[NTLUG:Discuss] Anyone runs ftp, mail server, httpd and get catched from @home
MadHat
madhat at unspecific.com
Thu Jan 11 11:32:46 CST 2001
All this talk is all fine and dandy, but if you block all of @home and att
and such from your server, you can't receive mail from anyone on those
domains (that use their servers), and they can't surf your site that you
are wanting to host...

Remember where the conversation started? Someone asked about hosting
servers on their @home account. If you want the server to be usable by the
general public, you can't put broad restrictions on it and have it really
usable by just anyone on the net (which if you are hosting a web site or
your own mail, you really need that general, unrestricted access).

The below is the best for protecting your system and you still want to be
able to get to it from outside (this is what I do, all I host is ssh), but
if you want to be able to host DNS and/or a web site and/or mail and such,
you can't really do that. Not to mention that sendmail and httpd, for
example, don't use tcp_wrappers and /etc/hosts.allow and deny, so the below
would be useless for those daemons and anything else that doesn't use them.

My point was simple, yes you can do it, and probably won't be caught, but
you might be, even if you take measures to keep from being noticed. To
make it all truly usable, you have to be open to the world for certain
daemons, and therefore have a greater risk of being discovered. If they
want to find you, they will, it is very easy for anyone, and even easier
from their vantage point.

At 11:00 AM 1/11/2001 -0600, you wrote:
>* egbert at efficient.com [2001.01.10 17:25]:
>: Actually, I think you would have a better chance of coverage if you do the
>: following:
>:
>: /etc/hosts.deny
>: ALL: tci.net, tci.com, home.net, att.net
>:
>:
>: HOME.NET is used frequently by @Home corporate and network operation center.
>:
>: But, as a warning, this hosts.deny would not stop unregistered IP address or
>: contracted security-scanner hosts.
>:
>: S
>
>Actually, the better way to cover your butt is this:
>
>/etc/hosts.deny
>ALL: ALL
>
>/etc/hosts.allow
>ALL: 127.0.0.1
>sshd: 10.10.2.
>
>Where your hosts.allow is a list of services and IPs/networks you
>"trust". And of course, use firewalling. There is a *massive*
>firewalling script on freshmeat that I usually steal ideas from. It's
>way too complicated/bloated for my general usages, but you can check it
>out here: http://freshmeat.net/projects/rc.firewall/
>--
>cameron
>[ I spilled spot remover on my dog. He's gone now. ]
>_______________________________________________
>http://ntlug.org/mailman/listinfo/discuss
--
MadHat at unspecific.com
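
Added example, not part of the original thread and not tcp_wrappers code: a simplified Python model of the hosts_access(5) lookup order (hosts.allow first, then hosts.deny, otherwise grant) run against the rule sets quoted above. The uses_libwrap flag, the function names and the sample clients are assumptions made for illustration; the flag stands for whether a daemon consults these files at all.

```python
# Simplified model of hosts_access(5) lookup order (added example, not tcpd code).
# Handles only the pattern forms seen in this thread.

def parse(text):
    """Turn 'daemons: clients' lines into (daemons, clients) token lists."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if ":" in line:
            daemons, clients = line.split(":", 1)
            rules.append((daemons.replace(",", " ").split(),
                          clients.replace(",", " ").split()))
    return rules

def client_matches(pattern, ip, host):
    if pattern == "ALL":
        return True
    if pattern.endswith("."):        # network prefix such as "10.10.2."
        return ip.startswith(pattern)
    name = (host or "").lower()
    if pattern.startswith("."):      # domain suffix such as ".home.net"
        return name.endswith(pattern.lower())
    return pattern == ip or pattern.lower() == name   # exact match only

def rule_hit(rules, daemon, ip, host):
    return any(any(d in ("ALL", daemon) for d in daemons)
               and any(client_matches(c, ip, host) for c in clients)
               for daemons, clients in rules)

def decide(allow, deny, daemon, ip, host=None, uses_libwrap=True):
    """Return 'allow', 'deny' or 'not-checked' for one connection."""
    if not uses_libwrap:             # hypothetical flag: daemon ignores the files
        return "not-checked"
    if rule_hit(allow, daemon, ip, host):
        return "allow"               # hosts.allow is searched first
    if rule_hit(deny, daemon, ip, host):
        return "deny"
    return "allow"                   # no match in either file: access granted

ALLOW = parse("ALL: 127.0.0.1\nsshd: 10.10.2.\n")      # from the thread
DENY_ALL = parse("ALL: ALL\n")                         # from the thread
DENY_DOMAINS = parse("ALL: tci.net, tci.com, home.net, att.net\n")

if __name__ == "__main__":
    # Constructed clients: addresses and host names are made up.
    for daemon, ip, host, wrapped in [("sshd", "10.10.2.7", None, True),
            ("sshd", "192.0.2.50", "scan.example.net", True),
            ("httpd", "192.0.2.50", "scan.example.net", False)]:
        print(daemon, ip, decide(ALLOW, DENY_ALL, daemon, ip, host, wrapped))
```

In this model, as in hosts_access(5), a client pattern without a leading dot such as home.net matches only that exact host name, and a client with no resolvable name never matches a name pattern.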