Can anyone help? See below.

--- Cylar Z <[EMAIL PROTECTED]> wrote:
> Date: Thu, 18 Aug 2005 22:08:24 -0700 (PDT)
> From: Cylar Z <[EMAIL PROTECTED]>
> Subject: Re: [vox-tech] DNS and security
> To: Rick Moen <[EMAIL PROTECTED]>
>
> Rick:
>
> Thanks so much for the information-packed response. It's going to take me some time to wade through everything you said, and some of it frankly is over my head. I suppose this will be a learning experience for me. I'm a newbie and have a LOT to learn, since the Linux courses I took at ARC didn't cover anything related to system administration.
>
> Someone posted a reply to my query on the LUGOD mailing list already - perhaps you saw it. (Or was that you?) In any case, I took his advice and shut down all the daemons that weren't on the list I made during my original posting. Well, my box is now broken. I can't even ping it. I can only guess that I wound up shutting off something that was vital to the system. I can't determine what, until I actually get to where the server is physically located (about an hour away) and then hope I can log in directly. Basically, I killed EVERYTHING except sshd, httpd, sendmail, and cron. Could it have been "portmap" that was the vital one? Network? Anacron? I have no idea, do you?
>
> Once I undo whatever it was I did, I'll be back at square one with the original problem, and so I wanted to ask you a follow-up question. Both you and the other poster mentioned modifying the file /etc/resolv.conf. Is that really going to accomplish anything? I modified the file as directed, but never got a chance to see if it worked or not, since the system quit responding after I did this, modified the startup daemon scheme, and rebooted.
>
> My understanding is that resolv.conf is the configuration file for the "named" daemon. Named isn't running on my system.
> I was told by another source that A) it's a security risk, B) no longer required, since the server's domain registrar can handle incoming DNS and C) it wasn't running on a prior Linux install (Xandros, based on Debian) and yet both incoming and outgoing DNS functionality were perfect then. Please render your input on this situation.
>
> I need to get outgoing DNS working so that I can surf the Web from the console, and run the yum updater command properly.
>
> Just FYI, my system hosts 2 virtual domains in addition to the "main" one. In the event resolv.conf really does need to be modified as you prescribed, would I need to mention the virtual domains in the resolv file? I wouldn't think so, since they only come into play as per incoming HTTP requests, and my registrar is handling the DNS on that.
>
> As to FTP, I won't be running it anonymously. I simply need a means of transferring my webpage files to the server remotely. My server only has one user - me. At present, nobody else has any reason to be connecting to it at any time. If FTP is unsecure in your view (due to its lack of encryption):
>
> 1. What do you suggest as a safer alternative?
> 2. What's the best way of "shutting off" FTP? Just close its port on the firewall?
>
> There's no FTP "server" per se running on my box, nor does there need to be. All I need to do is upload webpage files.
>
> As to our conversation about xinetd, do I need it and its "child daemons" or not? I'm a bit confused. Both you and the other guy asked the same question, "Why do you need xinetd?" I don't know if I do or not - that's what I'm asking! :) I simply assumed I did since it seems to control so many other things.
>
> You know my requirements - mail server, http server, secure ftp access, command-prompt via SSH2. That's all. No file-sharing, no print server, no routing, no Samba, no anonymous FTP, none of that stuff.
> I want to shut off anything that isn't absolutely necessary, but I can't seem to locate a comprehensive guide to what each service does so I can figure out if it's needed or not.
>
> Thanks again for all your help.
>
> Matt
>
> --- Rick Moen <[EMAIL PROTECTED]> wrote:
>
> > Quoting Cylar Z ([EMAIL PROTECTED]):
> >
> > > I'm a fairly new Linux admin, running Fedora Core from Redhat.
> >
> > Hi, Matt. For a good overview, please see Linux Journal editor Don Marti's overview, which I just saw him mention on a different Linux mailing list:
> > http://zgp.org/~dmarti/blosxom/tips/new-server.html
> >
> > > 1. Outgoing DNS isn't working properly on my server. The box will respond properly to incoming http requests (and even allowed me to host 2 virtual domains, which also respond properly). However, it does NOT surf the web from the console or ping by domain name. It WILL ping by IP so I know the issue is DNS and not my actual connection per se. How do I put in the DNS info in Fedora Core? I tried logging on as root, typing "setup" and entering the IP's in the designated spaces, but no luck. Is there another way?
> >
> > The IP-address locations of the DNS servers your box will be consulting are always recorded in /etc/resolv.conf, the configuration file of your host's DNS resolver library (i.e., of the DNS client software your box uses to deal with DNS questions that must be referred to a DNS daemon running somewhere).
> >
> > Here's my own server's /etc/resolv.conf:
> >
> > search linuxmafia.com deirdre.org
> > nameserver 198.144.192.2
> > nameserver 198.144.192.4
> > nameserver 198.144.195.186
> >
> > Distributions differ in what tools they prefer you to use, in editing your system configuration files.
> > Of course, you can always ignore those intentions and use $MY_FAVOURITE_TEXT_EDITOR -- which is what I personally tend to do -- but your Fedora documentation may well have something to say about that.
> >
> > > 2. In the interest of system security, I want to run the absolute minimum number of daemons/services. Which ones do I really, really need?
> >
> > That's an excellent and really important question.
> >
> > Many people approach this question from a functional perspective. That is, they say, if you want to determine which daemons you need, try switching each of them off, in turn, and find out if anything you care about breaks. Of course, in a strict sense, nobody but you can tell you what your box needs to run, anyway, because only you know what roles your box needs to fulfill.
> >
> > > So far I've established that I need httpd, sshd, sendmail, xinetd, and possibly cron.
> >
> > Please note that "xinetd" is an example of what is called a "superserver", i.e., a server whose purpose is to load and launch other servers (daemons) under its control and supervision, in part so that those servers don't need to be loaded into RAM all the time, but instead can be loaded only when there's an incoming request for them.
> >
> > One consequence of this is that xinetd has its own configuration file, /etc/xinetd.conf, and a directory of configuration files for each supervised server, /etc/xinetd.d/ . The files in /etc/xinetd.d/ specify, among other things, whether xinetd shall be willing to launch this daemon at all, if there's an incoming request.
> >
> > Here, for example, is /etc/xinetd.d/chargen , with the option "disable=yes":
> >
> > # default: off
> > # description: An xinetd internal service which generate characters. \
> > # The xinetd internal service which continuously generates characters \
> > # until the connection is dropped. The characters look something like
> > # this: \
> > # !"#$%&'()*+,-./0123456789:;<=>[EMAIL PROTECTED]
> > # \
> > # This is the tcp version.
> > service chargen
> > {
> > 	disable = yes
> > 	type = INTERNAL
> > 	id = chargen-stream
> > 	socket_type = stream
> > 	protocol = tcp
> > 	user = root
> > 	wait = no
> > }
> >
> > Given that you've elected to leave xinetd running, it's in your interest to go through each of the files in /etc/xinetd.d/ individually, and decide for each one whether you can imagine any reason why you want to offer up that daemon as an available service to remote machines.
> >
> > I picked "chargen" (a character-stream generator that, if running, spews out a stream of ASCII on TCP or UDP port 19; really, that's _all_ it does) as an example because it exemplifies pretty well the point that many xinetd services are leftover antiques of no real use to most people -- and who knows what mischief someone might carry out using them? The paranoiac's view would be: If you don't know why you need a running daemon, shut it off until and unless you determine otherwise.
> >
> > By the way, your system almost certainly needs to run cron because it supervises periodic housekeeping scripts that need to be run at specific regular times. Fortunately, it is not network-accessible from elsewhere.
> >
> > > Are there any others that are suggested that I be running?
> >
> > And the answer to that depends entirely on what the machine needs to do.
> >
> > > This server responds to web requests and lets me SSH in remotely. (I don't use Telnet.) That's about all it needs to do.
> >
> > This begs the question of why you say it also needs to run xinetd. You might, or you might not.
> > It depends on whether you have any use for any of the couple-dozen minor services xinetd is capable of offering. You decided.
> >
> > > Also, is FTP a security risk, or is it safe to leave this port open?
> >
> > This is a controversial question.
> >
> > Many people feel that ftp is redundant in an era of pervasive http implementations. (Note that http is a simpler protocol and doesn't have the slightly problematic feature of using a control TCP port as well as a data-transmission TCP port. That feature of ftp tends to make it slightly difficult to control at IP-filtering firewalls, and you end up having to adopt palliative measures like running all ftp sessions in what is called "passive ftp mode".)
> >
> > I personally got a little tired of hearing that stated as a blanket
>
> === message truncated ===
>
> "Our nation has defended itself and served the freedom of all mankind. I'm proud to lead such an amazing country and I'm proud to lead it forward." - President George W Bush, November 3 2004
>
> God give wisdom to our leaders. God bless America.
>
> ____________________________________________________
> Start your day with Yahoo! - make it your home page
> http://www.yahoo.com/r/hs

_______________________________________________
vox-tech mailing list
vox-tech@lists.lugod.org
http://lists.lugod.org/mailman/listinfo/vox-tech
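As an added example (not part of the thread, and not code from Rick Moen or the vox-tech list), the POSIX shell script below turns the two pieces of advice quoted above into a check: it lists every service in an xinetd.d-style directory whose file does not say "disable = yes", and it prints the nameserver addresses a resolv.conf would hand to the resolver library. It runs offline against constructed sample files in a temporary directory; the "daytime" and "discard" files and the 192.0.2.x addresses are made-up samples, and the script deliberately does not consult the defaults section of /etc/xinetd.conf, which can also switch services off.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. Audits which xinetd
# services are still enabled and which nameservers a resolv.conf names.
# Sample files are constructed below; on a real box point the functions
# at /etc/xinetd.d and /etc/resolv.conf instead.

# Print the names of services whose file lacks "disable = yes".
# xinetd treats a missing "disable" attribute as enabled, so such files
# are listed too. The "defaults" section of /etc/xinetd.conf (which can
# also disable services) is not consulted here.
xinetd_enabled_services() {
    dir="$1"
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        # xinetd allows arbitrary spacing around "="
        if grep -Eq '^[[:space:]]*disable[[:space:]]*=[[:space:]]*yes' "$f"; then
            continue
        fi
        basename "$f"
    done
}

# Print the nameserver addresses the resolver library would read.
resolv_nameservers() {
    awk '$1 == "nameserver" { print $2 }' "$1"
}

# --- constructed sample input (not real files from the thread) ---
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
mkdir "$tmp/xinetd.d"
cat > "$tmp/xinetd.d/chargen" <<'EOF'
# default: off
service chargen
{
	disable = yes
	type = INTERNAL
	id = chargen-stream
	socket_type = stream
	protocol = tcp
	user = root
	wait = no
}
EOF
cat > "$tmp/xinetd.d/daytime" <<'EOF'
# constructed sample: a service someone left switched on
service daytime
{
	disable = no
	type = INTERNAL
	id = daytime-stream
	socket_type = stream
	protocol = tcp
	user = root
	wait = no
}
EOF
cat > "$tmp/xinetd.d/discard" <<'EOF'
# constructed sample: no disable line at all, so xinetd treats it as enabled
service discard
{
	type = INTERNAL
	id = discard-stream
	socket_type = stream
	protocol = tcp
	user = root
	wait = no
}
EOF
cat > "$tmp/resolv.conf" <<'EOF'
search example.invalid
nameserver 192.0.2.1
nameserver 192.0.2.2
EOF

echo "xinetd services still enabled:"
xinetd_enabled_services "$tmp/xinetd.d"
echo "resolver will query:"
resolv_nameservers "$tmp/resolv.conf"
```

Run it as-is to see the sample output; on a live system, replace the two paths with /etc/xinetd.d and /etc/resolv.conf. Every service the first function lists is one to justify or set to "disable = yes", and if the second prints nothing, the box has no nameserver to consult, which matches the "pings by IP but not by name" symptom in the thread.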