Re: [expert] Off to camp once again.

2000-10-17 Thread Michael Proto

Routed uses only the RIP (or RIP2) protocol to make routing decisions,
whereas gated can use a variety of routing protocols. I admin firewall
gateways for an ISP, and the only real reason I use gated is to speak
OSPF to our exterior routers that won't speak RIP.

Personally, if you don't need anything for routing but RIP, I'd
investigate routed first-- it looks much easier to configure. Now if you
don't need anything but static routes, then kill 'em both and write an rc
script to set routes for you. Routing protocols are designed to
dynamically change routes. If you only have one route coming into your
box, then you don't have (or need programs for) dynamic routing.



M.

Eric Mings wrote:
 
 Thanks much for the replies. Very informative and helpful.
 
   I guess the only decision I need to make now is whether to nuke
 gated or routed. Does it make a difference? Thanks again.
 --
 Regards,
 
 Eric Mings Ph.D.
 
   

-- 
Michael Proto
[EMAIL PROTECTED]
http://www.mp3.com/protologic
"What, me worry?" -A.E.Newman



Keep in touch with http://mandrakeforum.com: 
Subscribe the "[EMAIL PROTECTED]" mailing list.
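The rc-script alternative Michael describes (static routes, no routing daemon at all), as an added sh example that is not from the thread: it validates the addresses, then installs a default route and any extra networks via one gateway. It uses iproute2's `ip route` rather than the older `route` command; the interface name, gateway and networks are constructed placeholders from the RFC 5737 documentation ranges, and with ROUTE_DRY_RUN=1 (the default) it only prints what it would run.

```shell
#!/bin/sh
# Added example, not from the thread: replace routed/gated with static routes
# on a single-uplink host. Interface, gateway and networks are constructed
# placeholders. ROUTE_DRY_RUN=1 (the default) prints the commands instead of
# running them; set ROUTE_DRY_RUN=0 when calling this from rc.local.

ROUTE_DRY_RUN="${ROUTE_DRY_RUN:-1}"

# valid_ipv4 ADDR: succeed only for a dotted quad whose four octets are 0..255
valid_ipv4() {
    addr="$1"
    case "$addr" in
        ''|.*|*.|*..*) return 1 ;;      # empty, leading/trailing or doubled dot
    esac
    old_ifs="$IFS"
    IFS=.
    set -- $addr
    IFS="$old_ifs"
    [ $# -eq 4 ] || return 1
    for oct in "$@"; do
        case "$oct" in
            ''|*[!0-9]*) return 1 ;;
        esac
        [ "$oct" -le 255 ] || return 1
    done
    return 0
}

# run_or_print CMD ARGS...: print the command when dry-running, else execute it
run_or_print() {
    if [ "$ROUTE_DRY_RUN" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# set_static_routes IFACE GATEWAY [NET/PREFIX ...]: add the default route via
# GATEWAY on IFACE, then any extra networks, all via the same gateway. Every
# argument is checked before anything is installed, so a typo fails loudly
# instead of leaving a half-configured table on a box you cannot reach.
set_static_routes() {
    iface="$1"; gw="$2"; shift 2
    valid_ipv4 "$gw" || { echo "set_static_routes: bad gateway '$gw'" >&2; return 1; }
    for net in "$@"; do
        case "$net" in
            */*) ;;
            *)   echo "set_static_routes: '$net' must be NET/PREFIX" >&2; return 1 ;;
        esac
        prefix="${net#*/}"
        valid_ipv4 "${net%/*}" || { echo "set_static_routes: bad network '$net'" >&2; return 1; }
        case "$prefix" in
            ''|*[!0-9]*) echo "set_static_routes: bad prefix in '$net'" >&2; return 1 ;;
        esac
        [ "$prefix" -le 32 ] || { echo "set_static_routes: bad prefix in '$net'" >&2; return 1; }
    done
    run_or_print ip route add default via "$gw" dev "$iface"
    for net in "$@"; do
        run_or_print ip route add "$net" via "$gw" dev "$iface"
    done
}

# Typical rc.local use: one uplink, one gateway, nothing dynamic to learn.
if [ "${1:-}" = "--demo" ]; then
    set_static_routes eth0 192.0.2.1 198.51.100.0/24
fi
```

Run it as `sh static-routes.sh --demo` to see the two `ip route` lines it would install; a single-homed colo box needs nothing more than the default route, and the extra-network loop is only there for the case where the ISP hands you a second prefix behind the same gateway.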



Re: [expert] Off to camp once again.

2000-10-17 Thread Buchan Milne

Is postfix not necessary if you are going to be getting your security
checks mailed to you?  I was initially under the impression that postfix
did not have to run as a daemon for this (like sendmail), but my machines
with postfix only send me mail when postfix is running (as opposed to
the boxes with sendmail that always send mail).

Buchan

Matthew Micene wrote:
 
 On Mon, 16 Oct 2000, you wrote:
 
 [all snipped Content-Transfer-Encoding: 7bit]
 
 My suggestions and the reasoning behind it:
 Kill kudzu:  you most likely won't be adding hardware.  If you really want
 to use it, start it manually before installing hardware and kill
 it once you are done.  There is no need to daemonize it.
 
 Kill ypbind:  unless for some reason this machine is a NIS client, this
 is not needed and a HUGE security hole.  if the box IS an NIS client AND
 you are coloing this box, god bless and pass the ammunition.
 
 Kill portmap:  unless this is an NFS server, this is another gaping hole.
 I personally would not colo an NFS server, way too much unsecurable
 traffic floating on the Internet.
 
 Kill netfs and nfslock.  again, this box should not be MOUNTING
 partitions across the Internet on a coloed box.  This is for SMB Netware
 and NFS  mounts, NOT recommended by me.
 
 kill pcmcia: this isn't a laptop, no need for it
 
 gated or routed, pick one or the other.   They serve the same purpose and
 WILL interfere with each other.
 
 kill named, postfix, httpd, proftpd and mysql unless you have a reason
 for running them (ie running (in order) a DNS server, a mail server, web
 server, ftp server or database server or backend)
 
 kill lpd, it is HIGHLY unlikely you are going to be using a coloed box as
 a printserver for any reason.  And I can't imagine they are going to
 provide access to or space for a line printer for you to dump your logs to.
 
 Kill amd, unless you need to automount local partitions on the fly there
 is no need for this that I can think of on a server.
 
 Webmin runs its own http daemon.  If you are using this to configure and
 control the box remotely, make sure you have the proper ipchains rules to
 shutdown access to unauthorized people for this service.  Otherwise, shut
 it off.
 
 Xfs can be removed if you are not planning  on running any remote X
 services from the box, and can be manually started and stopped should
 someone log in on the console and want to start X.  Or upgrade to XFree86
 4.0.1 that doesn't rely on Xfs.
 
 KILL LINUXCONF!   I can think of absolutely no reason why on a coloed
 server box you would daemonize linuxconf.  Actually, I see little reason
 to daemonize it at all.
 
 Once you remove all the unnecessary services (ie Linuxconf, ftp, telnet,
 whatever) make sure you go through the inetd.conf file and comment
 out/remove all the lines relevant to those services.
 
 The pared down list I would suggest reads like this:
 network
 random
 syslog
 gated OR routed
 atd
 crond
 inetd
 keytable
 local
 
 and then add whichever of the following services you MEAN to run:
 httpd
 named
 proftpd
 sshd
 webmin
 mysql
 postfix
 
 
 --
 Matthew Micene
 Systems Development Manager
 Express Search Inc.
 www.ExpressSearch.com
 
 A host is a host from coast to coast,
 and no one will talk to a host too close
 Unless the host that isn't close is busy, hung or dead
 
   

-- 
|--|
Buchan Milne                        Mechanical Engineer, Network Manager
Cellphone                           +27824722231
email                               mailto:[EMAIL PROTECTED]
Centre for Automotive Engineering   http://www.cae.co.za
South Africa's first satellite:     http://sunsat.ee.sun.ac.za
Control Models                      http://www.control.co.za
|Registered Linux User #182071-|






Re: [expert] Off to camp once again.

2000-10-17 Thread Matthew Micene

On Tue, 17 Oct 2000, you wrote:
 
 Is postfix not necessary if your are going to be getting your security
 checks mailed to you ?

I hadn't thought of that.  Very true.  In that case my recommendation
would be to spend a bunch of time with the postfix documentation and
configure the server as outgoing-only as possible, restricting who it
receives mail from, who it sends mail to, etc.  I was also under the
impression from the documentation that it could be set up in a manner
similar to sendmail where the postfix clients only ran when explicitly
called, but I was setting up a postfix daemon for a mailing list.

-- 
Matthew Micene
Systems Development Manager
Express Search Inc.
www.ExpressSearch.com

A host is a host from coast to coast,
and no one will talk to a host too close
Unless the host that isn't close is busy, hung or dead



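The "as outgoing-only as possible" Postfix setup Matthew points at, as an added sh example that is not from the thread: it prints the main.cf settings that bind smtpd to loopback and refuse to relay, feeds them to `postconf -e`, and includes a small checker that reads an existing main.cf and reports the two settings that most often leave a colo box reachable or relaying. The stock-config sample in the demo is constructed; with POSTFIX_DRY_RUN=1 (the default) nothing is written to the live configuration.

```shell
#!/bin/sh
# Added example, not from the thread: an outbound-only Postfix for a box that
# only needs to mail cron and log output to its admin, plus a checker for an
# existing main.cf. POSTFIX_DRY_RUN=1 (the default) prints the postconf
# commands instead of running them.

POSTFIX_DRY_RUN="${POSTFIX_DRY_RUN:-1}"

# outbound_only_settings: print the main.cf settings, one "name = value" per
# line. smtpd binds to loopback only, so nothing on the Internet can talk to it;
# the restriction list keeps it from relaying even if that ever changes.
# (inet_interfaces = loopback-only is the spelling on Postfix 2.2 and later.)
outbound_only_settings() {
    cat <<'EOF'
inet_interfaces = localhost
mynetworks = 127.0.0.0/8
mydestination = $myhostname, localhost.$mydomain, localhost
smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination
disable_vrfy_command = yes
EOF
}

# apply_settings: feed each setting to postconf -e (run `postfix reload` after).
apply_settings() {
    outbound_only_settings | while IFS= read -r setting; do
        if [ "$POSTFIX_DRY_RUN" = 1 ]; then
            echo "postconf -e '$setting'"
        else
            postconf -e "$setting"
        fi
    done
}

# main_cf_get FILE NAME: value of NAME in a main.cf. Last assignment wins,
# comments and blank lines are ignored; continuation lines (leading
# whitespace) are not joined, which is enough for the two keys checked below.
main_cf_get() {
    awk -v key="$2" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        /^[^[:space:]]/ && index($0, "=") {
            n = $0; sub(/[[:space:]]*=.*$/, "", n)
            v = $0; sub(/^[^=]*=[[:space:]]*/, "", v)
            if (n == key) val = v
        }
        END { print val }' "$1"
}

# check_outbound_only FILE: report anything that leaves smtpd reachable from
# outside or willing to relay; exit status 0 when both checks pass.
check_outbound_only() {
    status=0
    case "$(main_cf_get "$1" inet_interfaces)" in
        localhost|127.0.0.1|loopback-only) ;;
        *) echo "inet_interfaces: smtpd is listening on non-loopback interfaces"; status=1 ;;
    esac
    case "$(main_cf_get "$1" smtpd_recipient_restrictions)" in
        *reject_unauth_destination*) ;;
        *) echo "smtpd_recipient_restrictions: no reject_unauth_destination, relay risk"; status=1 ;;
    esac
    return $status
}

if [ "${1:-}" = "--demo" ]; then
    apply_settings
    f=$(mktemp)
    outbound_only_settings > "$f"
    check_outbound_only "$f" && echo "main.cf: outbound-only checks pass"
    rm -f "$f"
fi
```

Where the mail goes is then a matter of /etc/aliases (root pointing at the admin's real address) and, if the ISP blocks direct port 25 from colo space, a `relayhost` entry for their smarthost; neither changes the two settings the checker looks at.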



Re: [expert] Off to camp once again.

2000-10-17 Thread Matthew Micene

As an aside, if anyone is planning or is running webmin, there has been a
security update from them that was released today on freshmeat.  I urge
you all to get it and update your systems.

-- 
Matthew Micene
Systems Development Manager
Express Search Inc.
www.ExpressSearch.com

A host is a host from coast to coast,
and no one will talk to a host too close
Unless the host that isn't close is busy, hung or dead






Re: [expert] Off to camp once again.

2000-10-16 Thread Michael

I rewrite kudzu to end after running. Since you aren't likely to put
hardware into a running machine this seems a safe assumption. It may end
by itself but it doesn't show anything like that so I just make
sure. Unless you are using NFS/NIS get rid of portmap, ypbind, nfslock,
and nfs. Unless it's a laptop get rid of pcmcia. You can probably kill
named and routed. You only need lpd if you're going to be printing. webmin
and any ftp server I'd kill. I'd nuke all inetd services.

*^*^*^*
Have the courage to take your own thoughts seriously, for they will shape
you. -- Albert Einstein

On Mon, 16 Oct 2000, Eric Mings wrote:

 -BEGIN PGP SIGNED MESSAGE-
 Hash: SHA1
 
 Last week I posted a message about the various steps I had taken to 
 get a linux box ready to send off to my ISP for colocation (camp). I 
 am comfortable with all the administrative, backup, and security 
 steps I outlined in that message. However, I would like to remove any 
 remaining startup services from init 3 that I won't need. The server 
 will be running apache/php/mysql and postfix for use on my web sites. 
 The remaining startup services I have not yet removed from init 3 
 include:
 kudzu
 network
 portmap
 ypbind
 random
 netfs
 syslog
 gated
 postfix
 atd
 crond
 pcmcia
 inet
 routed
 named
 lpd
 nfslock
 amd
 keytable
 sshd
 webmin
 httpd
 proftpd
 mysql
 xfs
 linuxconf
 local
 
 I would appreciate suggestions as to which of these I might still 
 want to remove for security or performance issues. Thanks much!
 - -- 
 Regards,
 
 Eric Mings Ph.D.
 
 -BEGIN PGP SIGNATURE-
 Version: PGP Personal Privacy 6.5.8
 
 iQA/AwUBOetMfw2sxFFGmUQrEQIn8gCg0J53rXhDH2GtuKtnCCpGtuYRfToAn3gE
 p14hApUr/V3EXaRjWmIhIP7d
 =JYNc
 -END PGP SIGNATURE-
 
 







Re: [expert] Off to camp once again.

2000-10-16 Thread Matthew Micene

On Mon, 16 Oct 2000, you wrote:

[all snipped Content-Transfer-Encoding: 7bit]

My suggestions and the reasoning behind it:
Kill kudzu:  you most likely won't be adding hardware.  If you really want
to use it, start it manually before installing hardware and kill
it once you are done.  There is no need to daemonize it. 

Kill ypbind:  unless for some reason this machine is a NIS client, this
is not needed and a HUGE security hole.  if the box IS an NIS client AND
you are coloing this box, god bless and pass the ammunition.

Kill portmap:  unless this is an NFS server, this is another gaping hole. 
I personally would not colo an NFS server, way too much unsecurable
traffic floating on the Internet. 

Kill netfs and nfslock.  again, this box should not be MOUNTING
partitions across the Internet on a coloed box.  This is for SMB Netware
and NFS  mounts, NOT recommended by me. 

kill pcmcia: this isn't a laptop, no need for it 

gated or routed, pick one or the other.   They serve the same purpose and
WILL interfere with each other.

kill named, postfix, httpd, proftpd and mysql unless you have a reason
for running them (ie running (in order) a DNS server, a mail server, web
server, ftp server or database server or backend)

kill lpd, it is HIGHLY unlikely you are going to be using a coloed box as
a printserver for any reason.  And I can't imagine they are going to
provide access to or space for a line printer for you to dump your logs to.

Kill amd, unless you need to automount local partitions on the fly there
is no need for this that I can think of on a server.

Webmin runs its own http daemon.  If you are using this to configure and
control the box remotely, make sure you have the proper ipchains rules to
shutdown access to unauthorized people for this service.  Otherwise, shut
it off.

Xfs can be removed if you are not planning  on running any remote X
services from the box, and can be manually started and stopped should
someone log in on the console and want to start X.  Or upgrade to XFree86
4.0.1 that doesn't rely on Xfs.

KILL LINUXCONF!   I can think of absolutely no reason why on a coloed
server box you would daemonize linuxconf.  Actually, I see little reason
to daemonize it at all.  

Once you remove all the unnecessary services (ie Linuxconf, ftp, telnet,
whatever) make sure you go through the inetd.conf file and comment
out/remove all the lines relevant to those services.

The pared down list I would suggest reads like this:
network
random
syslog
gated OR routed
atd
crond
inetd
keytable
local

and then add whichever of the following services you MEAN to run:
httpd
named
proftpd
sshd
webmin
mysql
postfix


-- 
Matthew Micene
Systems Development Manager
Express Search Inc.
www.ExpressSearch.com

A host is a host from coast to coast,
and no one will talk to a host too close
Unless the host that isn't close is busy, hung or dead



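The pruning Matthew walks through (take everything not on the keep list out of the boot sequence, comment the matching inetd.conf entries out) together with the ipchains fence he recommends for webmin's own HTTP daemon, as one added sh example that is not from the thread. The keep list, the constructed inetd.conf sample and the admin address 192.0.2.10 are assumptions; `chkconfig`, `ipchains` and the /etc/rc.d/init.d layout are the Red Hat/Mandrake conventions of the period, and with PRUNE_DRY_RUN=1 (the default) the privileged commands are printed, not run.

```shell
#!/bin/sh
# Added example, not from the thread: pare a colocated box down to an explicit
# keep list of boot services, comment the matching inetd.conf entries out, and
# fence webmin's HTTP daemon with ipchains. PRUNE_DRY_RUN=1 (the default)
# prints the privileged commands instead of running them.

PRUNE_DRY_RUN="${PRUNE_DRY_RUN:-1}"

# Matthew's pared-down list plus what this host actually serves (assumption:
# web, database, outbound mail and ssh; no ftp, no webmin, no routing daemon).
KEEP="network random syslog atd crond inetd keytable local sshd httpd mysql postfix"

run_or_print() {
    if [ "$PRUNE_DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

# in_list WORD LIST: succeed if WORD equals one of the space-separated LIST entries
in_list() {
    for w in $2; do
        [ "$w" = "$1" ] && return 0
    done
    return 1
}

# services_to_disable SERVICE...: print every named service that is not in KEEP.
# On a live box feed it `chkconfig --list | awk '$5 ~ /on/ {print $1}'`
# (column 5 is the runlevel-3 state); here the inventory is passed in.
services_to_disable() {
    for svc in "$@"; do
        in_list "$svc" "$KEEP" || echo "$svc"
    done
}

# disable_services SERVICE...: take each service out of runlevels 3-5 and stop
# the running instance, so the change survives the reboot at the colo.
disable_services() {
    for svc in "$@"; do
        run_or_print chkconfig --level 345 "$svc" off
        run_or_print /etc/rc.d/init.d/"$svc" stop
    done
}

# prune_inetd_conf FILE SERVICE...: comment out each active inetd.conf line whose
# first field (the service name) is one of SERVICE..., rewrite FILE in place and
# print the names it disabled. Blank and already-commented lines pass through.
prune_inetd_conf() {
    conf="$1"; shift
    want="$*"
    tmp="$conf.new"
    : > "$tmp"
    set -f                                   # no globbing while splitting lines
    while IFS= read -r line; do
        case "$line" in
            ''|'#'*) ;;
            *) set -- $line
               if in_list "$1" "$want"; then
                   echo "$1"
                   line="#$line"
               fi ;;
        esac
        printf '%s\n' "$line" >> "$tmp"
    done < "$conf"
    set +f
    mv "$tmp" "$conf"
}

reload_inetd() { run_or_print killall -HUP inetd; }

# webmin_rules ADMIN_IP: accept webmin (TCP 10000 by default) only from ADMIN_IP,
# log and deny everyone else. These must sit ahead of any rule that accepts
# everything, so on an existing chain use -I instead of -A.
webmin_rules() {
    run_or_print ipchains -A input -p tcp -s "$1" -d 0.0.0.0/0 10000 -j ACCEPT
    run_or_print ipchains -A input -p tcp -d 0.0.0.0/0 10000 -l -j DENY
}

demo() {
    conf=$(mktemp) || exit 1
    # Constructed inetd.conf sample: two entries to kill, one already off, one to keep.
    printf '%s\n' \
        'ftp     stream  tcp  nowait  root    /usr/sbin/tcpd  in.proftpd' \
        'telnet  stream  tcp  nowait  root    /usr/sbin/tcpd  in.telnetd' \
        '#finger stream  tcp  nowait  nobody  /usr/sbin/tcpd  in.fingerd' \
        'ssh     stream  tcp  nowait  root    /usr/sbin/sshd  sshd -i' > "$conf"
    disable_services $(services_to_disable kudzu portmap ypbind httpd xfs linuxconf)
    prune_inetd_conf "$conf" ftp telnet finger
    cat "$conf"; rm -f "$conf"
    reload_inetd
    webmin_rules 192.0.2.10
}
if [ "${1:-}" = "--demo" ]; then demo; fi
```

After the real run, `netstat -tlnp` (or `lsof -i`) is the check that matters: every listening socket left should map to a service on the keep list, and webmin's port 10000 should only answer from the admin address.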



Re: [expert] Off to camp once again.

2000-10-16 Thread Eric Mings

Thanks much for the replies. Very informative and helpful.

  I guess the only decision I need to make now is whether to nuke 
gated or routed. Does it make a difference? Thanks again.
-- 
Regards,

Eric Mings Ph.D.






Re: [expert] Off to camp once again.

2000-10-16 Thread Matthew Micene

On Mon, 16 Oct 2000, you wrote:
 
 Thanks much for the replies. Very informative and helpful.
 
   I guess the only decision I need to make now is whether to nuke 
 gated or routed. Does it make a difference? Thanks again.

routeD only implements the RIP protocol.  gateD has support for many many
many routing protocols, and is more secure after a fashion (mostly because
RIP is not particularly secure, and gateD has support for more secure
protocols).  It would depend on what sort of routing this coloed box is
going to need, based on its purpose.  If you can get away with a
static routing table, you can nuke both.  I am not an expert on
configuring gateD but have heard it's not so bad.  Because of the way RIP
works, routeD should be "start it and forget it".  RIP is not really good for
border applications due to the lack of security.

-- 
Matthew Micene
Systems Development Manager
Express Search Inc.
www.ExpressSearch.com

A host is a host from coast to coast,
and no one will talk to a host too close
Unless the host that isn't close is busy, hung or dead


