Hi again!
Thanks for your quick answers,
I think I hadn't explained clearly enough in the first mail.
The problem is the following:
I have a SINGLE public ip with an associated domain. In that host I have
a DNS server, mail server, web, etc. The important point is at the DNS.
What I'd
I think it is worth pointing out that port-forwarding has security implications. If
one of your services is compromised (even if it is not running as root) the attacker
now has a good amount of access to your local/internal network. I would only forward
ports when absolutely needed and only
Hi,
Ramon Acedo wrote:
I'd like to have a map like this:
ftp1.mydomain.net --- 192.168.1.10
ftp2.mydomain.net --- 192.168.1.50
www1.mydomain.net --- 192.168.1.12
www2.mydomain.net --- 192.168.1.33
that's hard, tricky and not always possible.
most protocols (e.g. ftp, telnet, http
It seems to accomplish the example you posed, you need 2 external IPs.
Say they were 1.1.1.1 and 1.1.1.2 for example. Then in DNS you could do:
ftp1 - 1.1.1.1
ftp2 - 1.1.1.2
www1 - 1.1.1.1
www2 - 1.1.1.2
And on your firewall do:
1.1.1.1 port 21 - 192.168.0.10
1.1.1.2 port 21 - 192.168.0.50
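The two-address mapping in the reply above, written out as the iptables rules a Woody-era firewall would need. This is an added example, not something posted in the thread: the external addresses 1.1.1.1/1.1.1.2, the ftp hosts 192.168.0.10/.50 come from the reply, the www hosts 192.168.0.12/.33 and the interface name eth0 are assumptions, and the script only prints the commands so they can be reviewed before being run as root. It also adds the part the reply leaves implicit: a default-deny FORWARD policy, so that a compromised DMZ host gets exactly the forwarded port and nothing else (the concern raised earlier in the thread).

```sh
#!/bin/sh
# Added example (not from the thread): emit the iptables commands for the
# two-external-IP mapping. Addresses for www and the interface "eth0" are
# assumptions; nothing is applied, the rules are only printed.

# dnat_rule EXT_IP PORT INT_IP
# Prints the PREROUTING DNAT rule for one public address/port, followed by
# the FORWARD rule that admits only that port to that one internal host.
dnat_rule() {
    ext="$1"; port="$2"; ihost="$3"
    printf 'iptables -t nat -A PREROUTING -i eth0 -d %s -p tcp --dport %s -j DNAT --to-destination %s:%s\n' \
        "$ext" "$port" "$ihost" "$port"
    printf 'iptables -A FORWARD -i eth0 -d %s -p tcp --dport %s -m state --state NEW -j ACCEPT\n' \
        "$ihost" "$port"
}

# ruleset: enable forwarding, default-deny everything forwarded, allow
# replies, then the four name-to-host mappings from the reply.
ruleset() {
    echo 'sysctl -w net.ipv4.ip_forward=1'
    echo 'iptables -P FORWARD DROP'
    echo 'iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT'
    dnat_rule 1.1.1.1 21 192.168.0.10   # ftp1.mydomain.net
    dnat_rule 1.1.1.2 21 192.168.0.50   # ftp2.mydomain.net
    dnat_rule 1.1.1.1 80 192.168.0.12   # www1.mydomain.net (assumed host)
    dnat_rule 1.1.1.2 80 192.168.0.33   # www2.mydomain.net (assumed host)
}

ruleset
```

Because the FORWARD policy is DROP and each ACCEPT names both the internal host and the port, a box in the DMZ that gets taken over cannot be reached on any other port from outside, and the firewall's own rules decide what it may talk to internally. FTP needs one more thing the reply does not mention: the data connection, so the ip_conntrack_ftp module must be loaded for the ESTABLISHED,RELATED rule to cover it.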
Dear all,
first I would like to apologize for my English as I am not a native
speaker.
I'm using Debian Woody with the current bind 9.2.0 and I'm trying to put
it in a chroot jail. I downloaded Scott's Chroot-BIND HOWTO and it
worked very well except for a few small things.
The chroot jail is
Hi, I didn't look at your problem precisely,
I'm writing a script to chroot services automatically,
I've tested it with bind9, here is the log and the
files I have in the jail, it looks to work.
Hope this helps, I'll release the script soon.
Alain
bind9.find
Description: Binary data
IMHO, putting a box on the interweb has security implications. But
port-forwarding in itself isn't exactly a security problem. I use port
forwarding to forward packets to a DMZ, so on the off-chance that I am
r00t'd, all they have access to is the DMZ. They still would have to be
real sneaky to
Wednesday, February 13, 2002, 5:52:38 PM, Alan James wrote:
Your English is very good actually, you need not apologise.
Thanks. :-)
*a* and *b* confuse me a little. Although rndc.key is in the chrooted
/chroot/named/etc/ I get this error message (in addition
you mean
Wednesday, February 13, 2002, 7:26:56 PM, Alain Tesio wrote:
I'm writing a script to chroot services automatically,
I've tested it with bind9, here is the log and the
files I have in the jail, it looks to work.
Huh, you've put quite a lot in the jail. I wonder why this might be
necessary
On Wed, 13 Feb 2002 20:26:11 +0100
Marcus Frings [EMAIL PROTECTED] wrote:
Huh, you've put quite a lot in the jail. I wonder why this might be
necessary since the HOWTO just suggests to put very few files like the
configuration and zone data files in the chroot jail. I'll try to
resolve the
Wednesday, February 13, 2002, 8:33:08 PM, Alain Tesio wrote:
I'll send another post when it's ready, probably this Sunday.
Okay, I won't miss your posting. :-)
Regards,
Marcus
--
Fickle minds, pretentious attitudes
and ugly make-up on ugly faces...
The Goth Goose Of The Week:
On Wed, Feb 13, 2002 at 07:54:00PM +0100, Marcus Frings wrote:
Wednesday, February 13, 2002, 5:52:38 PM, Alan James wrote:
Your English is very good actually, you need not apologise.
Thanks. :-)
*a* and *b* confuse me a little. Although rndc.key is in the chrooted
/chroot/named/etc/
On Monday, February 11, 2002, at 02:54 PM, Jeff Bonner wrote:
But if the machine is restarted, those changes either do not persist
(same kernel) or are quite obvious (modified kernel overwrites the old
one, etc). On the other hand, having a hostile module inserted
into the
kernel not
Wednesday, February 13, 2002, 9:16:48 PM, Reagan Blundell wrote:
Feb 13 17:04:40 iridium named[1525]: none:0: open: /etc/bind/rndc.key: file not found
It's looking for the rndc.key file in /etc/bind/ which would be
/chroot/named/etc/bind
You have it in /chroot/named/etc - hence it can't
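The point of the reply above is that once named has done chroot(2) (started with -t /chroot/named), every path in named.conf is resolved relative to the jail root, so "/etc/bind/rndc.key" has to exist as /chroot/named/etc/bind/rndc.key. The following is an added example, not code from the thread or from the Chroot-BIND HOWTO: it builds a throw-away jail skeleton in a temporary directory with a constructed two-line named.conf, reproduces the misplaced key, and checks that every include/file path in the config resolves inside the jail before named is started.

```sh
#!/bin/sh
# Added example (not from the thread): verify that every file named.conf
# refers to exists at that path *inside* the jail, which is what named sees
# after chroot(). JAIL, the config and the key file are constructed here.

JAIL="${JAIL:-$(mktemp -d)}"
trap 'rm -rf "$JAIL"' EXIT

# make_jail: minimal skeleton with the include line the thread's error
# comes from, plus one zone file. The key is deliberately put one level
# too high, as in the poster's setup.
make_jail() {
    mkdir -p "$JAIL/etc/bind" "$JAIL/var/cache/bind"
    cat > "$JAIL/etc/bind/named.conf" <<'EOF'
include "/etc/bind/rndc.key";
zone "mydomain.net" { type master; file "/etc/bind/db.mydomain.net"; };
EOF
    : > "$JAIL/etc/rndc.key"
    : > "$JAIL/etc/bind/db.mydomain.net"
}

# check_jail: print every include/file path from named.conf that is missing
# inside the jail; return 1 if any is missing, 0 if all resolve.
check_jail() {
    conf="$JAIL/etc/bind/named.conf"
    missing=0
    for p in $(sed -n -e 's/.*include *"\([^"]*\)".*/\1/p' \
                      -e 's/.*file *"\([^"]*\)".*/\1/p' "$conf"); do
        if [ ! -e "$JAIL$p" ]; then
            echo "missing inside jail: $JAIL$p (named.conf says $p)"
            missing=1
        fi
    done
    return $missing
}

# fix_jail: move the key to where the config's path lands inside the jail.
fix_jail() {
    mv "$JAIL/etc/rndc.key" "$JAIL/etc/bind/rndc.key"
}

make_jail
check_jail || echo "named would fail on startup; moving rndc.key"
fix_jail
check_jail && echo "all named.conf paths resolve inside $JAIL"
```

Run the check against the real jail with JAIL=/chroot/named before starting named with -t. Since rndc.key holds the shared HMAC secret that lets rndc control the server, keep the copy inside the jail readable only by root and the user named runs as, and delete the copy that was outside the intended path rather than leaving two of them around.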
On 13 Feb 2002 03:35 PM, Anthony DeRobertis wrote:
But if the machine is restarted, those changes either do not
persist (same kernel) or are quite obvious (modified kernel
overwrites the old one, etc). On the other hand, having a
hostile module inserted into the kernel not only allows
In the interest of brevity, thanks to everyone who replied on this
thread!
Jeff Bonner
Hi,
I'm running Woody at home and have no use for the inetd daemon. I have tried
to un-install the package which provides inetd (netkit-inetd), but it depends
on package netbase so if I remove netkit-inetd I lose netbase.
How can I circumvent this problem?
Thanks,
Stef
On Wed 13 Feb 02 19:14, Howland, Curtis wrote:
Would simply commenting out all the lines in inetd.conf be sufficient?
I realize that this is not the same as uninstalling, but it's not clear
what the goal is. If the machine is isolated, it doesn't matter. If it's
not isolated,
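Commenting out inetd.conf, as suggested above, only helps if nothing active is left behind, so it is worth checking rather than assuming. The script below is an added example, not something posted in the thread: it works on a constructed copy of a Woody-style inetd.conf (the sample lines are made up for the demonstration), comments out every line that is still active, keeps a backup, and then counts what remains enabled.

```sh
#!/bin/sh
# Added example (not from the thread): neutralise inetd by commenting out
# every active line of inetd.conf, then verify nothing is left enabled.
# Runs on a constructed copy so it never touches /etc.

CONF="${CONF:-$(mktemp)}"
trap 'rm -f "$CONF" "$CONF.orig"' EXIT

# Constructed sample in inetd.conf format:
# service  socket  proto  wait  user  server  args
cat > "$CONF" <<'EOF'
# /etc/inetd.conf: see inetd(8) for further informations.
#:INTERNAL: Internal services
#echo   stream  tcp     nowait  root    internal
discard stream  tcp     nowait  root    internal
daytime stream  tcp     nowait  root    internal
time    stream  tcp     nowait  root    internal
#:STANDARD: These are standard services.
ftp     stream  tcp     nowait  root    /usr/sbin/tcpd  /usr/sbin/in.ftpd
#:BSD: Shell, login, exec and talk are BSD protocols.
talk    dgram   udp     wait    nobody.tty  /usr/sbin/in.talkd
EOF

# active_services FILE: print the service name of every uncommented,
# non-blank line, i.e. everything inetd would still bind to.
active_services() {
    grep -v '^[[:space:]]*#' "$1" | grep -v '^[[:space:]]*$' | awk '{print $1}'
}

# disable_all FILE: prefix '#' to every active line, keeping FILE.orig so
# the change can be reviewed and reverted.
disable_all() {
    cp "$1" "$1.orig"
    sed -i.bak '/^[[:space:]]*[^#[:space:]]/s/^/#/' "$1"
    rm -f "$1.bak"
}

echo "before: $(active_services "$CONF" | tr '\n' ' ')"
disable_all "$CONF"
echo "after:  $(active_services "$CONF" | wc -l | tr -d ' ') active line(s)"
```

On the real file, run active_services against /etc/inetd.conf first; if the list is empty there is nothing for inetd to serve, and the remaining step is the one Stef mentions later in the thread, removing the init script from the runlevels with update-rc.d -f inetd remove, so the daemon is not started at all.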
maybe this can help:
install rcconf, a tool for selecting which scripts from /etc/init.d are going
to run at boot time and deselect inetd;
it will be disabled, but still on your hard disk
you asked for a circumvention of the problem, not for a
Stefan Srdic [EMAIL PROTECTED] writes:
On Wed 13 Feb 02 19:14, Howland, Curtis wrote:
Would simply commenting out all the lines in inetd.conf be sufficient?
I realize that this is not the same as uninstalling, but it's not clear
what the
The Securing Debian HOWTO makes mention of the possibility that you can
set a partition as read-only, to further protect the various things in
/usr/bin for example. Then when you apt-get upgrade, you can configure
apt to automagically turn off the read-only while needed, then turn it
back on
On Wed, 13 Feb 2002 17:19:33 +0100, Marcus Frings [EMAIL PROTECTED] wrote:
Dear all,
first I would like to apologize for my English as I am not a native
speaker.
Your English is very good actually, you need not apologise.
*a* and *b* confuse me a little. Although rndc.key is in the chrooted
Jeff Bonner [EMAIL PROTECTED] writes:
The Securing Debian HOWTO makes mention of the possibility that you can
set a partition as read-only, to further protect the various things in
/usr/bin for example. Then when you apt-get upgrade, you can
Stefan Srdic wrote:
Hi,
I'm running Woody at home and have no use for the inetd daemon. I
have tried to un-install the package which provides inetd
(netkit-inetd), but it depends on package netbase so if I remove
netkit-inetd I lose netbase.
How can I circumvent this problem?
apt-get
In message [EMAIL PROTECTED], Stefan Srdic writes:
My system is my desktop and my server. The machine is
connected to the internet and I use my own IPTables script to protect my
network.
I've used the update-rc.d script to remove the inetd init scripts from all
runlevels. But, I still want to