based, but menu driven
> tools for doing these tasks.  These could be accessed from the
> linux console, telnet, xterm or from a web page via the java telnet
> client.
>
> It has the major advantage over Linuxconf and Webmin in that
> everything that runs on the Linux box runs under the user's own uid,
> which is much simpler to secure than anything that works off a www
> interface and runs suid root.
>
> Has anybody got any console based, menu driven scripts to start
> with?
>
> -
> Ian Forbes ZSD
> http://www.zsd.co.za
> Office: +27 +21 683-1388  Fax: +27 +21 64-1106
> Snail Mail: P.O. Box 46827, Glosderry, 7702, South Africa
> -
>



Re: mod_ssl help

2000-03-30 Thread Tamas TEVESZ
On Thu, 30 Mar 2000, Jaume Teixi wrote:

> Once I have the mod_ssl and openssl packages, where can I find the
> step-by-step procedure for building SSL into my Apache?

www.modssl.org has nice documentation.

-- 
[-]
kazmer at any cost !



mod_ssl help

2000-03-30 Thread Jaume Teixi
Once I have the mod_ssl and openssl packages, where can I find the
step-by-step procedure for building SSL into my Apache?

thanks


Re: Easier administration (similar to Linuxconf)

2000-03-30 Thread I. Forbes
Hello All

On 29 Mar 00, at 16:20, Smoerk wrote:

> > You know the "web-enabled" administration software used by Cobalt servers?
> > I was wondering if anything for Linux (and hopefully debianized) was
> > similar?
> 
> Maybe Webmin (www.webmin.com)?
> But why don't you write some scripts, which setup a default
> configuration? A config tool is not faster than doing the same in the
> config files. It's easier, but not faster.

I have also been thinking about this problem for a while. Specifically 
I would like an interface to allow the following.

Users to do things like:

- change passwords 
- change their ".forward" file settings.

And a semi privileged non-root administrator to: 

- add and delete users
- change other users passwords (but not root password)
- view other users' mail
- edit /etc/aliases 

I have looked at Linuxconf and Webmin.  Linuxconf seems to be
overkill and too experimental (especially on Debian) to let loose on
semi-skilled admins.  Webmin seemed to climb in and edit files
without any regard for standard system tools. I had a look at the
coding of an early version and decided to leave it.  It may be better
by now.

My idea was to find or write simple console based, but menu driven 
tools for doing these tasks.  These could be accessed from the 
linux console, telnet, xterm or from a web page via the java telnet 
client.

It has the major advantage over Linuxconf and Webmin in that
everything that runs on the Linux box runs under the user's own uid,
which is much simpler to secure than anything that works off a www
interface and runs suid root.

Has anybody got any console based, menu driven scripts to start 
with?

-
Ian Forbes ZSD
http://www.zsd.co.za
Office: +27 +21 683-1388  Fax: +27 +21 64-1106
Snail Mail: P.O. Box 46827, Glosderry, 7702, South Africa
-
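Ian's design point is that a tool running under the user's own uid needs no suid-root front end: the filesystem permissions already bound what it can touch. The console editor below for a user's own .forward, added here as an example and not code from the list or from any project, shows what that looks like in practice: it refuses to run as root, accepts only plain mailbox addresses (so a typo cannot bounce all of a user's mail), replaces the file atomically and leaves it mode 0600, which sendmail requires before it will honour a .forward. The menu prompts, the address syntax accepted and the sample inputs are assumptions made here.

```python
"""Self-service ~/.forward editor that runs as the mailbox owner.

Added example for this thread (not list or project code). Assumptions: one
address per line in .forward, sendmail-style "\\user" escapes, no pipes or
file paths accepted from the menu.
"""
import os
import re
import tempfile
from pathlib import Path

# Local user, user@host, or the \user escape that delivers a local copy without
# re-forwarding. Pipes ("|cmd"), file paths and shell metacharacters are rejected.
_ADDRESS = re.compile(r"^\\?[A-Za-z0-9._+-]+(@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)*)?$")


def parse_forward(text: str) -> list:
    """Split .forward contents (comma or newline separated) into entries, dropping comments."""
    parts = [p.strip() for p in re.split(r"[,\n]", text)]
    return [p for p in parts if p and not p.startswith("#")]


def validate_entries(entries) -> list:
    """Return the entries that are not plain mailbox addresses (empty list means all good)."""
    return [e for e in entries if not _ADDRESS.match(e)]


def read_forward(home) -> list:
    """Current forwarding targets for the account whose home directory is given."""
    path = Path(home) / ".forward"
    return parse_forward(path.read_text()) if path.exists() else []


def write_forward(home, entries, euid=None) -> Path:
    """Atomically replace ~/.forward (mode 0600); an empty list removes the file.

    Refuses to run as root: the tool must never hold more privilege than the
    user whose file it edits. `euid` is a parameter only so tests can pass one in.
    """
    euid = os.geteuid() if euid is None else euid
    if euid == 0:
        raise PermissionError("run this as the mailbox owner, not as root")
    bad = validate_entries(entries)
    if bad:
        raise ValueError("not a mailbox address: " + ", ".join(bad))
    home = Path(home)
    target = home / ".forward"
    if target.is_symlink():
        raise PermissionError(".forward is a symlink; refusing to follow it")
    if not entries:
        if target.exists():
            target.unlink()      # no .forward: mail stays in the local mailbox
        return target
    # Write beside the target, then rename, so delivery never sees a half-written file.
    fd, tmp = tempfile.mkstemp(prefix=".forward.", dir=home)
    with os.fdopen(fd, "w") as fh:
        fh.write("\n".join(entries) + "\n")
    os.chmod(tmp, 0o600)         # sendmail ignores group/world-writable .forward files
    os.replace(tmp, target)
    return target


def menu(home) -> None:
    """Minimal console menu; runs as whoever invoked it (assumed prompts)."""
    while True:
        current = read_forward(home)
        print("\nCurrent .forward:", ", ".join(current) or "(none: mail stays in local mailbox)")
        choice = input("[a]dd address, [c]lear forwarding, [q]uit: ").strip().lower()
        if choice == "q":
            return
        try:
            if choice == "c":
                write_forward(home, [])
            elif choice == "a":
                write_forward(home, current + [input("address: ").strip()])
        except (ValueError, PermissionError) as exc:
            print("rejected:", exc)


if __name__ == "__main__":
    menu(Path.home())
```

Reaching the editor over telnet, an xterm or the Java telnet client, as the post suggests, changes nothing in the tool: whatever uid the session holds is the only uid it can write with, which is exactly the property a suid-root web front end gives up.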



Debian package of bigwig 1.2

2000-03-30 Thread Stephane Bortzmeyer

In case someone is interested, I've made a Debian package of bigwig 1.2 here:

ftp://ftp.internatif.org/pub/debian/UNOFFICIAL/

Debian users can fetch it with apt or by hand.

BigWig is a really interesting tool to create interactive Web servers in a 
high-level fashion. It is free (GPL).




Re: Firewalling

2000-03-30 Thread elyograg
At 08:31 PM 3/29/2000 -0700, Kevin wrote:
> I'm not really sure if I should post this to the isp list or this one, but
> anyway.  I work for a fairly small ISP and the management told me they want
> me to put some sort of firewall in front of the router.  Actually their
> first idea was a firewall in front of the router, then one behind the
> router, then to the servers.  I'm curious what kind of effect having a
> firewalled router will have on the dialup customers as well as certain
> servers like a shell provider.  Also what would I firewall from the router.
> I don't want to really restrict any ports for end dialup users as I've had
> personal experience with this, and it can be a pain.  Any ideas, comments,
> or short poems about how great I am would be greatly appreciated.

First, a little full disclosure to point out the source of my Cisco 
bias:  I spent six months working on Cisco's Partner/Reseller presales 
line, and I now work in the SMB TAC, supporting the smaller IOS 
routers.  In addition to this, I keep a small ISP going, running Debian 
exclusively.

Note that the statements below only represent my opinion.  They are stated 
in a manner that suggests that they are cold hard facts, so I wanted to add 
this disclaimer. :)  They are also pretty much restatements of the last two 
replies to this message.

A Cisco router, even with a basic IP only feature set, can be locked down 
with access lists to a point of absurdity.  A single access list with a 
handful of lines can make it impossible to contact anything on the network 
except a few TCP servers, yet allow almost anything on the inside to get to 
the internet.

In general, firewalling in an ISP environment is a bad idea.  The whole 
idea of an ISP is open, unrestricted access to the Internet.  Aside from 
creating access lists to minimize IP spoofing, there are certain things an 
ISP may consider blocking on a near-global basis.  These include outbound 
SMTP, NetBIOS ports, and the like.  Even for these, it is usually best done 
directly on the access servers, not at the core.  It's the dialup users 
that you want to protect, and shield the 'net from. :)

The only exception to the general rule of no firewalling would be personal 
and administrative workstations - computers that need to access the servers 
and the internet, but have no reason to be accessed from the 
outside.  These ideally should use PAT/masquerading to a private network so 
that there is absolutely no possibility of direct outside contact -- but 
this doesn't require a firewall.  It can be done with a router, or with Linux.

If the administrators are doing their jobs, there's no need for a 
firewall.  Every server will have open ports for only those services that 
they actually need, and no others.  The daemons that serve those requests 
will be the most stable and secure versions that can be found, reasonably 
safe from attack.  Interaction between servers will be limited to only 
necessary connections from authorized addresses - NFS, DNS zone transfers, 
ssh, etc.  Shell access to each machine will be granted to only those 
administrators and/or users that actually require it, or have paid for 
it.  In other words, a security policy will be created and strictly enforced.

The summary:  You'd be better off spending the money on overtime for the 
administrator(s) than firewall software and/or hardware. :)  In a service 
provider setting, all a firewall really amounts to is either a band-aid for 
bad administration, or peace of mind for the suits.  And for that peace of 
mind, you can't beat a PIX. :)

--- gratuitous (and very bad) attempt at flattering poetry ---
Kevin is but a cog in the machine.
It's an important piece, though.
Please do not feed the fishes.
---
Thanks,
Shawn
--
It was only after their numbers had been reduced from 50 to 8 that the 
other 7 dwarves began to suspect Hungry of cannibalism.



Re: Firewalling

2000-03-30 Thread Chris Wagner
I think firewalls are overrated.  They only do anything if there are some
*unsecured* computers on your network that need protection.  It's better to
just lock down every machine; that way you're also protected from internal
attacks.  Really, the only thing I think that justifies them is port
blocking.  Your router can already do IP-based filtering.  Now how do you
decide what ports to block?  It turns out you have to be a little fascist
about it, because you're deciding for other people what ports they "should"
be using and which ones they "shouldn't".  Windows is an operating system
that probably does need protection though.


At 08:31 PM 3/29/00 -0700, Kevin wrote:
>router, then to the servers.  I'm curious what kind of effect having a
>firewalled router will have on the dialup customers as well as certain
>servers like a shell provider.  Also what would I firewall from the router.
>I don't want to really restrict any ports for end dialup users as I've had

You can have your firewall restrict ports on a per-IP basis.

+---+
|-=I T ' S  P R I N C I P L E  T H A T  C O U N T S=-   |
|=-  -=ALAN KEYES FOR PRESIDENT=- -=|
| Balanced Budgets Personal Freedoms Morality Lower Tax |
|=--  http://www.Keyes2000.com.  --=|
+---+
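Shawn's access-list sketch above (anti-spoofing on the upstream link, a handful of reachable TCP servers, outbound SMTP and NetBIOS dropped on the access servers rather than at the core) and Chris's point that ports can be restricted per IP both come down to the same mechanism: an ordered list evaluated first-match, with an implicit deny at the end. The following model, added here as an example and not code from the list or from Cisco, evaluates constructed packets against two such lists so the effect of rule order can be checked. Addresses are taken from the RFC 5737 documentation ranges, the server roles (mail relay, web, shell, DNS) are assumptions, and the IOS `established` keyword is modelled as a flag on the packet.

```python
"""First-match, implicit-deny access lists as an IOS router applies them.

Added example for the Firewalling thread (not list or Cisco code). Addresses
and server roles are constructed; comments give the IOS line each rule mirrors.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

OUR_BLOCK = "192.0.2.0/24"        # the ISP's public allocation (constructed)
DIALUP_POOL = "192.0.2.128/25"    # addresses handed to dialup customers (constructed)
MAIL_RELAY, WEB, SHELL, DNS = "192.0.2.25/32", "192.0.2.80/32", "192.0.2.22/32", "192.0.2.53/32"


@dataclass(frozen=True)
class Packet:
    proto: str                  # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    established: bool = False   # TCP segment with ACK or RST set


@dataclass(frozen=True)
class Rule:
    """One extended access-list line, e.g. 'permit tcp any host 192.0.2.25 eq smtp'."""
    action: str                     # "permit" or "deny"
    proto: str                      # "ip" matches every protocol
    src: str                        # CIDR network or "any"
    dst: str
    dport: Optional[int] = None     # None: any destination port
    established: bool = False       # IOS 'established': only ACK/RST segments match
    note: str = ""

    def matches(self, p: Packet) -> bool:
        return (self.proto in ("ip", p.proto)
                and _within(p.src, self.src) and _within(p.dst, self.dst)
                and (self.dport is None or self.dport == p.dport)
                and (not self.established or p.established))


def _within(addr: str, net: str) -> bool:
    return net == "any" or ip_address(addr) in ip_network(net)


def evaluate(acl, packet: Packet):
    """Return (action, note) from the first matching line; unmatched traffic is denied."""
    for rule in acl:
        if rule.matches(packet):
            return rule.action, rule.note
    return "deny", "implicit deny at end of list"


# Applied inbound on the interface facing the upstream provider.
INBOUND_FROM_UPSTREAM = [
    Rule("deny", "ip", OUR_BLOCK, "any", note="anti-spoof: our own addresses never arrive from outside"),
    Rule("deny", "ip", "10.0.0.0/8", "any", note="anti-spoof: RFC 1918"),
    Rule("deny", "ip", "172.16.0.0/12", "any", note="anti-spoof: RFC 1918"),
    Rule("deny", "ip", "192.168.0.0/16", "any", note="anti-spoof: RFC 1918"),
    Rule("deny", "ip", "127.0.0.0/8", "any", note="anti-spoof: loopback"),
    # permit tcp any 192.0.2.0 0.0.0.255 established
    Rule("permit", "tcp", "any", OUR_BLOCK, established=True, note="replies to sessions opened from inside"),
    Rule("permit", "tcp", "any", MAIL_RELAY, dport=25, note="mail relay"),
    Rule("permit", "tcp", "any", WEB, dport=80, note="web server"),
    Rule("permit", "tcp", "any", SHELL, dport=22, note="shell server: ssh only, no telnet"),
    Rule("permit", "udp", "any", DNS, dport=53, note="authoritative DNS"),
    # 'established' is TCP-only: UDP replies to inside clients (DNS answers, NTP)
    # would need their own permit lines, omitted here to keep the model small.
]

# Applied on the access server to traffic arriving from dialup users.
DIALUP_INGRESS = (
    [Rule("permit", "tcp", DIALUP_POOL, MAIL_RELAY, dport=25, note="mail via our own relay")]
    + [Rule("deny", "tcp", DIALUP_POOL, "any", dport=25, note="no direct outbound SMTP from dialups")]
    + [Rule("deny", proto, DIALUP_POOL, "any", dport=port, note="NetBIOS stays off the 'net")
       for proto in ("tcp", "udp") for port in (137, 138, 139)]
    + [Rule("permit", "ip", DIALUP_POOL, "any", note="everything else from a pool address")]
    # A source outside the pool matches nothing and hits the implicit deny.
)


def main() -> None:
    samples = [  # (list name, acl, constructed packet)
        ("upstream", INBOUND_FROM_UPSTREAM, Packet("tcp", "192.0.2.50", "192.0.2.25", 40000, 25)),
        ("upstream", INBOUND_FROM_UPSTREAM, Packet("tcp", "198.51.100.7", "192.0.2.22", 40000, 23)),
        ("upstream", INBOUND_FROM_UPSTREAM, Packet("tcp", "198.51.100.7", "192.0.2.140", 80, 40000, True)),
        ("dialup", DIALUP_INGRESS, Packet("tcp", "192.0.2.140", "203.0.113.9", 40000, 25)),
        ("dialup", DIALUP_INGRESS, Packet("tcp", "10.1.1.1", "203.0.113.9", 40000, 80)),
    ]
    for name, acl, pkt in samples:
        action, note = evaluate(acl, pkt)
        print(f"{name:8} {pkt.proto} {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}  {action:6} ({note})")


if __name__ == "__main__":
    main()
```

The ordering is the whole point: the relay permit must precede the SMTP deny, and the anti-spoofing denies must precede the `established` permit, or a forged ACK from an inside address would be waved through. Swapping those lines in the model shows the failure immediately, which is a cheaper place to find it than on the router.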



Re: Firewalling

2000-03-30 Thread John Gonzalez/netMDC admin
For one, if you are planning on firewalling the router, your firewall
becomes your router.

You are going to have to have some type of WAN interface installed on your
firewall in order to even have your network work.

Secondly, you should be able to secure a Cisco router from remote attack.
You can't prevent DoS attacks, but you can't do that even with a firewall.

Thirdly, you should be able to put strict access lists into your Cisco
router to pretty much keep the honest people honest.

Finally, you should be able to put some type of firewall behind the router
and in front of your LAN. Keep in mind however, that a firewall is not a
magic wall that will keep you safe from harm. It's still very easy for
some user on the secure side to run a program and become a back door and
pipeline for a hacker on the outside to wreak havoc on all the computers
on the inside.

It sounds to me like you have a lot of research to do before you should
attempt this type of install, or perhaps hire some consultant.

On Wed, 29 Mar 2000, Kevin wrote:

>I'm not really sure if I should post this to the isp list or this one, but
>anyway.  I work for a fairly small ISP and the management told me they want
>me to put some sort of firewall in front of the router.  Actually their
>first idea was a firewall in front of the router, then one behind the
>router, then to the servers.  I'm curious what kind of effect having a
>firewalled router will have on the dialup customers as well as certain
>servers like a shell provider.  Also what would I firewall from the router.
>I don't want to really restrict any ports for end dialup users as I've had
>personal experience with this, and it can be a pain.  Any ideas, comments,
>or short poems about how great I am would be greatly appreciated.

  ___   _  __   _  
__  /___ ___    /__  John Gonzalez/Net.Tech
__  __ \ __ \  __/_  __ `__ \/ __  /_  ___/ MDC Computers/netMDC!
_  / / / `__/ /_  / / / / / / /_/ / / /__ (505)437-7600/fax-437-3052
/_/ /_/\___/\__/ /_/ /_/ /_/\__,_/  \___/ http://www.netmdc.com
[-[system info]---]
  8:25pm  up 65 days,  4:22,  4 users,  load average: 0.09, 0.16, 0.25



Firewalling

2000-03-30 Thread Kevin
I'm not really sure if I should post this to the isp list or this one, but
anyway.  I work for a fairly small ISP and the management told me they want
me to put some sort of firewall in front of the router.  Actually their
first idea was a firewall in front of the router, then one behind the
router, then to the servers.  I'm curious what kind of effect having a
firewalled router will have on the dialup customers as well as certain
servers like a shell provider.  Also what would I firewall from the router.
I don't want to really restrict any ports for end dialup users as I've had
personal experience with this, and it can be a pain.  Any ideas, comments,
or short poems about how great I am would be greatly appreciated.