Gone Paranoid: private IP to public IP!!
Juan Manuel Palacios
yellowdog-general@lists.terrasoftsolutions.com
Sat Jul 6 01:21:00 2002
Thanks Iain, very interesting and educating. Your recommendations
were adopted the minute they were received! Is there anywhere you know
of where I could look for detailed info about tcpwrappers?
Regards,...
Juan.
On Sunday, June 30, 2002, at 03:13 PM, Iain Stevenson wrote:
>
>
> --On Sunday, June 30, 2002 1:24 am -0400 Juan Manuel Palacios
> <jmpalacios@mac.com> wrote:
>
>>>
>>> - go through /etc/xinetd.conf and disable anything you don't need
>>
>> That sounds easy enough, I'll get right to it. Disabling the
>> services I don't need ensures that the IP ports they bind to will be
>> properly closed?
>>
>
> Generally, yes. For any daemon that runs exclusively via xinetd this
> will close the port. Some daemons (eg cyrus imap, postfix, ssh) run
> outside of xinetd - you need to use tcpwrappers or a firewall script to
> deal with them.
>
>>> - make sure tcpwrappers is correctly installed and that
>>> /etc/hosts.allow and /etc/hosts.deny are configured correctly
>>
>> My knowledge about tcpwrappers is completely null. I don't know what
>> it is (service, binary, protocol... ?), where in the filesystem it is
>> or even what it is for. Any words that might enlighten me on this one
>> please... ?
>
> tcpwrappers is a venerable piece of code that sits between many daemons
> and the external network. Most daemons are built with tcpwrappers
> support so that they can take advantage of the protection that it gives.
>
> I once had a problem with an old copy of tcpwrappers so grab the latest
> YDL rpm and install it.
>
> Make sure /etc/hosts.deny contains this:
>
> ALL: ALL
>
> This basically denies all TCP/IP accesses that aren't explicitly
> enabled by /etc/hosts.allow
>
> Check if /etc/hosts.allow contains this:
>
> ALL: LOCAL
>
> That allows access to all the TCP/IP services running on the Linux
> system from local machines only. Read man hosts.allow for some more
> examples.
>
>>> - install gShield or some other iptables based firewall script - this
>>> can block high port access amongst other things
>>
>> gShield works over iptables, with its commands and syntax? I really
>> want to give iptables a good shot.
>>
>
> Yes - gShield is just a clever script for setting up iptables rules -
> you don't really want to get into working iptables out for yourself.
> Just grab the script from here:
>
> ftp://muse.linuxmafia.org/pub/gShield/v2/gShield-2.8.tgz
>
> Assuming you downloaded the script to /home/somewhere, install the
> script (as root):
>
> cd /etc
> tar xvfz /home/somewhere/gShield-2.8.tgz
> mv gShield-2.8 firewall
> cd firewall
>
> Then edit gShield.conf to suit your needs. I start the script from
> /etc/rc.local by including this line:
>
> /etc/firewall/gShield.rc
>
> That's it.
>
> Iain
>
> _______________________________________________
> yellowdog-general mailing list
> yellowdog-general@lists.terrasoftsolutions.com
> http://lists.terrasoftsolutions.com/mailman/listinfo/yellowdog-general
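Added example, not part of the thread above: a small POSIX shell emulator of how tcpd / libwrap decides access from /etc/hosts.allow and /etc/hosts.deny, so the effect of the recommended "ALL: ALL" deny line and "ALL: LOCAL" allow line can be seen without touching a live machine. The first allow line and the deny line are the ones from Iain's reply; the second allow line ("sshd: 192.168.1.") and all client names and addresses are constructed for the demo. The emulator keeps only the rule forms the thread uses (ALL, LOCAL, domain suffix, network prefix, exact host): EXCEPT lists, the optional shell_command field and the daemon@host / user@host forms are left out.

```shell
#!/bin/sh
# Added example (not from the thread): emulate tcpd's hosts.allow/hosts.deny
# decision for the files recommended above. Simplified: no EXCEPT, no
# shell_command field, no daemon@host or user@host patterns.

# Constructed sample files. "ALL: LOCAL" and "ALL: ALL" are the thread's
# recommendations; the sshd line is an assumed extra allow rule.
ALLOW_RULES='ALL: LOCAL
sshd: 192.168.1.'
DENY_RULES='ALL: ALL'

# token_matches KIND PATTERN DAEMON CLIENT_NAME CLIENT_IP
# KIND is "daemon" or "client". Returns 0 when PATTERN matches.
token_matches() {
  kind=$1; pat=$2; daemon=$3; name=$4; ip=$5
  if [ "$kind" = daemon ]; then
    if [ "$pat" = ALL ] || [ "$pat" = "$daemon" ]; then return 0; fi
    return 1
  fi
  case "$pat" in
    ALL)   return 0 ;;
    LOCAL) case "$name" in *.*) return 1 ;; *) return 0 ;; esac ;;     # hostname with no dot; needs reverse DNS
    .*)    case "$name" in *"$pat") return 0 ;; *) return 1 ;; esac ;;  # domain suffix, e.g. .example.com
    *.)    case "$ip"   in "$pat"*) return 0 ;; *) return 1 ;; esac ;;  # network prefix, e.g. 192.168.1.
    *)     if [ "$pat" = "$name" ] || [ "$pat" = "$ip" ]; then return 0; fi; return 1 ;;
  esac
}

# list_matches KIND LIST DAEMON CLIENT_NAME CLIENT_IP
# LIST is the comma-separated daemon list or client list of one rule line.
list_matches() {
  kind=$1; list=$2; shift 2
  l_ifs=$IFS; IFS=','
  for tok in $list; do
    IFS=$l_ifs
    tok=$(printf '%s' "$tok" | tr -d ' \t')
    if token_matches "$kind" "$tok" "$@"; then return 0; fi
  done
  IFS=$l_ifs
  return 1
}

# rules_match RULES DAEMON CLIENT_NAME CLIENT_IP
# RULES is the text of one access-control file; returns 0 on the first
# line whose daemon list and client list both match.
rules_match() {
  rules=$1; shift
  r_ifs=$IFS; IFS='
'
  for line in $rules; do
    IFS=$r_ifs
    case "$line" in ''|'#'*) continue ;; esac
    daemons=${line%%:*}
    rest=${line#*:}
    clients=${rest%%:*}        # a third ": shell_command" field is ignored here
    if list_matches daemon "$daemons" "$@" && list_matches client "$clients" "$@"; then
      return 0
    fi
  done
  IFS=$r_ifs
  return 1
}

# tcpd_decision ALLOW_TEXT DENY_TEXT DAEMON CLIENT_NAME CLIENT_IP
# Prints "allow" or "deny" in tcpd's order: hosts.allow is consulted first,
# then hosts.deny, and access is granted when neither file matches.
tcpd_decision() {
  allow_text=$1; deny_text=$2; shift 2
  if rules_match "$allow_text" "$@"; then echo allow; return 0; fi
  if rules_match "$deny_text" "$@"; then echo deny; return 1; fi
  echo allow                   # default-allow: this is why hosts.deny needs "ALL: ALL"
  return 0
}

# Demo over constructed clients: a LAN host with a PTR record, a LAN host
# without one (tcpd then sees its IP string as the name), and an Internet host.
for probe in 'sshd ws1 192.168.1.7' \
             'sshd 192.168.1.20 192.168.1.20' \
             'in.ftpd 192.168.1.20 192.168.1.20' \
             'sshd cracker.example.org 203.0.113.9'; do
  set -- $probe
  printf '%-8s %-22s -> %s (with ALL: ALL)  %s (empty hosts.deny)\n' "$1" "$2" \
    "$(tcpd_decision "$ALLOW_RULES" "$DENY_RULES" "$@")" \
    "$(tcpd_decision "$ALLOW_RULES" '' "$@")"
done
```

Two points the demo makes visible: LOCAL matches on the reverse-resolved hostname, so a LAN client without a PTR record does not match it and needs a network-prefix rule such as the sshd line; and with an empty hosts.deny the unmatched in.ftpd request is allowed, which is what "ALL: ALL" closes. On a real system the tcp_wrappers package ships tcpdmatch for the same check against the live files (for example "tcpdmatch sshd 192.168.1.20"), and "ldd /usr/sbin/sshd | grep libwrap" shows whether a daemon that runs outside xinetd is linked with libwrap at all; a daemon that is not linked with it, and is not started through tcpd, ignores both files, so the firewall script is the only control for it.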