Gone Paranoid: private IP to public IP!!

Iain Stevenson yellowdog-general@lists.terrasoftsolutions.com
Sat Jul 6 02:24:01 2002


Hi Juan,
for you
If you do a search on linuxdoc.org it throws up a few references to 
tcpwrappers.  It may be easiest to buy a book on Linux security.  I found:

"Linux System Security: The Administrators guide to open source security 
tools", Scott Mann and Ellen Mitchell, Prentice Hall, ISBN 0-13-015807-0

and

"Hacking Linux Exposed". Brian Hatch, James Lee, George Kurtz, McGraw-Hill, 
ISBN 0-07-212773-2

... were both useful.

As far as your question about Cisco IOS goes, IOS (Internetwork Operating 
System) is just the trade name Cisco uses for its routing code.  You may 
find more about how to configure Cisco routers by looking for training 
material for Cisco's CCNA or CCIE certificates.

  Iain



--On Saturday, July 6, 2002 3:24 am -0400 Juan Manuel Palacios 
<jmpalacios@mac.com> wrote:

>
> 	Thanks Iain, very interesting and educating. Your recommendations were
> adopted the minute they were received! Anywhere you know where I could
> look for detailed info about tcpwrappers?
>
> 	Regards,...
>
>
> 		Juan.
>
> On Sunday, June 30, 2002, at 03:13  PM, Iain Stevenson wrote:
>
>>
>>
>> --On Sunday, June 30, 2002 1:24 am -0400 Juan Manuel Palacios
>> <jmpalacios@mac.com> wrote:
>>
>>>>
>>>> - go through /etc/xinetd.conf and disable anything you don't need
>>>
>>> 	That sounds easy enough, I'll get right to it. Disabling the
>>> services I don't need ensures that the IP ports they bind to will be
>>> properly closed?
>>>
>>
>> Generally, yes.  For any daemon that runs exclusively via xinetd this
>> will close the port.  Some daemons (eg cyrus imap, postfix, ssh) run
>> outside of xinetd - you need to use tcpwrappers or a firewall script to
>> deal with them.
>>
>>>> - make sure tcpwrappers is correctly installed and that
>>>> /etc/hosts.allow and /etc/hosts.deny are configured correctly
>>>
>>> 	My knowledge about tcpwrappers is completely null. I don't know
>>> what it is (service, binary, protocol... ?), where in the filesystem it
>>> is or even what it is for. Any words that might enlighten me on this one
>>> please... ?
>>
>> tcpwrappers is a venerable piece of code that sits between many daemons
>> and the external network.  Most daemons are built with tcpwrappers
>> support so that they can take advantage of the protection that it gives.
>>
>> I once had a problem with an old copy of tcpwrappers so grab the latest
>> YDL rpm and install it.
>>
>> Make sure /etc/hosts.deny contains this:
>>
>>  ALL: ALL
>>
>> This basically denies all TCP/IP accesses that aren't explicitly
>> enabled by /etc/hosts.allow
>>
>> Check if /etc/hosts.allow contains this:
>>
>>  ALL: LOCAL
>>
>> That allows access to all the TCP/IP services running on the Linux
>> system from local machines only.  Read man hosts.allow for some more
>> examples.
>>
>>>> - install gShield or some other iptables based firewall script - this
>>>> can block high port access amongst other things
>>>
>>> 	gShield works over iptables, with its commands and syntax? I
>>> really want to give iptables a good shot.
>>>
>>
>> Yes - gShield is just a clever script for setting up iptables rules -
>> you don't really want to get into working iptables out for yourself.
>> Just grab the script from here:
>>
>>  ftp://muse.linuxmafia.org/pub/gShield/v2/gShield-2.8.tgz
>>
>> Assuming you downloaded the script to /home/somewhere, install the
>> script (as root):
>>
>>  cd /etc
>>  tar xvfz /home/somewhere/gShield-2.8.tgz
>>  mv gShield-2.8 firewall
>>  cd firewall
>>
>> Then edit gShield.conf to suit your needs.  I start the script from
>> /etc/rc.local by including this line:
>>
>>  /etc/firewall/gShield.rc
>>
>> That's it.
>>
>>  Iain
>>
>> _______________________________________________
>> yellowdog-general mailing list
>> yellowdog-general@lists.terrasoftsolutions.com
>> http://lists.terrasoftsolutions.com/mailman/listinfo/yellowdog-general
>
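The three hardening steps Iain describes above (a catch-all deny in /etc/hosts.deny, a narrow /etc/hosts.allow, and xinetd services actually disabled rather than merely unused) can be audited with a small POSIX shell script. This is an added example and not code from the original post or from Yellow Dog Linux; the hosts.allow, hosts.deny and xinetd.conf it writes are constructed samples, and the function names, the `--system` flag and the 192.168.1.0 network in the sample are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original post): audit the tcpwrappers and xinetd
# hardening steps discussed in the thread. File paths are arguments so the
# same functions run against constructed sample files or the real /etc files.

# Drop comments and blank lines from a hosts.allow / hosts.deny style file.
wrapper_rules() {
    sed -e 's/#.*$//' -e '/^[[:space:]]*$/d' "$1"
}

# Return 0 if the file carries the catch-all "ALL: ALL" rule that refuses every
# wrapped service to every client not explicitly permitted in hosts.allow.
has_default_deny() {
    wrapper_rules "$1" | grep -Eq '^[[:space:]]*ALL[[:space:]]*:[[:space:]]*ALL[[:space:]]*$'
}

# Print any hosts.allow rule whose client field is ALL: such a rule grants every
# host access to the listed daemons and quietly undoes the deny file.
# Returns 0 when the allow file only names LOCAL or explicit clients.
overbroad_allow_rules() {
    wrapper_rules "$1" | awk -F: '
        { client = $2; gsub(/^[ \t]+|[ \t]+$/, "", client) }
        client == "ALL" { print; found = 1 }
        END { exit found ? 1 : 0 }'
}

# List services in an xinetd.conf / xinetd.d style file that are still enabled,
# i.e. whose block lacks "disable = yes". These are the ports xinetd keeps open.
enabled_xinetd_services() {
    awk '
        /^[[:space:]]*service[[:space:]]+/ { name = $2; disabled = 0 }
        /^[[:space:]]*disable[[:space:]]*=[[:space:]]*yes/ { disabled = 1 }
        /^[[:space:]]*}/ { if (name != "" && !disabled) print name; name = "" }
    ' "$1"
}

# Constructed sample files (not real system configuration) in a temp dir; prints the dir.
make_sample_configs() {
    dir=$(mktemp -d)
    cat > "$dir/hosts.deny" <<'EOF'
# constructed sample: refuse everything hosts.allow does not permit
ALL: ALL
EOF
    cat > "$dir/hosts.allow" <<'EOF'
# constructed sample: ssh from one assumed LAN, everything else from LOCAL hosts only
sshd: 192.168.1.0/255.255.255.0
ALL: LOCAL
EOF
    cat > "$dir/xinetd.conf" <<'EOF'
service telnet
{
    disable = yes
    socket_type = stream
}
service finger
{
    socket_type = stream
    wait = no
}
EOF
    echo "$dir"
}

# Human-readable audit of one allow file, deny file and xinetd config.
audit() {
    if has_default_deny "$2"; then echo "deny file: default 'ALL: ALL' present"
    else echo "deny file: WARNING, no 'ALL: ALL' catch-all"; fi
    if overbroad_allow_rules "$1" >/dev/null; then echo "allow file: no 'ALL' client rules"
    else echo "allow file: WARNING, these rules grant access to every host:"; overbroad_allow_rules "$1"; fi
    echo "xinetd services still enabled:"
    enabled_xinetd_services "$3" | sed 's/^/  /'
}

# Run with --system to audit the real files (paths assumed as on YDL); otherwise audit the samples.
if [ "${1:-}" = "--system" ]; then
    audit /etc/hosts.allow /etc/hosts.deny /etc/xinetd.conf
else
    sample=$(make_sample_configs)
    audit "$sample/hosts.allow" "$sample/hosts.deny" "$sample/xinetd.conf"
    rm -rf "$sample"
fi
```

Two caveats worth keeping in mind when reading the report: per hosts_access(5), the LOCAL wildcard matches any client whose resolved hostname contains no dot, not just the loopback interface, so it is only as trustworthy as your DNS; and the script only sees daemons that xinetd controls or that are linked against libwrap, so services started on their own (sshd, postfix, cyrus) still need the firewall script the thread recommends.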