RE: [newbie] Fostering the linux community spirit...... and a question about mandrake security level..and another one on Bind..
OK, so they just closed it up using ipchains? If that's it, then I have no problems, I know my way around ipchains rules.. I thought the security script may have done other stuff to close ports and stuff. Gonna have to learn iptables when 8.1 comes out though...

rgds
Frank

-----Original Message-----
From: Michael D. Viron [mailto:[EMAIL PROTECTED]]
Sent: Saturday, 15 September 2001 12:45 PM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: Re: [newbie] Fostering the linux community spirit.. and a question about mandrake security level..and another one on Bind..

> Is there anything available that explains how to open just what I need??
> (ie how to get port 25 open and listening for postfix... ditto with 80 and
> httpd, ditto with bind on 53 (or the high ports), ssh,,, etc, etc, you get
> the idea.

Well, this depends on whether you are using iptables or ipchains. If you are using ipchains, you can do something like:

    ipchains -A input -s 0/0 -d 0/0 80 -p tcp -y -j ACCEPT

which allows connections coming from and going anywhere on port 80. The 80 can very easily be changed to accommodate other ports you need to have open to anyone. If you have "trusted" hosts (ie, machines under your direct control), you can then also do something like:

    ipchains -A input -s 111.11.11.122 -d 0/0 -p all -j ACCEPT

which will allow any type of connection (either udp or tcp) from that machine, with a destination of anywhere.

> It seems more logical than starting at security level Medium and then
> installing the secure kernel, pmfirewall, portsentry, and trying to harden
> it as much as possible myself,,, if I could start hard and soften to my
> needs, no doubt it would be more secure in the long run. (Not that I
> wouldn't do all of the above even if I could do it,, I just think the end
> results would be more secure.)
>
> Also, if you run a newer bind, and it is using the higher ports, how can you
> open the firewall to allow it if you don't know the ports it's using??? I
> have our bind tied to port 53, and it gets lots of attack attempts
> (thousands) and I'd like to block 53 and open the higher ports... does
> anyone know anything about this??

Well, the easiest way to block the port 53 attacks is to disallow all connections by default, and then only allow connections depending on need. For example, my ipchains file (in /etc/sysconfig) has:

    -A input -s 111.11.11.111 53 -d 0/0 -p udp -j ACCEPT

which allows connections originating from my nameserver(s) and going anywhere. All other connection attempts on port 53 will be blocked (ip changed for security reasons).

Michael

--
Michael Viron
Registered Linux User #81978
Senior Systems & Administration Consultant
Web Spinners, University of West Florida

Want to buy your Pack or Services from MandrakeSoft? Go to http://www.mandrakestore.com
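Michael's reply shows two ipchains rules on their own. The script below is an editor's added example, not code posted in the thread, that puts them into the complete default-deny ruleset he describes: DENY policy on the input chain, SYN-only (-y) openings for the public TCP services Frank lists, port 53 reachable only from the trusted nameserver, and a rule for the other half of Frank's BIND question: a newer BIND sends its own queries from an unprivileged port, so the answers come back from remote port 53 to a local port above 1023, and the rule matches on that instead of guessing which port BIND picked. The addresses (111.11.11.111 as the trusted nameserver, 111.11.11.122 as this host) are placeholders carried over from the thread, and the service list 22/25/80 is an assumption; set them for your own host.

```shell
#!/bin/sh
# Editor's added example, not code from the thread: a default-deny ipchains
# ruleset along the lines Michael describes.  Addresses are placeholders
# taken from the thread (assumed values); set them for your host before use.
#
#   ./fw.sh print                       # review the rules, nothing is applied
#   IPCHAINS=ipchains ./fw.sh apply     # as root, on a 2.2 (ipchains) kernel
set -u

IPCHAINS="${IPCHAINS:-echo ipchains}"        # default is a dry run
EXT_IP="${EXT_IP:-111.11.11.122}"            # this host's public address (assumed)
TRUSTED_NS="${TRUSTED_NS:-111.11.11.111}"    # nameserver allowed to reach our port 53 (assumed)
TRUSTED_HOSTS="${TRUSTED_HOSTS:-}"           # space-separated admin hosts, may be empty
PUBLIC_TCP="${PUBLIC_TCP:-22 25 80}"         # ssh, postfix, httpd (assumed)

# Emit the ruleset one rule per line, in the order it must be applied.
build_rules() {
    # Flush, then set the policies: nothing gets in unless a rule below allows it.
    echo "-F input"
    echo "-F output"
    echo "-F forward"
    echo "-P input DENY"
    echo "-P output ACCEPT"
    echo "-P forward DENY"

    # Loopback is always fine; packets claiming to be loopback or ourselves
    # on any other interface are spoofed, so drop and log them (-l).
    echo "-A input -i lo -j ACCEPT"
    echo "-A input -s 127.0.0.0/8 -i ! lo -j DENY -l"
    echo "-A input -s $EXT_IP -i ! lo -j DENY -l"

    # Fully trusted hosts may open anything, any protocol.
    for h in $TRUSTED_HOSTS; do
        echo "-A input -s $h -d 0/0 -p all -j ACCEPT"
    done

    # Public TCP services: a new connection is a SYN packet (-y) to the port.
    for port in $PUBLIC_TCP; do
        echo "-A input -s 0/0 -d 0/0 $port -p tcp -y -j ACCEPT"
    done

    # Any other TCP must belong to a connection we already accepted, i.e. not
    # be a SYN.  ipchains is stateless, so stray ACKs also pass this rule;
    # iptables' connection tracking is the real fix for that.
    echo "-A input -p tcp ! -y -j ACCEPT"

    # DNS served by us: only the trusted nameserver may talk to our port 53
    # (queries over UDP, zone transfers over TCP).  Random Internet probes of
    # port 53 match nothing and fall through to the DENY policy.
    echo "-A input -s $TRUSTED_NS -d $EXT_IP 53 -p udp -j ACCEPT"
    echo "-A input -s $TRUSTED_NS -d $EXT_IP 53 -p tcp -y -j ACCEPT"

    # DNS asked by us: a newer BIND sends its own queries from an unprivileged
    # port, so the answer arrives from remote port 53 at some local port above
    # 1023.  Match the remote source port and the local range, no guessing.
    echo "-A input -s 0/0 53 -d $EXT_IP 1024:65535 -p udp -j ACCEPT"

    # ICMP needed for path MTU discovery and traceroute-style diagnostics.
    # For ICMP, ipchains takes the type number where a source port would go.
    echo "-A input -p icmp -s 0/0 3 -j ACCEPT"     # destination-unreachable
    echo "-A input -p icmp -s 0/0 11 -j ACCEPT"    # time-exceeded

    # Log whatever is about to hit the DENY policy so the probes stay visible.
    echo "-A input -j DENY -l"
}

# Feed each rule to ipchains (or to echo for a dry run); stop on the first failure.
apply_rules() {
    build_rules | while IFS= read -r rule; do
        # word splitting of $rule into arguments is intended here
        $IPCHAINS $rule || exit 1
    done
}

case "${1:-}" in
    print) build_rules ;;
    apply) apply_rules ;;
esac
```

Run it with `print` first and read the output top to bottom, since ipchains evaluates rules in order and the first match wins: the `! -y` rule must come after the SYN openings, and the trusted-host rules before everything that would otherwise deny them. The rules are ipchains (2.2 kernels) as in the thread; the iptables equivalents Frank mentions differ in syntax and can replace the `! -y` rule with proper state matching.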
[newbie] Fostering the linux community spirit...... and a question about mandrake security level..and another one on Bind..
Hi all,

I have been scanning these off topic USA posts since they started on my windows box, and I never delete the mandrake posts, so my outlook.pst file is 700 MB... nasty that,,,

Anyway, my thought is this,,, some things that are off topic should be OK, if they help foster the linux community spirit and co-operation... Once things degenerate to all out name calling and fighting, it's doing the opposite to the above and quite rightly should be taken off the list... We want to appear as rational, logical people to the world, not linux fanatics... Remember all these posts get archived to the web and are searchable by google (someone did a search for me the other day and found about 1000 links from the 15 or 20 lists I am on...). How do you want us to appear to the world?? Keep that in mind. We want to make the windows users look like the illogical, argumentative and irrational people... so when it starts being less than beneficial and friendly, then it should be removed...

As an example, the USA thing was fine when it was a sharing of thoughts, sympathy, prayers and support (this helps healing and understanding). It bordered on "not so fine" when it became a discussion on racism, prejudice and blame (this fosters bad feelings, predominantly anger). You see my point... I think Mandrake did the right thing to try to stop the thread; it could have been worded a little more sensitively... but it is their mailing list, and it was starting to become argumentative and combative... name calling and insults achieve nothing except to make us look bad. And this was my last say on the subject.

On another subject, if I want to set security level 5 or high (to start with a really closed system, and then open just what I need...), is there anything available that explains how to open just what I need?? (ie how to get port 25 open and listening for postfix... ditto with 80 and httpd, ditto with bind on 53 (or the high ports), ssh,,, etc, etc, you get the idea.)

It seems more logical than starting at security level Medium and then installing the secure kernel, pmfirewall, portsentry, and trying to harden it as much as possible myself,,, if I could start hard and soften to my needs, no doubt it would be more secure in the long run. (Not that I wouldn't do all of the above even if I could do it,, I just think the end results would be more secure.)

Also, if you run a newer bind, and it is using the higher ports, how can you open the firewall to allow it if you don't know the ports it's using??? I have our bind tied to port 53, and it gets lots of attack attempts (thousands) and I'd like to block 53 and open the higher ports... does anyone know anything about this??

rgds
Frank